Half of all Fortune 500 companies still contain computers infected with the DNSChanger Trojan, weeks after an FBI-led takedown operation targeting the botnet's command-and-control infrastructure. DNSChanger changed an infected system's domain name system (DNS) resolution settings to point towards rogue servers that redirected …
Words fail me
"at least 250 of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router on their network still infected with DNSChanger"
And they wonder why they get repeatedly screwed over by cyber criminals?
This is not a new infection for Christ's sake! The BOFH should be ashamed, or more likely the managers beaten with rubber hoses for not authorising/funding the BOFH to nuke such PCs from orbit and do something with a cattle prod to the user if they had a big part in it getting past the corporate security.
Set the DNS servers to point all HTTP requests at a "your computer is infected, please contact your support department... click here for more info" type page. Give it another month before killing them.
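The responder the comment above proposes, as an added example that is not part of the original thread or the article: a minimal DNS server that answers every A query with the address of a notice page and gives non-A queries an empty NOERROR reply. It speaks raw DNS wire format with the Python standard library only. The notice-page address 192.0.2.1 (a documentation address), the 60-second TTL and the 127.0.0.1:5353 listening socket are assumptions for the example; a real deployment would use the address of the "contact your support department" page.

```python
"""Walled-garden DNS responder: every A query resolves to a notice page.

Added example (not from the original thread). Assumptions: the notice page
lives at 192.0.2.1 (TEST-NET-1 documentation address) and the server listens
on 127.0.0.1:5353 so it can be tried without root.
"""
import socket
import struct

SINKHOLE_IP = "192.0.2.1"   # assumed address of the "you are infected" notice page
QTYPE_A, QCLASS_IN = 1, 1
# Response flags: QR (response), AA (authoritative), RA (recursion available);
# RD is copied from the query.
RESP_FLAGS = 0x8000 | 0x0400 | 0x0080


def parse_question(msg):
    """Return (qname, qtype, qclass, end_offset) for the single question in msg."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated question name")
        length = msg[off]
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if off + 4 > len(msg):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels), qtype, qclass, off + 4


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a standard recursive query for name (used for testing the responder)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def sinkhole_response(query, sinkhole_ip=SINKHOLE_IP, ttl=60):
    """Answer an A/IN query with sinkhole_ip; anything else gets an empty NOERROR."""
    txid, flags = struct.unpack("!HH", query[:4])
    _qname, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]               # echo the question section verbatim
    rflags = RESP_FLAGS | (flags & 0x0100)  # copy RD from the query
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # Answer RR: name is a compression pointer to offset 12 (the question name),
        # type A, class IN, TTL, RDLENGTH 4, then the IPv4 address.
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
        answer += socket.inet_aton(sinkhole_ip)
        header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
        return header + question + answer
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + question


def parse_answer_ip(resp):
    """Return the IPv4 address in the first A answer of a sinkhole response, or None."""
    _qname, _qtype, _qclass, off = parse_question(resp)
    ancount = struct.unpack("!H", resp[6:8])[0]
    if ancount == 0:
        return None
    _name_ptr, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", resp[off:off + 12])
    if rtype != QTYPE_A or rdlen != 4:
        return None
    return socket.inet_ntoa(resp[off + 12:off + 16])


def serve(bind=("127.0.0.1", 5353)):
    """Serve UDP queries forever; malformed packets are silently dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(sinkhole_response(data), peer)
        except ValueError:
            continue


if __name__ == "__main__":
    serve()
```

Run it and query it with `dig @127.0.0.1 -p 5353 www.example.com`: every name comes back as 192.0.2.1, which is the behaviour that puts the notice page in front of any browser on an infected machine. The design choice worth noting is that the question section is echoed byte for byte and the answer name is a compression pointer to it, so the responder never has to re-encode the name and cannot disagree with the client about what was asked.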
Think about it
A user tries to browse the internet and is suddenly confronted with a message saying that their computer is infected with a virus and to click here to clean the infection... in other words, exactly what they would see on a website trying to infect them with FakeAV malware. Do we really want to train people to believe this stuff and click the links?
That's not what it says
"A user tries to browse the internet and is suddenly confronted with a message saying that their computer is infected with a virus and to click here to clean the infection..."
I recommend you read the suggestion you were responding to a little more carefully. It was "your computer is infected please contact your support department... click here for more info", and that's exactly whom someone with an infected computer should be directed to. Yes, people do need to learn not to trust any third party with whom no prior support relationship exists that informs them about an infection and offers to carry out a repair, but that's not the course of action actually suggested here. Perhaps "contact your support department, or your current anti-virus software supplier if you have one, or your computer vendor if you don't" might be the most precise formulation, but for those with a limited attention span the advice as suggested was probably better, as it was likely to be clearer.
As long as it still says "click here for more info"
it is a bad idea because it trains users to do the wrong thing.
Besides, it would be FAR more effective to put up a nice big friendly message that says:
"This DNS Resolution server has been brought to you by the FBI who are NOT logging your IP address. Your request will be redirected in [countdown timer starting at 10] seconds."
Given they are providing a DNS service instead of the botnet doing it, why don't they simply redirect all web requests to a nice (official) page showing their IP, and what they need to do.
If the users don't believe it, they'll call their sysadmins, who should promptly sort it....
"The German firm, best known for its freebie security scanner software, has also released a free DNS-Repair tool so users can revert to the default settings of Windows with only a few clicks."
So this affects Microsoft machines then, does it? Not really a surprise, I suppose!
"had at least one computer or router on their network still infected with DNSChanger."
Do you see where it says router? When was the last time you saw a Windows router?
"When was the last time you saw a Windows router?"
About the same time I last saw a Windows server (which was years ago, fortunately for my sanity).
But I've been told some people out there still think a Windows box is a proper server, so I wouldn't be surprised if they also used one as a router. Never underestimate these kinds of people, I tell you.
Who are they helping by leaving the DNS servers up?
The sooner the DNS servers get turned off, the sooner the people who were infected will do something about it - you don't really think they're going to track it down and fix it before they're even aware that there's a problem, do you?
WTF are they doing allowing internal machines to perform Internet DNS lookups in the first place??
Internal machines and DNS lookups
> WTF are they doing allowing internal machines to perform Internet DNS lookups in the first place??
They don't; normally internal machines get their DNS settings from the local DHCP server, so presumably DNSChanger adds a new entry to the local HOSTS file. Besides, according to this, DNSChanger can change DNS settings on the router:
"The DNSChanger malware is capable of changing the DNS server settings within SOHO routers that have the default username and password provided by the manufacturer"
It shouldn't matter what DNSChanger does to a client's local DNS settings: any decent-sized company (say more than a hundred machines?) should be denying external DNS lookups at the firewall, and using internal resolvers and proxies to handle traffic to t'Internet. Common sense :-\
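The egress control described in the comment above leaves a paper trail: with external DNS denied at the firewall, any internal host that tries to reach a resolver other than the approved internal ones is a host whose DNS settings have been changed, whether by DNSChanger or by something else. The following is an added example, not from the thread or the article, that runs that check over firewall log lines. The log lines, the approved resolvers 10.0.0.53 and 10.0.1.53, and the external destinations (TEST-NET documentation addresses) are all constructed for the example; the last sample line mirrors the router case quoted above, where the gateway itself forwards to a changed upstream server.

```python
"""Flag internal hosts sending DNS traffic to unapproved resolvers.

Added example (not from the original thread). The log format (key=value tokens
as written by netfilter-style logging), the approved resolver addresses and
every sample line are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumption: these are the only resolvers internal hosts are allowed to use.
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Constructed sample log. 10.1.2.3 talks to two external resolvers (the
# DNSChanger symptom), 10.1.2.4 and 10.1.2.6 behave, 10.1.2.5 is plain web
# traffic, and 192.168.1.1 is a SOHO gateway forwarding to a changed upstream.
SAMPLE_LOG = """\
Feb  9 10:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.7 LEN=73 PROTO=UDP SPT=53012 DPT=53
Feb  9 10:01:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.4 DST=10.0.0.53 LEN=73 PROTO=UDP SPT=49152 DPT=53
Feb  9 10:01:07 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=50111 DPT=53
Feb  9 10:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.5 DST=203.0.113.7 LEN=64 PROTO=TCP SPT=40001 DPT=80
Feb  9 10:01:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.6 DST=10.0.1.53 LEN=73 PROTO=UDP SPT=53456 DPT=53
Feb  9 10:01:13 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=203.0.113.7 LEN=73 PROTO=UDP SPT=1025 DPT=53
this line has no fields and must be ignored
"""


def parse_fields(line):
    """Split a log line into its KEY=VALUE tokens; tokens without '=' are dropped."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def dns_flows(lines):
    """Yield (src, dst) address pairs for UDP/TCP traffic to destination port 53."""
    for line in lines:
        f = parse_fields(line)
        if f.get("DPT") != "53" or f.get("PROTO") not in ("UDP", "TCP"):
            continue
        try:
            yield ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed or incomplete line: skip, do not crash the sweep


def find_unapproved_resolvers(lines, approved=APPROVED_RESOLVERS):
    """Map each source host to the sorted list of non-approved resolvers it contacted."""
    offenders = defaultdict(set)
    for src, dst in dns_flows(lines):
        if dst not in approved:
            offenders[str(src)].add(str(dst))
    return {src: sorted(dsts) for src, dsts in sorted(offenders.items())}


if __name__ == "__main__":
    for host, resolvers in find_unapproved_resolvers(SAMPLE_LOG.splitlines()).items():
        print(f"{host} queried unapproved resolver(s): {', '.join(resolvers)}")
```

The check is deliberately about the destination rather than the content of the query: a host that points at an outside resolver is misconfigured or compromised regardless of what it asks, and that is exactly the class of change DNSChanger makes. Feeding the script the output of the firewall's deny rule turns the rule from a silent block into a list of machines for the desk-side visit the earlier comments are calling for.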
What's common sense got to do with it?
Setting up a properly functioning DNS server isn't easy, and in an already overworked IT-department, who's going to take on that task?
It's also common sense to use a login account that doesn't have administrative privileges, but you'd be surprised at how many users at large corporations or government agencies have full administrative access on 'their' computers. (And usually no clue as to why this is bad)
In most big organisations, IT isn't considered 'critical' enough to have its rightful place in the hierarchy (directly under the company president) or even to have the necessary mandate to do its job.
I can pull the plug on ANY computer in my organisation if I believe it to be infected, knowing that I have the authorisation to do so, and that no two-bit 'king' of whatever department can overrule me.
And even if the CTO is nominally sitting at the same table as the CEO,
chances are he's still the red-headed step child of the CxO crew.
"a heightened risk of attack, not least because DNSChanger disables anti-virus software and security updates"
I wouldn't take it for granted that stopping updates to anti-virus software harms security...