US Govt seeks temporary DNS extension

Remnants of Operation Ghost Click prove hard to purge.

The US Government has requested a three-month extension for the operation of temporary DNS servers, to give computer users more time to identify and purge the DNSChanger trojan from their systems.

Security blogger Brian Krebs published a court filing [pdf] seeking an extension for the operation of the servers, housed in two United States data centres, until July 9 this year.

DNSChanger malware infected approximately four million computers in 100 countries, according to FBI statistics. About 500,000 of those infections are in the United States.

The infected computers and routers belong to individuals, businesses and government agencies.

The FBI is seeking the extradition of six Estonian nationals in relation to the malware distribution. The arrests were made in November 2011, following a two-year investigation codenamed 'Operation Ghost Click'.

DNSChanger was allegedly used by the men to "manipulate the multi-billion-dollar Internet advertising industry" to the tune of $US14 million, according to the FBI statement.

The malware redirected users' legitimate searches and URLs to malicious sites via rogue DNS servers. It also disabled anti-virus and software updates.

Under a federal court order, the rogue DNS servers were replaced with legitimate servers that were initially meant to operate until March 8.

This was to give ISPs and users time to identify and rid themselves of infections. If the control servers were switched off straight away, it would likely have disrupted users' internet access.
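The clean-up the article refers to comes down to checking which resolvers a host has been pointed at. The following is an added example, not code from the article, the FBI or the clean-up effort: it parses a resolv.conf-style file and flags any nameserver that falls inside a list of rogue address ranges. The ranges, the sample file and all function names are constructed placeholders, not the real DNSChanger indicators.

```python
"""Flag configured DNS resolvers that fall inside known-rogue address ranges.

Added example for the DNSChanger clean-up described above; not code from the
article or the FBI. ROGUE_RANGES holds PLACEHOLDER networks (RFC 5737 test
space), not the real DNSChanger ranges; substitute the published list.
"""
import ipaddress
import re
from typing import Iterable, List

# Placeholder ranges standing in for the published rogue-resolver list.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample of a POSIX resolv.conf with one tampered nameserver entry.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
search example.internal
nameserver 192.0.2.53    # falls inside a placeholder rogue range
nameserver 10.0.0.1
options timeout:2
"""


def parse_nameservers(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        match = re.match(r"nameserver\s+(\S+)", line)
        if match:
            servers.append(match.group(1))
    return servers


def flag_rogue(servers: Iterable[str], ranges=ROGUE_RANGES) -> List[str]:
    """Return the servers inside any rogue range; unparseable entries are skipped."""
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # malformed entry: not an address we can compare
        if any(addr in net for net in ranges):  # mixed IPv4/IPv6 simply yields False
            hits.append(server)
    return hits


def check_resolv_conf(text: str = SAMPLE_RESOLV_CONF) -> List[str]:
    """Parse a resolv.conf body and return the rogue resolvers it points at."""
    return flag_rogue(parse_nameservers(text))


if __name__ == "__main__":
    found = check_resolv_conf()
    print("rogue resolvers:", found if found else "none")
```

On a live host, read `/etc/resolv.conf` (or the equivalent adapter settings) into `check_resolv_conf`; an empty result only means the host's own resolver list is clean, so the router the article mentions still needs its own check.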

The US Government is now seeking an extension of the initial court order, which would see the replacement DNS servers continue operating until July 9, according to Krebs' report.

One reason for the request could be the apparently slow progress in removing DNSChanger infections.

It came less than a fortnight after a study by Internet Identity (IID) found high levels of DNSChanger infection among Fortune 500 firms, despite the looming deadline.

IID said it had found "at least 250 of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger in early 2012."

The firm warned that the rate of infection could spell disaster for users if the temporary DNS servers were switched off as planned.

"Barring further court actions, on March 8, 2012 when ... the legitimate servers are taken down, millions of people may not be able to reach their intended Internet destinations," IID said.

"Because infected computers and routers will have no servers directing their DNS requests, the Internet may literally go dark for people using those computers or routers."

Krebs reported that the court was yet to rule on the extension request.

Information on the DNSChanger clean-up process can be found here.

Copyright © SC Magazine, Australia
