The owners of DNSChanger-infected devices have more time to clean the infection

Mar 7, 2012 13:39 GMT  ·  By

Good news for the owners of the millions of computing devices affected by the DNSChanger Trojan. The FBI has obtained a court order postponing the shutdown of the replacement DNS servers that took over from the rogue ones, from March 8 to July 9, 2012, which gives ISPs and companies another 120 days to rid their networks of the malware.

For those who aren't familiar with DNSChanger, InfoSec Island explains that it infects computers and alters their DNS settings, so that every lookup the user makes for a website is sent to rogue DNS servers controlled by the botnet operators.

Those servers, in turn, returned forged answers that sent the unsuspecting victim to domains promoting fake products instead of the site they had asked for.

In November 2011, as part of Operation Ghost Click, the FBI identified the cybercriminals who controlled the rogue DNS servers, located in Estonia, New York and Chicago, and took down the entire operation.

At the time, Trend Micro published an advisory to help users with infected devices, and Senior Security Researcher Paul Ferguson made some important recommendations to Internet users in an interview we had with him.

However, the cleanup turned out to be more difficult than anyone expected. Because the infected devices resolve every name through the DNS servers the crooks had operated, simply switching those servers off would leave millions of users worldwide unable to reach the Web.

Internet Service Providers (ISPs) and companies, including roughly half of the Fortune 500, have struggled to clean up all traces of the malware, but they have not finished, and the court order that kept the replacement DNS servers running was due to expire on March 8, which would have cut the remaining infected machines off from DNS entirely.

According to Brian Krebs, the United States District Court for the Southern District of New York appointed the Internet Systems Consortium (ISC) to "install, monitor, and administer" replacement DNS servers, so that victims could identify infections without losing service.

ISC will manage the servers for a further 120 days, giving the affected parties until July 9 to finish cleaning up.

In the meantime, individuals and companies can continue to clean the compromised machines. Regular users can take a look at the DNSChanger "Eye Chart" to see whether their computers are infected, and businesses can turn to one of the organizations in the DNSChanger Working Group. The underlying check is simple: look at which DNS servers the machine, or its home router, is configured to use and compare them with the rogue address ranges the FBI has published.
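The manual check described above, as an added example that is not part of the original article or of any tool from the DNSChanger Working Group: it pulls the configured resolvers out of resolv.conf-style text (Linux/macOS) or `ipconfig /all` output (Windows) and flags any that fall inside the rogue ranges. The address ranges are the ones the FBI published for the seized DNSChanger infrastructure, not something this article lists, so verify them against the current DCWG list before relying on them; the two configuration samples are constructed here for illustration.

```python
import ipaddress
import re
from pathlib import Path

# Resolver ranges published by the FBI for the seized DNSChanger servers.
# Assumption: taken from the FBI/DCWG notice, not from this article; verify
# against the current DCWG list before using it in production.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_resolv_conf(text):
    """Return the IP addresses of every 'nameserver' line in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                           # skip malformed entries
    return servers


def parse_ipconfig(text):
    """Return the IPv4 DNS servers listed in 'ipconfig /all' output.

    The first server sits on the 'DNS Servers' line; additional ones appear on
    continuation lines that carry only an address. IPv6 entries are ignored.
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
        elif in_dns and ":" in line:
            in_dns = False                         # next field has started
        if in_dns:
            m = IPV4.search(line)
            if m:
                servers.append(ipaddress.ip_address(m.group(1)))
    return servers


def is_rogue(addr):
    """True if the address lies in one of the published DNSChanger ranges."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in ROGUE_RANGES)


def flag_resolvers(servers):
    """Map each resolver (as a string) to whether it is in a rogue range."""
    return {str(s): is_rogue(s) for s in servers}


# Constructed samples: one resolver in each is inside a rogue range.
RESOLV_SAMPLE = """# constructed resolv.conf sample
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

IPCONFIG_SAMPLE = """   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.161.10
                                       1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def check_local_resolv_conf(path="/etc/resolv.conf"):
    """Flag the resolvers of this host; returns {} if the file is absent."""
    p = Path(path)
    if not p.is_file():
        return {}
    return flag_resolvers(parse_resolv_conf(p.read_text()))


if __name__ == "__main__":
    for label, result in (
        ("resolv.conf sample", flag_resolvers(parse_resolv_conf(RESOLV_SAMPLE))),
        ("ipconfig sample", flag_resolvers(parse_ipconfig(IPCONFIG_SAMPLE))),
        ("this host", check_local_resolv_conf()),
    ):
        for server, rogue in result.items():
            print(f"{label}: {server} -> {'ROGUE' if rogue else 'ok'}")
```

A machine that reports a rogue resolver here is not necessarily the only infected device: DNSChanger also rewrote the DNS settings of home routers, so a clean PC behind an infected router will still pick up the rogue servers via DHCP, and the router's own configuration needs the same check.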