Browsing the Internet involves a certain degree of risk. The sharp increase in commercial transactions online has also increased the risk of losing confidential information such as passwords and bank account PIN numbers.
The latest attack on users, christened ‘Malware Monday’, has bas been a culmination of security threats that were triggered in 2011. These threats were caused by a malicious software (malware), DNS Changer, that worked at redirecting Internet users to bogus or harmful websites instead of their intended destinations.
DNS lookup
Browsing websites is in many ways comparable to making a telephone call. The first step in Internet browsing is ‘DNS lookup’. DNS (Domain Name System) lookup is analogous to us referring to the telephone directory for people and their contact numbers. Just as names are related to particular telephone numbers, when Internet users try to access a specific website, the specific URL (Uniform Resource Locator) of the website has to be related to the Internet Protocol (IP) address of the server hosting the Web content. Numeric IP addresses are convenient for computers in the network to work with.
Mapping URL to IP addresses makes our browsing experience smoother. Remembering Facebook.com, for instance, is easier than 69.171.224.37, which might be the IP address of the servers hosting the content.
Continuing with the telephone call analogy, spurious entries in the telephone directory would result in ‘wrong’ or undesirable calls. Likewise, if DNS lookup is contorted, beguiling users may send requests to a false DNS server. Then based on the spurious entries on the fake DNS servers, connections would be established on websites unsought by users.
A botnet (network of harm-intending computers) operated by Rove Digital, released one such DNS settings-altering malware — the DNS Changer. It infected thousands of computers by altering their DNS settings, leading to ‘click high-jacking’. While the jargon click hijacking might seem movie-like, it is a common menace and can be used to direct users to seemingly innocuous pages, where sensitive user information such as passwords can be extracted or even unwarranted remote access to computers can be gained.
Clean-up
Because this malware infected thousands of computers across the world, six Estonian nationals and one Russian computer engineer running Rove Digital were arrested in an Federal Bureau of Investigation-driven ‘Operation Ghost Click’ on November 9, 2011.
The DNS settings alteration unleashed by the malware had repercussions until last week. The FBI had set up two interim DNS servers with accurate DNS entries. These servers were also being used to collect information and sort out problems on infested computers.
On July 9, 2012, at the expiry of a court order, the FBI had to shut down these interim DNS servers and it was referred to as ‘Malware Monday’. The steps to detect, correct and prevent such attacks have been put up on the website of the DNS Changer Working Group at www.dcwg.org. Even Google and Facebook displayed messages on hosts, which were found to be infected by this malware. In case there were hosts that had not rectified these problems, they would be Internet-less because DNS lookup would fail.
For a secure system
DNS changer, like malware, is becoming plentiful with increasing number of Internet users. Securing computers locally, as a first step, by users themselves is the best way to stay safe. Running the latest operating systems with adequate security patches and using standard Web browsers with latest updates will set the platform right, and caution will reduce the risk of such attacks.
