Federal prosecutors have requested a three-month extension for the operation of temporary DNS servers to give computer users more time to identify and purge the DNSChanger trojan from their systems.
Security blogger Brian Krebs published a court filing from the Southern District of New York [PDF], which seeks an extension to be granted for the operation of the servers in two U.S. data centers until July 9.
DNSChanger malware infected approximately four million computers in 100 countries, according to FBI statistics. About 500,000 infections alone are in the United States.
The infected computers and routers belong to individuals, businesses and government agencies.
The FBI is seeking the extradition of six Estonian nationals in relation to the malware distribution. The arrests were made in November following a two-year investigation codenamed Operation Ghost Click.
DNSChanger was allegedly used by the men to “manipulate the multi-billion-dollar internet advertising industry” to the tune of $14 million, according to the FBI.
The malware redirected users’ legitimate searches and URLs to malicious sites via rogue DNS servers. It also disabled anti-virus and software updates.
Under a federal court order, the rogue DNS servers were replaced with legitimate servers that were initially meant to operate until March 8.
This was to give ISPs and users time to identify and rid themselves of infections. If the control servers were switched off straight away, it would likely have disrupted users’ internet access.
The federal government is now seeking an extension of the initial court order, which would see the replacement DNS servers continue operating until July 9.
One reason for the request could be the apparently slow progress in removing DNSChanger infections.
It came less than two weeks after a study by Internet Identity (IID) found high levels of DNSChanger infection among Fortune 500 firms, despite the looming deadline.
IID said it had found “at least 250 of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger in early 2012.”
The firm warned that the rate of infection could spell disaster for users if the temporary DNS servers were switched off as planned.
“Barring further court actions, on March 8, 2012 when … the legitimate servers are taken down, millions of people may not be able to reach their intended internet destinations,” IID said. “Because infected computers and routers will have no servers directing their DNS requests, the internet may literally go dark for people using those computers or routers.”
No ruling has yet been made on the extension request.
Information on the DNSChanger clean-up process can be found here.