<h1 class="ec-blog-fly-title">Malware</h1>
<h3 class="ec-blog-headline">
The number is no longer in service </h3>
<p class="ec-blog-info">
<a href="http://www.economist.com/blogs/babbage/2012/05/malware?fsrc=scn/fb/wl/bl/numberisnolongerinservice">http://www.economist.com/blogs/babbage/2012/05/malware?fsrc=scn/fb/wl/bl/numberisnolongerinservice</a></p><p class="ec-blog-info">
May 29th 2012, 8:57 by G.F. | SEATTLE </p>
<div class="ec-blog-body">
<p>ON JULY 9th users of hundreds of thousands of computers worldwide
will be mystified. They will no longer be able to access websites,
e-mail servers and other resources despite an active internet
connection. The indirect culprit is the DNS Changer Trojan horse, a
piece of malware which tweaks operating-system settings on computers and
residential internet routers so as to redirect traffic to certain sites
and rack up advertising fees. But it is America's Federal Bureau of
Investigation (FBI) that is the proximate cause of the disruption.</p><p>Last November the <a href="http://www.fbi.gov/newyork/press-releases/2011/manhattan-u.s.-attorney-charges-seven-individuals-for-engineering-sophisticated-internet-fraud-scheme-that-infected-millions-of-computers-worldwide-and-manipulated-internet-advertising-business" target="_blank">FBI led an international raid</a>
to shut down the malware operation. Seven men have been charged, six
captured, and so far one extradited from Estonia last month. The trouble
is that the gumshoes could not simply turn off the malicious domain
name system (DNS) servers, which translate intelligible website
addresses like <a href="http://www.economist.com">economist.com</a> into numerical ones like 64.14.173.202.
This would have meant that any computer which the malware routed
through the subverted DNS server would find its connection severed. </p> <p>The
scammers made their money, a suspected $14m, by redirecting links from
Netflix, Apple's iTunes and the Internal Revenue Service (IRS), among
others, to another service which paid a fee for each arriving user. Some
of the destinations were none the wiser, like H&R Block, a tax
consultancy, receiving IRS traffic. Others may have been fully aware.
They complemented this "click hijacking" with "advertising replacement
fraud", where ads on legitimate sites were replaced with other,
pay-per-pageview ones that also paid for resulting sales. For most
requests, however, the fraudsters' DNS servers returned legitimate
results.</p> <p>When the subverted DNS servers are shut down, the user's
browser no longer knows where to send page requests and other internet
software will be baffled as well, at least until a user employs "rootkit
removal software", reinstalls Windows or reconfigures the router. This
is beyond the ken of most users. So, in order to avoid disruption, the
FBI secured a judge's permission to have a trusted third-party take over
the DNS service until March 8th. Paul Vixie, the father of DNS and
founder of the Internet Systems Consortium (ISC), a non-profit that
manages open-source internet infrastructure software, <a href="http://www.circleid.com/posts/20120327_dns_changer/" target="_blank">tells a thrilling tale</a>
of midnight server-room activity after the international raid had taken
place. At that time as many as 4.5m devices routinely consulted the
rogue servers.</p> <p>March 8th proved too optimistic, however. As many
as 500,000 machines in America and five times as many elsewhere remained
affected by the end of February. The FBI managed to wangle an extension
until July 9th. On that day, though, the plug will be pulled. An
international industry consortium, <a href="http://www.dcwg.org/" target="_blank">the DNS Changer Working Group</a>, has strived to inform as many users as possible.</p> <p>These efforts were stepped up on May 2nd. CloudFlare, a content-distribution network, <a href="http://blog.cloudflare.com/cloudflare-opendns-work-together-to-save-the" target="_blank">added a feature</a>
for its clients on behalf of whom CloudFlare feeds out web pages and
media files to 350m unique visitors a month. Flip a switch and
CloudFlare-served pages sniff for infected users, alert them to the
problem and provide advice on removing the malware. CloudFlare also
released a bit of JavaScript code that any website can use to the same
end. And on May 22nd Google <a href="http://googleonlinesecurity.blogspot.com/2012/05/notifying-users-affected-by-dnschanger.html" target="_blank">joined the fray</a>, alerting users of its search page who are infected. Google estimates it will reach 500,000 users within a week.</p> <p>Major
internet service providers also have contingency plans to intercept
requests for the shuttered DNS servers and re-route them internally to
their own, kosher ones. This is a Band-Aid, not surgery—but it will do
the trick for now.</p> <p>The big problem is that warnings presented to
users by CloudFlare, Google and others may themselves seem like scams to
those who continue to be affected, especially since a disproportionate
number of them are likely to be unsophisticated users—those better
informed would have flushed the malware out by now. As a result, the
malware may remain on many computers indefinitely. Mr Vixie notes that
years after the emergence of the <a href="http://www.microsoft.com/security/pc-security/conficker.aspx" target="_blank">Conficker worm</a>,
the worst malware in history by number of devices infected, it
continues to wreak havoc with millions of machines. Computer worms, it
seems, are changing from an acute condition that can be cured with a
swift intervention into a chronic disease.</p> </div>
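<p>The "am I affected?" checks the article describes (the DCWG's, CloudFlare's and Google's) all come down to one question: does the machine or router point at a resolver in one of the netblocks the fraudsters operated? The script below is an added example, not code from the article, CloudFlare, Google or the DCWG. It reads a resolver configuration in either Linux <code>/etc/resolv.conf</code> form or the shape of Windows <code>ipconfig /all</code> output and flags any resolver that falls in a rogue range. The two ranges it uses are placeholders (RFC 5737 documentation networks); the real DNSChanger resolver ranges were published by the FBI and the DCWG and are not reproduced here, and the sample configurations are constructed.</p>

```python
# Added example (not the article's, CloudFlare's, Google's or the DCWG's code):
# a resolver-configuration check of the kind the "am I affected?" pages relied on.
# The rogue ranges below are PLACEHOLDERS (RFC 5737 documentation networks);
# substitute the netblocks published by the FBI/DCWG for a real check.
import ipaddress
from typing import List, Optional, Tuple

# Placeholder ranges standing in for the published rogue-resolver netblocks.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample in Linux/macOS /etc/resolv.conf format.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.0.2.53
nameserver 8.8.8.8
search example.org
"""

# Constructed sample in the shape of Windows `ipconfig /all` output.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _as_ip(token: str) -> Optional[ipaddress._BaseAddress]:
    """Return an address object, or None if the token is not an IP address."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_resolv_conf(text: str) -> List[str]:
    """Collect the addresses on 'nameserver' lines, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver" and _as_ip(parts[1]) is not None:
            servers.append(parts[1])
    return servers


def parse_ipconfig(text: str) -> List[str]:
    """Collect addresses from 'DNS Servers' fields, including the indented
    continuation lines Windows prints for additional resolvers."""
    servers, in_dns_field = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS Servers"):
            in_dns_field = True
            line = line.split(" : ", 1)[-1].strip()  # drop the dotted label
        if in_dns_field and _as_ip(line) is not None:
            servers.append(line)
        else:
            in_dns_field = False  # any other field ends the resolver list
    return servers


def rogue_resolvers(servers: List[str]) -> List[Tuple[str, str]]:
    """Pair each configured resolver with the rogue range it falls in, if any."""
    flagged = []
    for server in servers:
        addr = ipaddress.ip_address(server)
        for net in ROGUE_RESOLVER_RANGES:
            if addr in net:
                flagged.append((server, str(net)))
                break
    return flagged


def check_resolv_conf(text: str) -> List[Tuple[str, str]]:
    return rogue_resolvers(parse_resolv_conf(text))


def check_ipconfig(text: str) -> List[Tuple[str, str]]:
    return rogue_resolvers(parse_ipconfig(text))


if __name__ == "__main__":
    for name, hits in (("resolv.conf", check_resolv_conf(SAMPLE_RESOLV_CONF)),
                       ("ipconfig", check_ipconfig(SAMPLE_IPCONFIG))):
        if hits:
            print(f"{name}: resolver(s) inside a rogue range: {hits}")
        else:
            print(f"{name}: no resolver inside a rogue range")
```

<p>A hit on either sample means the machine would lose name resolution the moment the substitute servers go dark, which is exactly the July 9th failure mode the article describes; a machine whose router was altered shows a clean local configuration, so the router's WAN DNS settings need the same comparison.</p>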