[AfrICANN-discuss] The number is no longer in service

Anne-Rachel Inné annerachel at gmail.com
Thu May 31 17:31:04 SAST 2012


Malware: The number is no longer in service

http://www.economist.com/blogs/babbage/2012/05/malware?fsrc=scn/fb/wl/bl/numberisnolongerinservice

May 29th 2012, 8:57 by G.F. | SEATTLE

ON JULY 9th users of hundreds of thousands of computers worldwide will be
mystified. They will no longer be able to access websites, e-mail servers
and other resources despite an active internet connection. The indirect
culprit is the DNS Changer Trojan horse, a piece of malware which tweaks
operating-system settings on computers and residential internet routers so
as to redirect traffic to certain sites and rack up advertising fees. But
it is America's Federal Bureau of Investigations (FBI) that is the
proximate cause of the disruption.

Last November the FBI led an international raid
<http://www.fbi.gov/newyork/press-releases/2011/manhattan-u.s.-attorney-charges-seven-individuals-for-engineering-sophisticated-internet-fraud-scheme-that-infected-millions-of-computers-worldwide-and-manipulated-internet-advertising-business> to
shut down the malware operation. Seven men have been charged, six
captured, and so far one extradited from Estonia last month. The trouble is
that the gumshoes could not simply turn off the malicious domain name
system (DNS) servers, which translate intelligible website addresses like
economist.com <http://www.economist.com> into numerical ones like
64.14.173.202.
This would have meant that any computer which the malware routed through
the subverted DNS server would find its connection severed.

The scammers made their money, a suspected $14m, by redirecting links from
Netflix, Apple's iTunes and the Internal Revenue Service (IRS), among
others, to another service which paid a fee for each arriving user. Some of
the destinations were none the wiser, like H&R Block, a tax consultancy,
receiving IRS traffic. Others may have been fully aware. They complemented
this "click hijacking" with "advertising replacement fraud", where ads on
legitimate sites were replaced with other, pay-per-pageview ones that also
paid for resulting sales. For most requests, however, the fraudsters' DNS
servers returned legitimate results.

When the subverted DNS servers are shut down, the user's browser no longer
knows where to send page requests and other internet software will be
baffled as well, at least until a user employs "rootkit removal software",
reinstalls Windows or reconfigures the router. This is beyond the ken of
most users. So, in order to avoid disruption, the FBI secured a judge's
permission to have a trusted third-party take over the DNS service until
March 8th. Paul Vixie, the father of DNS and founder of the Internet
Systems Consortium (ISC), a non-profit that manages open-source internet
infrastructure software, tells a thrilling tale
<http://www.circleid.com/posts/20120327_dns_changer/> of midnight
server-room activity after the international raid had taken
place. At that time as many as 4.5m devices routinely consulted the rogue
servers.

March 8th proved too optimistic, however. As many as 500,000 machines in
America and five times as many elsewhere remained affected by the end of
February. The FBI managed to wangle an extension until July 9th. On that
day, though, the plug will be pulled. An international industry consortium, the
DNS Changer Working Group <http://www.dcwg.org/>, has strived to inform as
many users as possible.

These efforts were stepped up on May 2nd. CloudFlare, a
content-distribution network, added a
feature <http://blog.cloudflare.com/cloudflare-opendns-work-together-to-save-the> for
its clients on behalf of whom CloudFlare feeds out web pages and media
files to 350m unique visitors a month. Flip a switch and CloudFlare-served
pages sniff for infected users, alert them to the problem and provide
advice on removing the malware. CloudFlare also released a bit of
JavaScript code that any website can use to the same end. And on May 22nd
Google joined the
fray <http://googleonlinesecurity.blogspot.com/2012/05/notifying-users-affected-by-dnschanger.html>,
alerting users of its search page who are infected. Google estimates it
will reach 500,000 users within a week.

Major internet service providers also have contingency plans to intercept
requests for the shuttered DNS servers and re-route them internally to
their own, kosher ones. This is a Band-Aid, not surgery—but it will do the
trick for now.

The big problem is that warnings presented to users by Cloudflare, Google
and others may themselves seem like scams to those who continue to be
affected, especially since a disproportionate number of them are likely to
be unsophisticated users—those better informed would have flushed the
malware out by now. As a result, the worm may remain on many computers
indefinitely. Mr Vixie notes that years after the emergence of the Conficker
worm <http://www.microsoft.com/security/pc-security/conficker.aspx>, the
worst malware in history by number of devices infected, it continues to
wreak havoc with millions of machines. Computer worms, it seems, are
changing from an acute condition that can be cured with a swift
intervention into a chronic disease.
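The article describes the failure mode (a machine or router still pointed at the seized resolvers) but not how an operator would check for it. The script below is an added example, not part of the forwarded article and not code from the DCWG, CloudFlare or Google. It parses the two places where an affected host's resolver setting is visible, a Unix resolv.conf and the "DNS Servers" lines of Windows `ipconfig /all` output, and tests each address against a list of resolver ranges. The ranges are my recollection of the DCWG/FBI advisory and are not stated on this page, so they are an assumption to be verified against dcwg.org before use; the two input samples are constructed for the example.

```python
import ipaddress
import re

# Resolver ranges attributed to the DNSChanger servers in the DCWG/FBI advisory,
# reproduced from memory: NOT taken from this page, verify before relying on them.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# "DNS Servers . . . . . : 64.28.176.5" followed by indented continuation lines
# that hold only an address, as ipconfig /all prints additional servers.
_IPCONFIG_DNS_RE = re.compile(r"^\s*DNS Servers[\s.]*:\s*(\S+)\s*$")
_IPCONFIG_CONT_RE = re.compile(r"^\s+([0-9A-Fa-f:.]+)\s*$")


def _to_ip(token):
    """Parse an address token, returning None for anything that is not one."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        # Strip both comment styles resolv.conf accepts, then tokenize.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            ip = _to_ip(parts[1])
            if ip is not None:
                servers.append(ip)
    return servers


def parse_ipconfig(text):
    """Return the DNS server addresses from Windows `ipconfig /all` output."""
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        m = _IPCONFIG_DNS_RE.match(line)
        if m:
            ip = _to_ip(m.group(1))
            if ip is not None:
                servers.append(ip)
            in_dns_block = True
            continue
        if in_dns_block:
            m = _IPCONFIG_CONT_RE.match(line)
            ip = _to_ip(m.group(1)) if m else None
            if ip is None:
                in_dns_block = False  # next field of the adapter, block over
            else:
                servers.append(ip)
    return servers


def rogue_matches(servers, ranges=ROGUE_RANGES):
    """Return the subset of servers that fall inside any of the rogue ranges."""
    return [s for s in servers if any(s in net for net in ranges)]


def check_host(resolv_text=None, ipconfig_text=None):
    """Combine both sources and report whether any configured resolver is rogue."""
    servers = []
    if resolv_text:
        servers += parse_resolv_conf(resolv_text)
    if ipconfig_text:
        servers += parse_ipconfig(ipconfig_text)
    hits = rogue_matches(servers)
    return {
        "servers": [str(s) for s in servers],
        "rogue": [str(s) for s in hits],
        "affected": bool(hits),
    }


# Constructed sample inputs for the example (not real captures).
SAMPLE_RESOLV = """# constructed sample resolv.conf
nameserver 85.255.112.36
nameserver 8.8.8.8
search example.net
"""

SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 64.28.176.5
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print(check_host(resolv_text=SAMPLE_RESOLV))
    print(check_host(ipconfig_text=SAMPLE_IPCONFIG))
```

A result that lists only a private address such as 192.168.1.1 is not a clean bill of health: the article notes the malware also rewrote residential routers, so the router's own upstream resolver has to be checked the same way, and a host behind an ISP that intercepts and re-routes the seized addresses will keep resolving names even though its configuration is still wrong.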