major organizations still have not removed the DNSChanger Trojan

Some of the major organizations still have not removed the DNSChanger Trojan from infected computers, despite the fact the botnet’s command-and-control infrastructure has been under the Federal Bureau of Investigation‘s control for the past few months.

The primary function of the DNSChanger malware family is to replace the Domain Name System servers defined on the victim’s computer with rogue ones operated by the criminals. DNS translates domain names into the numeric IP addresses and lets users access Websites and work online without having to know each specific computer’s address. Windows and Mac OS X users are both vulnerable to this Trojan.

All user activity from infected machines were directed to rogue DNS servers, which sent users to malicious sites instead of to sites they were really trying to reach. The FBI said the criminals in charge of the operation were making money off referral fees from affiliate programs and fake antivirus software sales. DNS Changer also prevents machines from getting security updates for all software programs running.

The FBI took over the botnet’s C&C servers in November as part of Operation Ghost Click. The FBI replaced the rogue DNS servers with legitimate servers and published instructions on how system administrators could detect and disinfect the malware-ridden computers. The FBI believes as many as four million machines had been hijacked by the malware at the height of the criminal campaign. Six Estonian nationals have been arrested by the FBI.

Half of Fortune 500 companies and 27 out of 55 government entities still have at least one computer or router still infected with DNSChanger malware in their network, according to a study by Internet Identity released Feb. 2. The report data was collected from IID‘s ActiveKnowledge Signals systems as well as from other data-collection systems.

That translates to about 450,000 computers still actively infected, according to the DNS Changer Working Group.