Hundreds of thousands may lose Internet in July

Apr 21, 2012, by Lolita C. Baldor, Associated Press
This undated handout image provided by the DNS Changer Working Group (DCWG) shows the webpage. It will only take a few clicks of the mouse. But for hundreds of thousands of computer users, those clicks could mean the difference between staying online and losing their connections this July. (AP Photo/DNS Changer Working Group)

(AP) -- For computer users, a few mouse clicks could mean the difference between staying online and losing Internet connections this summer.

Unknown to most of them, their problem began when international hackers ran an online advertising scam to take control of infected computers around the world. In a highly unusual response, the FBI set up a safety net months ago using government computers to prevent Internet disruptions for those infected users. But that system is to be shut down.

The FBI is encouraging users to visit a website run by its security partner, http://www.dcwg.org , that will inform them whether they're infected and explain how to fix the problem. After July 9, infected users won't be able to connect to the Internet.

Most victims don't even know their computers have been infected, although the infection probably has slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

Last November, the FBI and other authorities were preparing to take down a hacker ring that had been running an advertising scam on a massive network of infected computers.

"We started to realize that we might have a little bit of a problem on our hands because ... if we just pulled the plug on their criminal infrastructure and threw everybody in jail, the victims of this were going to be without Internet service," said Tom Grasso, an FBI supervisory special agent. "The average user would open up Internet Explorer and get 'page not found' and think the Internet is broken."

On the night of the arrests, the agency brought in Paul Vixie, chairman and founder of Internet Systems Consortium, to install two Internet servers to take the place of the truckload of impounded rogue servers that infected computers were using. Federal officials planned to keep their servers online until March, giving everyone opportunity to clean their computers. But it wasn't enough time. A federal judge in New York extended the deadline until July.

Now, said Grasso, "the full court press is on to get people to address this problem." And it's up to computer users to check their PCs.

This is what happened:

Hackers infected a network of probably more than 570,000 computers worldwide. They took advantage of vulnerabilities in the Microsoft Windows operating system to install malicious software on the victim computers. This turned off antivirus updates and changed the way the computers resolve website addresses behind the scenes through the Internet's domain name system.

The DNS system is a network of servers that translates a web address - such as www.ap.org - into the numerical (IP) addresses that computers use. Victim computers were reconfigured to use rogue DNS servers owned by the attackers. Because the attackers controlled the answers to every lookup, they could redirect computers to fraudulent versions of any website.

The hackers earned profits from advertisements that appeared on websites that victims were tricked into visiting. The scam netted the hackers at least $14 million, according to the FBI. It also made thousands of computers reliant on the rogue servers for their Internet browsing.

When the FBI and others arrested six Estonians last November, the agency replaced the rogue servers with Vixie's clean ones. Installing and running the two substitute servers for eight months is costing the federal government about $87,000.

The number of victims is hard to pinpoint, but the FBI believes that on the day of the arrests, at least 568,000 unique Internet addresses were using the rogue servers. Five months later, the FBI estimates that the number is down to at least 360,000. The U.S. has the most, about 85,000, federal authorities said. Other countries with more than 20,000 each include Italy, India, England and Germany. Smaller numbers are online in Spain, France, Canada, China and Mexico.

Vixie said most of the victims are probably individual home users, rather than corporations that have technology staffs who routinely check the computers.

FBI officials said they organized an unusual system to avoid any appearance of government intrusion into the Internet or private computers. And while this is the first time the FBI used it, it won't be the last.

"This is the future of what we will be doing," said Eric Strom, a unit chief in the FBI's Cyber Division. "Until there is a change in the legal system, both inside and outside the United States, to get up to speed with the cyber problem, we will have to go down these paths, trail-blazing if you will, on these types of investigations."

Now, he said, every time the agency gets near the end of a cyber case, "we get to the point where we say, how are we going to do this, how are we going to clean the system" without creating a bigger mess than before.


More information: www.dcwg.org



User comments: 14

kochevnik
Apr 21, 2012
This comment has been removed by a moderator.
zbarlici
1 / 5 (3) Apr 21, 2012
BIG FREAKING DEAL!!!

http://www.evilmi...Down.htm
alfie_null
5 / 5 (4) Apr 21, 2012
Leading up to the shutdown, the FBI should turn the servers off for a day or two every so often. Wouldn't cause catastrophic failure, and guaranteed to get the attention of affected parties.
Eikka
3.7 / 5 (3) Apr 21, 2012
A paranoid person would say that there are no criminals, and that the FBI has been testing and using a DNS man-in-the-middle monitoring system for hundreds of thousands of people for some purpose or another, and now they want to get rid of it, but just shutting it down would cause a lot of people to notice that something was wrong.

It's like having the police come around to your door one day to recover the video camera "a criminal" has planted in your bookshelf.

I've had some of those ad viruses that reroute websites, and they aren't exactly subtle when you suddenly go to a porn site instead of physorg for example, and ads pop up in strange places that break the websites you visit.
sondz
3.7 / 5 (3) Apr 21, 2012
This is an interesting scam. But why doesn't the FBI configure its temporary servers to resolve all domains to the same web server which serves up basic info to victims on how to fix their PCs... Could probably provide a direct download to a demo antivirus product, and have the developers paid for the advertising privilege to cover the cost. It would be a strong marketing message: "this is the FBI, your computer has been hacked and will lose access to the internet soon, get a demo of some antivirus software to cover yo ass"
Eikka
5 / 5 (1) Apr 21, 2012
This is an interesting scam. But why doesn't the FBI configure its temporary servers to resolve all domains to the same web server which serves up basic info to victims on how to fix their PCs...

The answer is in the article:

FBI officials said they organized an unusual system to avoid any appearance of government intrusion into the Internet or private computers.

The truth is, it might as well have been the FBI itself that did the whole thing, so they're treading very carefully to not give that impression to anyone. What would you think if you suddenly got the FBI logo on your screen that said "Your computer was hacked, but it wasn't us. Honestly!"
PoppaJ
3 / 5 (4) Apr 21, 2012
To be honest I trust the FBI less than I trust the hackers. I at least know what the hackers were trying to do. And why haven't they given the software a name and passed the info on so other antivirus systems can apply a fix. This is a very suspicious move by the FBI. I suspect they are putting their own software on computers.
MandoZink
not rated yet Apr 21, 2012
If you are paranoid that the FBI themselves might be downloading something onto your computer, do this:

1) Google: "fixmydns.com/checkup2.html"
2) Open up Google's cached version of the page. That way you won't be subject to real/imagined FBI malware
3) This page lists 6 possible ranges of diverted DNS server IP addresses
4) Click on your "Start" button, then the "Run" option
5) Type "cmd" in the dialog box and hit OK. This opens a DOS command window
6) Type "ipconfig /all" at the command prompt, then hit ENTER
7) IP information will be displayed on a line starting with "DNS Server". These are your DNS settings. See if your DNS falls in one of the 6 ranges

If the address starts with "192.168", your router probably holds your DNS server IP addresses. I don't believe this suspected malware would be able to access your router's DNS setting in the first place, although it theoretically could if you never changed the default password and the malware was complex enough to probe the router
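The manual check in the comment above (run `ipconfig /all`, read the "DNS Servers" lines, compare them with the published rogue ranges, and treat a 192.168.x.x answer as "look at the router instead") can be scripted. The Python below is an added example; it is not code from the article, the FBI, the DNS Changer Working Group or the commenter. It goes a little beyond the comment: it parses the continuation lines Windows prints when an adapter has several resolvers, handles IPv6 resolvers, and reports LAN-address resolvers separately. The rogue ranges in it are constructed placeholders in documentation address space, not the real DNSChanger list, and the `ipconfig` output it parses is a constructed sample; `read_live_ipconfig` is the only part that touches a real machine.

```python
"""
Added example: script the manual check described above (run `ipconfig /all`,
find the "DNS Servers" lines, compare them with known rogue resolver ranges).
Not from the article, the FBI/DCWG or the commenter. The rogue ranges below
are constructed placeholders in documentation address space, NOT the real
DNSChanger list; substitute the published ranges before relying on this.
"""
import ipaddress
import re
import subprocess

# Constructed placeholder ranges (replace with the published rogue-resolver list).
ROGUE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# RFC 1918 space: a resolver here is usually the home router, which forwards to
# the real upstream resolver, so the router's own DNS setting must be checked too.
LOCAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of English-language `ipconfig /all` output with two adapters.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.45
                                       192.0.2.53

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Matches "DNS Servers . . . . : <first address>" (English Windows output only).
_DNS_LINE = re.compile(r"DNS Servers?[\s.]*:\s*(\S+)?")


def _as_ip(text):
    """Parse an address, dropping an IPv6 zone id such as %12; None if not an IP."""
    try:
        return ipaddress.ip_address(text.split("%")[0])
    except ValueError:
        return None


def extract_dns_servers(ipconfig_text):
    """Return every DNS server address listed in ipconfig output, in order.

    Windows prints the first server on the "DNS Servers" line and any further
    servers on following lines that contain nothing but an address.
    """
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        match = _DNS_LINE.match(stripped)
        if match:
            in_dns_block = True
            if match.group(1):
                servers.append(match.group(1))
            continue
        if in_dns_block and stripped and _as_ip(stripped) is not None:
            servers.append(stripped)  # continuation line with another server
            continue
        in_dns_block = False
    return servers


def classify(server_text):
    """'rogue' if inside a listed range, 'router' if a LAN/link-local address,
    'unparsable' if not an address, otherwise 'not_listed'."""
    addr = _as_ip(server_text)
    if addr is None:
        return "unparsable"
    if any(addr in net for net in ROGUE_RANGES):  # v4/v6 mismatch is simply False
        return "rogue"
    if addr.version == 6 and addr.is_link_local:
        return "router"
    if any(addr in net for net in LOCAL_RANGES):
        return "router"
    return "not_listed"  # absence from the list is not proof of a clean machine


def check_ipconfig(ipconfig_text):
    """Map each configured DNS server to its verdict."""
    return {server: classify(server) for server in extract_dns_servers(ipconfig_text)}


def read_live_ipconfig():
    """On a Windows host, capture the real `ipconfig /all` output (not used in tests)."""
    return subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for server, verdict in check_ipconfig(SAMPLE_IPCONFIG).items():
        print(f"{server:>20}  {verdict}")
```

A "router" verdict means the PC only knows its router's address; the router's upstream DNS setting has to be read from the router itself, which is the case the comment describes. A "not_listed" verdict only means the resolver is not in the configured ranges, so keep the range list current rather than treating it as a clean bill of health.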
Blakut
not rated yet Apr 21, 2012
"The average user would open up Internet Explorer and get `page not found' and think the Internet is broken."

There's your problem.
Cyberphobic
not rated yet Apr 22, 2012
To be honest I trust the FBI less than I trust the hackers. I at least know what the hackers were trying to do. And why haven't they given the software a name and passed the info on so other antivirus systems can apply a fix. This is a very suspicious move by the FBI. I suspect they are putting their own software on computers.

My thoughts exactly.
MandoZink
1 / 5 (1) Apr 22, 2012
To be honest I trust the FBI less than I trust the hackers. I at least know what the hackers were trying to do. And why haven't they given the software a name and passed the info on so other antivirus systems can apply a fix. This is a very suspicious move by the FBI. I suspect they are putting their own software on computers.

Ditto that! I did NOT want the FBI to scan my computer and "fix" anything!

For special case safeguards, I put together a machine from recycled computers on which I installed every useful and/or diagnostic utility I may ever want on it, and then cloned the entire OS to another drive. I can then use the cloned drive to visit any dangerous site I feel like for whatever reason (I have found a few) while my other machines are disconnected from my network. After I visit whatever site, I check out what it may have done to my system, then I wipe the entire drive and copy a fresh clone to it.
Froob
not rated yet Apr 23, 2012
From a security point of view, this is very poor advice.

Go to a web-site you've never heard of, let it examine your computer and then follow its advice telling you how to "fix" it?

You'd be better off contacting your ISP.
majisafi
not rated yet Apr 23, 2012
Correct me if I'm wrong, but the problem lies in the IPs being used. Looking into this I found there are huge lists of IPs with bad reputations, and growing hourly. DNS would be irrelevant if these were simply blocking inbound and outbound communications. This can't be done on a national level (could it?), but ISPs and sys admins could deploy such measures and render most if not all of these attacks moot. The malware has to "call home", so cut the connection? These hackers use DNS all day long, but these all lead to an IP address, right? I did a quick google search for "ip reputation" and am still looking into it...

Been a lurker for a while, but felt I would jump in with this theory.
bhiestand
not rated yet Apr 24, 2012
Ditto that! I did NOT want the FBI to scan my computer and "fix" anything!

For special case safeguards, I put together a machine from recycled computers on which I installed every useful and/or diagnostic utility I may ever want on it, and then cloned the entire OS to another drive. I can then use the cloned drive to visit any dangerous site I feel like for whatever reason (I have found a few) while my other machines are disconnected from my network. After I visit whatever site, I check out what it may have done to my system, then I wipe the entire drive and copy a fresh clone to it.

Sounds like a lot of work... why not just use an Ubuntu boot CD instead? Or a VM? Or a proper sandbox? I used sandboxie when I was running Windows...
MandoZink
not rated yet Apr 25, 2012
Sounds like a lot of work... why not just use an Ubuntu boot CD instead? Or a VM? Or a proper sandbox? I used sandboxie when I was running Windows...

Excellent advice! Those are still on my "TO DO" list. I have used Ubuntu and played with several other Linux OS's, but I used Windows (grrr) because I wanted to test a variety of freeware apps.
I have looked at VMware and am waiting for a friend to jumpstart me on that. I downloaded Sandboxie, but haven't gotten around to installing it.

The real reason - since I backed up copies (clones) of several of my machines' OS's after setting them up the way I wanted, it became very easy to just reuse an OS copy on one machine. I have a network full of different-use machines I built (and maxed out) using local recycled computers. Two are just for streaming Netflix.

Sandboxie was gonna be my next project.
