FBI announced that it has successfully completed Operation Ghost Click, two year investigation of a criminal organization that operated from Estonia. The long-lived botnets made up of more than 4 million machines (bot) had been hijacked by the malware was dismantled by the FBI and Estonian Police in collaboration with a group of International Partners. Thousands of computers still infected with the DNSChanger Trojan will not be able to access the Internet after the FBI shuts down its temporary servers March 8.
Some major organizations still have not removed the DNSChanger Trojan from infected computers, despite the fact that the botnet's command-and-control infrastructure has been under the Federal Bureau of Investigation's control for the past few months. Half of Fortune 500 companies and 27 out of 55 government entities still have at least one computer or router still infected with DNSChanger malware in their network, according to a study by Internet Identity released 02 February.
The report data was collected from IID's ActiveKnowledge Signals systems as well as from other data-collection systems. That translates to about 450,000 computers still actively infected, according to the DNS Changer Working Group.
The primary function of the DNSChanger malware family is to replace the Domain Name System servers defined on the victim's computer with rogue ones operated by the criminals.
DNS translates domain names into the numeric IP addresses and lets users access Websites and work online without having to know each specific computer's address.
Windows and Mac OS X users are both vulnerable to this Trojan.
All user activity from infected machines was directed to rogue DNS servers, which sent users to malicious sites instead of to sites they were really trying to reach. The FBI said the criminals in charge of the operation were making money from referral fees from affiliate programs and fake antivirus software sales.
The FBI took over the botnet's command-and-control (C&C) servers in November as part of Operation Ghost Click. The FBI replaced the rogue DNS servers with legitimate servers and published instructions on how system administrators could detect and disinfect the malware-ridden computers.
The FBI will have to take down the servers they put up to replace the rogue ones on 08 March. The court order that allowed Operation Ghost Click permitted the FBI to run the legitimate servers only for 120 days. If the IT teams don't clean up those computers immediately, come March 8, those computers and routers will be unable to get on the Web, send emails or do anything online.
The FBI has published a PDF guide and page to performing the self-check here:
On-line DNSChanger Trojan detect.
Qualys has added the capability to detect the malware to its free BrowserCheck tool, Avira offers the Avira DNS Repair Tool to fix DNS settings after removing the malware with an antivirus program.