DNS Changer: Cyber Criminals, Internet Access And The FBI
MR. KOJO NNAMDI
From WAMU 88.5 at American University in Washington welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. Later in the broadcast, an Olympic gold medalist talks about heading to London this time as coach of the U.S. track and field team. He'll also explain why the University of Maryland is struggling to keep its track team where he is also coach. But first, headlines were calling it the great internet blackout of 2012.
MR. KOJO NNAMDI
They labeled it Doomsday, but yesterday on the date the FBI feared thousands of Americans would lose access to the internet, well, virtually nothing happened. So was the threat overblown, not worth the hype or did effective planning by the FBI and others prevent a massive problem from occurring nationwide?
MR. KOJO NNAMDI
Most importantly what should we do the next time a gang of cyber-criminals is arrested and we find that they've hijacked the computers of hundreds of thousands of Americans? We thought it was time to ask some experts that question and have them explain what's been going on behind the scenes.
MR. KOJO NNAMDI
So joining us in studio is Johannes Ulrich. He is a network security researcher who heads up the SANS Internet Storm Center, an early warning system which monitors internet threats from foreign network administrators and security professionals. Johannes Ulrich, thank you for joining us.
MR. JOHANNES ULRICH
Thank you for having me, Kojo.
Also in studio with us is David Hoelzer. He is a computer security specialist and senior faculty member with the SANS Technology Institute. David Hoelzer, thank you for joining us.
MR. DAVID HOELZER
If you've got comments or questions about this event, you can call us at 800-433-8850. Were you affected by it in any way? Did you have trouble accessing the internet yesterday or did you get notification from Facebook, Google or your internet service provider that your computer was infected? Call us at 800-433-8850. Send us email to email@example.com. Send a tweet @kojoshow or you can go to our website, kojoshow.org, and ask a question, make a comment there.
Johannes headlines today implied that this threat was overblown, that the problem of the DNS Changer virus was more hype than reality. But I'm betting you'd call this whimper maybe a great success for the FBI.
It is a great success for the FBI initially as somewhere between two and four million hosts were infected by this particular malware. About 90 percent of them have been cleaned up because the FBI worked with ISPs, with companies like Google and Facebook to notify as many as possible of these infected hosts.
So four million were initially infected?
That's what the initial data indicated, anywhere between two and four million. At that number, it's not so easy to really pin it down to one or two hosts.
The credit for success goes apparently not just to the FBI, but as you mentioned, to Google and Facebook and others. How did they work together, David?
Well, the idea behind this particular threat was that it reconfigured computers to go to some compromised and otherwise illicit DNS servers so that you would confuse your computer into giving you bad information. What these organizations worked together to do was to replace the DNS servers that this company had put out, but also within ISPs and other organizations begin to alert you if they were detecting that you were trying to get to them or getting information from those servers and ending up at their sites.
DNS, of course, is the acronym for Domain Name Server, correct?
Yes, that's right.
Before we go any further, let's get the basics out of the way. It's my understanding that this problem originated with a criminal gang in Estonia broken up by the FBI last fall. What was this gang trying to do? This time I'll start with you, David.
Well, there is an organization that made its money through marketing, which is, you know, a lot of us do that, but they had this criminal element involved and they had this great idea. If we're going to get paid for every time someone goes go to one of the marketing ads that we've got on a website, if we can convince more people to go there without them knowing, we'll make even more money.
So by replacing the DNS records in computers, they can convince you to ask them where to find Google and Facebook and whoever else and now stand in the way and start giving you those ads and they start making more money.
800-433-8850 is the number to call. Were you affected by this in any way and did you have trouble accessing the internet yesterday? Call us at 800-433-8850. We're talking with David Hoelzer. He is a computer security specialist and senior faculty member with the SANS Technology Institute and Johannes Ulrich, network security researcher who heads up the SANS Internet Storm Center, which is an early warning system that monitors internet threats for network administrators and security professionals.
The FBI considered shutting down these servers immediately, it's my understanding, anyway, but decided not to. Why not?
If the FBI would have shut down the servers right away, then all of these two or four million users would have lost access to the internet right away. So this is why the FBI asked the federal judge to give them permission to actually take over this DNS server and then together with these ISPs, with the DNS Changer Working Group which was founded to fight this particular piece of malware, they went ahead and replaced that malicious DNS server with one run by that group.
Is this the first time that the U.S. government has coordinated such a big fix? How does it compare to previous threats or Y2K for that matter?
Well, there have been some instances where the government has acted in such a way, but not usually in such a broad way where it affects so many people. Usually, it's in defending the U.S. government itself, but in this particular case, it really was a wonderful response because in addition to these people no longer being able to get access to the internet, the other reason it was so important to step in there is that in almost every case, these computers are infected with all kinds of other malware. So if they simply fix their DNS problem when they lost the internet, there would still persist a tremendous problem of all of these millions of infected computers.
Ulrich, I mean, Johannes, tell me a little bit about the legal process that the FBI had to get involved in in order to get permission to do this.
Well, the FBI doesn't own the internet so the FBI can't come in and just take your DNS server from you. Just like when they seize anything else, they need permission from a federal judge to actually get access to that property, in this case the DNS server. So the federal judge here gave the FBI permission originally until March to run this DNS server.
In March, the FBI decided there were still too many people infected. They got an extension until yesterday to continue to operate that DNS server. So it was a very open and legal process the FBI went through. In the past, actually Microsoft has done similar things for other malware. So Microsoft, as a private company, went to a judge and asked for permission to, for example, take over host names and other servers that were threatening Microsoft customers.
Here is Victor in Woodbridge, Va. Victor, you're on the air. Go ahead, please.
My question is we all too much rely on Microsoft antivirus software. What the installation of the latest version of Ubuntu would help. That's Ubuntu. Yeah, a friend of mine from Ukraine said when you install Ubuntu -- you know what I'm talking about, an operational system? You practically forget about the viruses and all this malware.
Is Ubuntu a Linux software system?
Yes, yes, it is.
Okay. What do you say in response to Victor's suggestion?
Well, you know, in this particular case, Ubuntu would have been a great selection, though there still actually was some potential for problems. But this particular threat, not only were Microsoft Windows systems involved, but there were some variants that even attacked Apples, which I'm a big fan of and are well known to be protected. But you aren't safe and even with Ubuntu, while it wasn't vulnerable directly to this particular threat, if it infected a machine on the local network could have potentially also even compromised your little home router and convinced that to send you to the wrong place.
So while the Ubuntu would have been nice, in this case it's not a surefire protection because there are other issues that you can run into there.
I just want to point out that every day we not only have these Windows viruses and Windows malware that makes the news, but there are also thousands of servers that are being infected that are running Ubuntu and other versions of Linux. They're just affected by different attacks than your Microsoft operating system.
On to Andrew in Washington, D.C. Andrew, your turn.
Hey, I did get hit with a pretty bad virus yesterday. It didn't do what you guys were explaining. It messed with my registry and re-routed a lot of the ports on my computer I use that connect to the internet in various ways. I did a registry clean and everything worked out fine. I got rid of it, but I was wondering if that's what it was supposed to do. Are the two things connected? It seems rather coincidental that something big was supposed to go down yesterday as I got hit.
You know, it's true that this particular threat can make changes to the registry. It's one of the ways that it attacks things. But with what you're describing, if you weren't seeing that your data itself was being re-routed to the wrong place, it may not have been this threat.
But even what you've done, while that's excellent, cleaning the registry, if you talk to most people who are in the computer security field, we would recommend that if you end up infected in some way, these things are so pernicious and so difficult to track down today, the best thing possible is to have made sure you already have your data backed up, rebuild that computer and then bring your data back in because it is so hard to tell that it's really gone.
So what exactly do I need to understand about my own computer's DNS server, for those who may still be worried about this?
Well, the DNS server, the DNS system is really the phone book of the internet. If you're typing in a name like google.com in your browser, your browser needs to know what's the numeric address that is associated with that particular name. So what typically happens in a normal configured system your ISP provides a DNS server that will then be used by your browser to make that conversion.
And in this case, they put in a malicious DNS server that would actually give you the bad number back instead of the right number.
Andrew, thank you very much for your call. We got an email from Mike in Bedford, Md. "Assuming we, as computer users, are diligent about installing patches and updates to our operating system, does that make us less vulnerable to things like this DNS Changer virus and what else should we be doing? Dave?
It does make us less vulnerable, but we need to understand too that there's lag time between the time that these things are discovered and the time the manufacturer develops a patch and then lets us know that there's a problem. So it also involves just being wise about how you use the computer. If you're going to go to a site that's offering to install something on your computer so that you can see the dancing bears, you have to ask yourself if you really need to see those bears.
Johannes, what is the takeaway from this experience? Should we expect to see more collaboration between the FBI and private sector internet service providers in the future?
I would hope we'll see more of that collaboration because I think it's important to get the message out and get these systems cleaned up. I think they did an excellent job there. They learned a lot during that entire event. For example, one of the problems is how do you actually, as a user, know that a warning message is authentic?
One thing we have seen a lot in the last year is where criminals now take advantage of this and they may show you a banner that you're infected and trick you into installing malware, which goes to the prior caller, you could have all the antivirus you want, you could have all the patches. If you install software willingly, there is no patch for that. So these are some of the issues that have to be worked out. How do you actually know that a warning like this is authentic?
Any advice you'd like to give, David Hoelzer, in that regard?
Yeah, even just thinking about what Johannes was saying, some have wondered, well why did it take so long for them to clean this up? I mean, we even had to get the extension. Well, what he says is exactly right. If you now get an email from your internet service provider saying, hey we've detected you're infected, how do you know you should trust that? We don't know who to trust. So instead it took so long because they actually have to reach out individually and call these people, talk and convince them they're the ISP.
So again it comes down to just thinking about what you're doing, making sure that you have a way of knowing that you're doing the right thing and who you're actually talking to.
And just a quick side note here, we also announce the criminals that call users. So you may get automated phone calls that tell you you're infected and that trick you into going to a URL and install malware.
Johannes Ulrich. He is a network security researcher who heads up the SANS Internet Storm, an early warning system that monitors internet threats for network administrators and security professionals. Johannes, thank you for joining us.
David Hoelzer is a computer security specialist and senior faculty member with the SANS Technology Institute. David, thank you for joining us.
We're going to take a short break. When we come back, an Olympic gold medalist talks about heading to London as coach of the U.S. track and field team even as he explains why he's struggling to keep the men's track team where he coaches at the University of Maryland. We'll talk with Andrew Valmon. I'm Kojo Nnamdi.
Transcripts of WAMU programs are available for personal use. Transcripts are provided "As Is" without warranties of any kind, either express or implied. WAMU does not warrant that the transcript is error-free. For all WAMU programs, the broadcast audio should be considered the authoritative version. Transcripts are owned by WAMU 88.5 FM American University Radio and are protected by laws in both the United States and international law. You may not sell or modify transcripts or reproduce, display, distribute, or otherwise use the transcript, in whole or in part, in any way for any public or commercial purpose without the express written permission of WAMU. All requests for uses beyond personal and noncommercial use should be referred to (202) 885-1200.