ISPs credited with dampening DNSChanger's impact
Internet Service Providers redirected traffic to keep customers online and notified victims with instructions on how to remove the malware
By Antone Gonsalves
July 10, 2012 — CSO — Despite warnings of a possible Internet meltdown, the servers that once controlled the DNSChanger Trojan that infected millions of computers were taken down without incident.
The success of Monday's takedown operation by law enforcement was credited to Internet Service Providers that helped victims avoid a disruption in service. Among the ISPs working with the FBI to locate infected computers and help users clean their systems were Comcast, Time Warner Cable and Verizon, ABC News reported.
Last November, police led by the FBI broke up an Estonian gang accused of running a four-year malware campaign that netted $14 million. At its height, the illicit operation had infected 4 million computers globally, including 500,000 in the U.S., with DNSChanger.
The malware redirected infected computers to rogue DNS servers that performed a number of illicit activities, including click fraud, redirecting searches to sites to generate ad fees and spreading fake antivirus products.
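Because DNSChanger worked by pointing a system's resolver settings at rogue servers, a host can be checked by comparing its configured nameservers against the rogue address ranges. The check below is an added example, not code from the article or from the DNSChanger Working Group; the article gives no resolver addresses, so the rogue ranges are placeholder CIDRs (documentation ranges) and the resolv.conf content is constructed.

```python
import ipaddress

# Placeholder CIDR ranges standing in for the rogue resolver addresses the
# article refers to; the article gives none, so these are constructed
# documentation ranges, not real indicators.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),   # placeholder (TEST-NET-2)
    ipaddress.ip_network("203.0.113.0/24"),    # placeholder (TEST-NET-3)
]


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses found in resolv.conf-style text."""
    resolvers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                resolvers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                          # skip malformed entries
    return resolvers


def flag_rogue_resolvers(resolvers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the resolvers (as strings) that fall inside a known-rogue range."""
    return [str(r) for r in resolvers if any(r in net for net in rogue_ranges)]


def check_resolv_conf(resolv_conf_text):
    """Parse the text and report any resolver that points at a rogue range."""
    return flag_rogue_resolvers(parse_resolvers(resolv_conf_text))


# Constructed sample: one legitimate resolver, one inside a placeholder range.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 192.0.2.1
nameserver 203.0.113.77
search example.net
"""

if __name__ == "__main__":
    hits = check_resolv_conf(SAMPLE_RESOLV_CONF)
    print("rogue resolvers:", hits if hits else "none")
```

A clean result only means the resolver settings are not pointing at the listed ranges; as the article notes, a redirected host may still be infected.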
The FBI had planned to take down the gang's servers, which were based in the U.S., in March. That deadline was postponed until July 9 to give ISPs more time to work with affected customers. As of July 8, the number of infected computers had fallen to roughly 211,000, according to the DNSChanger Working Group.
Nevertheless, that number included 12 percent of all Fortune 500 companies and 4 percent of "major" U.S. federal agencies, said Internet Identity.
To prevent a disruption of victims' Internet service, ISPs redirected traffic to keep customers online. The companies also notified victims via mail and email with instructions on how to remove the malware.
While ISPs were given kudos for helping avert what could have grown to a major problem, they were also criticized for choosing to redirect traffic, instead of insisting that customers clean their systems of malware.
"We can't keep providing a safety net for people with malware-infected computers on the Internet," Chester Wisniewski, senior security adviser for Sophos, said on Tuesday.
Rather than wait for a crisis, ISPs should continuously monitor for malware in customers' computers and take infected systems offline until they are cleaned, Wisniewski said. In the case of DNSChanger, computers that had their traffic redirected remained infected, and could be carrying other viruses.
DNSChanger was more than a single piece of malware. The malicious app was often bundled with other malware, the blog KrebsOnSecurity reported.