Computers infected in an alleged $14 million clickjacking scheme broken up by the FBI in 2011 continue to send hundreds of thousands of Domain Name System (DNS) requests to servers set up as legitimate replacements for the rogue DNS servers the schemers operated.
In a Feb. 17 application filed in federal court in New York, the U.S. Attorney says the government needs to keep the replacement servers, which were set to go offline March 8, running for another 5 months, until July 9.
On Nov. 1 the U.S. indicted six Estonians and one Russian in the clickjacking scheme; the Estonians await extradition by local authorities to the United States, while the Russian, Andrey Taame, remained at large as of Feb. 21, according to a U.S. Attorney court filing.
The defendants infected 4 million computers worldwide, at least 500,000 of them inside the United States, among them computers belonging to federal agencies such as NASA, the indictment states.
Although traffic to the replacement servers, put in place by the Internet Systems Consortium at the behest of the federal government, has "generally declined since Nov. 8," the U.S. Attorney application states, "it appears that at least several hundred thousand computers continue to rely on the Replacement DNS Servers to resolve DNS queries."
According to Krebs On Security, efforts to remove the clickjackers' malware have taken longer than expected.
Citing research by Tacoma, Wash.-based Internet security firm Internet Identity, Krebs says at least one of the clickjackers' infections may be present "in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities."
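The practical problem the filing describes is that an infected machine keeps working only because its hijacked resolver setting points at a server the government is still running; once the replacement servers go offline, the machine loses DNS entirely. The defensive check an administrator would run is therefore an inventory audit: read each host's configured resolvers and flag any that fall inside the known rogue ranges. The following Python example is added here for illustration and is not from the article, the court filings or any tool named in them. The resolver ranges and the host inventory are constructed placeholders (RFC 5737 test addresses), since the article does not list the actual rogue server ranges; a real audit would substitute the ranges published for the case.

```python
import ipaddress

# Placeholder ranges standing in for the rogue/replacement resolver blocks.
# These are RFC 5737 documentation addresses, not the ranges from the case,
# which the article does not list; substitute the published ranges in practice.
SUSPECT_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text.

    Comments (after '#') and malformed addresses are ignored so that one
    bad line does not abort the audit of a whole host.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip unparseable entries rather than failing
    return servers


def flag_suspect_resolvers(servers, ranges=SUSPECT_RESOLVER_RANGES):
    """Return the configured resolvers that fall inside any suspect range."""
    return [str(ip) for ip in servers if any(ip in net for net in ranges)]


def audit_hosts(inventory, ranges=SUSPECT_RESOLVER_RANGES):
    """Map hostname -> resolver config text; return only hosts with findings.

    A host that appears here still depends on the replacement servers and
    will lose name resolution when those servers are switched off.
    """
    findings = {}
    for host, text in inventory.items():
        hits = flag_suspect_resolvers(parse_resolv_conf(text), ranges)
        if hits:
            findings[host] = hits
    return findings


# Constructed sample inventory: one clean host, two pointing at placeholder
# rogue ranges, one with a malformed entry that must be tolerated.
SAMPLE_INVENTORY = {
    "ws-01": "nameserver 192.0.2.53\nnameserver 203.0.113.7\n",
    "ws-02": "search corp.example\nnameserver 192.0.2.53  # internal\n",
    "ws-03": "# pushed by malware\nnameserver 198.51.100.20\nnameserver bogus\n",
    "ws-04": "nameserver 198.51.100.200\n",  # outside the /25, so clean
}

if __name__ == "__main__":
    for host, hits in sorted(audit_hosts(SAMPLE_INVENTORY).items()):
        print(f"{host}: still configured for suspect resolvers {hits}")
```

Running the block lists ws-01 and ws-03; ws-04 is reported clean because 198.51.100.200 lies outside the 198.51.100.0/25 placeholder block, which is why range membership rather than prefix string matching is used. On Windows hosts the same check applies to the per-interface `NameServer` registry values rather than resolv.conf, but the range test is identical.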