DHS pinpoints government computers set to lose Internet access
Federal agencies are taking steps to extract the DNSChanger virus that could cause disconnections on March 8.
The Obama administration employed a new governmentwide network surveillance tool and private sector assistance to search for corrupted agency computers that are at risk of going offline in less than two weeks, Homeland Security Department officials said.
The DNSChanger virus had infected half of the government's major agencies as of early 2012, security firm Internet Identity reported on Feb. 2. Researchers there found 27 of 55 government departments had at least one corrupted computer or router. DHS officials on Sunday evening said they could neither confirm nor deny the assessment.
"DHS identified infected agencies by leveraging multiple sources to ensure we have the most comprehensive accounting of machines infected within the dot-gov," spokesman Peter Boogaard said, referring to the new technology, information from industry and government partners, and data feeds. "Each organization is actively implementing mitigation strategies to alleviate infections."
DNSChanger, which federal agents started eradicating last year, worked by commanding compromised machines in a botnet to communicate with rogue servers that redirected the victims to fraudulent websites.
The worm changes the computer settings that ordinarily point users to Domain Name System servers for navigating to the right sites. Legitimate servers, operated by Internet service providers, act like a telephone operator, looking up Web addresses in the Internet's phone book, or Domain Name System. DNS translates alphabetic website names, like Amazon.com, into a series of numbers that computers need for direction. The rogue DNS servers connected victims -- or "bots," as in robots -- to the wrong, and sometimes illegal, sites.
The FBI temporarily solved the problem by seizing the bad servers and getting a court order to automatically connect the infected computers with clean servers until March 8. After that, victims could lose Internet connectivity, government officials say.
"The DHS has been engaged with federal agencies to determine impacts and options for the inevitable power down of the FBI-controlled servers," Boogaard said.
The clean servers were meant to buy time for ISPs and their customers to remove the malicious software. But, now, more than 400,000 computer users in federal agencies, companies, the nonprofit community, and homes worldwide remain dependent on those servers for Internet access, according to Justice Department officials.
DHS officials said they were able to find the agencies hit partly by inputting the footprints of DNSChanger into Einstein, a governmentwide threat-monitoring system. "Various indicators were injected into Einstein sensors to identify victims," Boogaard explained.
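The host-level counterpart of the indicator matching described above is to compare each machine's configured resolvers against known-bad and approved address ranges. The following is an added example, not code from the article, DHS or Einstein; the rogue and approved networks and the configuration snippets are constructed placeholders, not the real DNSChanger ranges.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the rogue resolver
# networks an indicator feed would supply (not the real DNSChanger ranges).
ROGUE_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.128/25")]
# Resolvers the organisation actually operates (assumed, constructed).
APPROVED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_resolvers(config_text):
    """Extract resolver addresses from resolv.conf or 'ipconfig /all' style text.

    Windows lists extra DNS servers on unlabeled continuation lines, so a bare
    address directly after a 'DNS Servers' line is treated as part of that list.
    """
    found, in_dns_block = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver") or "DNS Servers" in stripped:
            found.extend(IPV4.findall(stripped))
            in_dns_block = "DNS Servers" in stripped
        elif in_dns_block and IPV4.fullmatch(stripped):
            found.append(stripped)
        else:
            in_dns_block = False
    return found


def classify(address):
    """'rogue' if in a known-bad range, 'approved' if ours, else 'unexpected'."""
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in ROGUE_NETS):
        return "rogue"
    if any(ip in net for net in APPROVED_NETS):
        return "approved"
    return "unexpected"


def audit(config_text):
    """Map each configured resolver to its verdict; any 'rogue' entry flags the host."""
    return {addr: classify(addr) for addr in parse_resolvers(config_text)}


# Constructed sample configurations: one rewritten by the malware, one clean.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.20.30.40
   DNS Servers . . . . . . . . . . . : 203.0.113.45
                                       203.0.113.46
"""
SAMPLE_RESOLV = "search corp.example\nnameserver 10.1.1.53\nnameserver 198.51.100.5\n"
```

An "unexpected" verdict is not proof of infection but is worth a look, since a resolver outside the approved set is exactly what a settings-changing worm produces.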
The tool has been activated at 17 of the 19 agencies intended to be covered by the program, DHS Secretary Janet Napolitano told lawmakers earlier this month. The department has requested $345 million in its 2013 budget to enhance Einstein with an intrusion-prevention component that can halt breaches before harm is done.
Department officials said they also learned of targets by sharing intelligence with the FBI, ISPs and the Internet Systems Consortium, a nonprofit organization running the temporary servers that the contaminated computers are still contacting.
On Feb. 17, Justice, with the backing of Homeland Security, sought another court order to let the consortium continue operating the clean servers until July 9 so that the remaining victims can be notified and assisted. About a week ago, officials asked the judge to expedite the process by skipping the normal two-week wait period for rendering a decision, according to court documents.
On Wednesday, Federal Communications Commission Chairman Julius Genachowski characterized botnets as one of the most significant cyber threats and called on ISPs to adopt voluntary agreements to address the menace. Specifically, he urged that providers detect infections in customers' computers, teach customers how to spot signs they are being exploited, and offer remedies.