Share This

Showing posts with label FBI. Show all posts
Showing posts with label FBI. Show all posts

Tuesday, 15 October 2024

GT Exclusive: Latest report shows US cyber weapon can ‘frame other countries’ for its own espionage operations

China's National Computer Virus Emergency Response Center on Monday released its latest report on Volt Typhoon, once again exposing cyber espionage and disinformation operations conducted by US government agencies, including a US cyber weapon that can mislead investigation and frame other countries for its own cyber espionage activities. 

This is also the first time for the center to release the report in multiple languages, including Chinese, English, French, German and Japanese. 

The Monday report is the third report on Volt Typhoon released by National Computer Virus Emergency Response Center and National Engineering Laboratory for Computer Virus Prevention Technology. It further disclosed the cyber espionage operations targeting China, Germany and other countries which were launched by the US and other Five Eyes countries. 

On May 24, 2023, the cybersecurity authorities from The Five Eyes countries, 
the US, the UK, Australia, Canada and New Zealand, issued a joint cybersecurity advisory, claiming that they had discovered cluster of activity of interest associated with a "China state-sponsored cyber actor," known as Volt Typhoon, and these activities "affected networks across US critical infrastructure sectors."

On April 15 and July 8, the National Computer Virus Emergency Response Center, National Engineering Laboratory for Computer Virus Prevention Technology and 360 Digital Security Group jointly released two investigation reports disclosing the US government's narrative regarding Volt Typhoon is purely a fabrication crafted by the US. The two reports also expose how US government agencies, in order to maintain control over the so-called "warrantless surveillance rights," conduct indiscriminate monitoring of global telecommunications and internet users. This is done to enable related interest groups to gain greater political and economic benefits by fabricating nonexistent Chinese cyberattack threats. The nature of the event resembles a "house of cards" conspiratorial swindling campaign scheme targeting the US Congress and taxpayers.

"After we released the reports in April and July on Volt Typhoon, more than 50 cyber security experts from US, Europe, Asia and other countries and regions have contacted us through various ways. They believed that the US government and Microsoft have attributed Volt Typhoon to Chinese government without any concrete evidence, and they also expressed concern about the US government's fabrication of Volt Typhoon," a research fellow from the National Computer Virus Emergency Response Center told the Global Times on Monday. 

Secret weapons

The US is the world's largest arms dealer and its cyber weapon arsenal is not only large in scale, but also sophisticated in function. Previously, the National Computer Virus Emergency Response Center publicly disclosed multiple types of cyber weapons which were developed by the National Security Agency (NSA) and Central Intelligence Agency (CIA).

The Monday report unveiled information on a customized stealth "toolkit" codenamed "Marble" that the US agencies have developed to cover up their Computer Network Exploitation (CNE) operations, mislead attribution analysis and shift the blame on other countries. 

The toolkit is a framework that can be integrated with other cyber weapon development projects, assisting developers to obfuscate various identifiable strings in program code, effectively "erasing" the "fingerprints" of cyber weapon developers, according to the report.

For a long time, the US has kept pushing a "Defend Forward" strategy in cyberspace, and implement the "Hunt Forward" operations, which means to deploy cyber-war forces in the surrounding areas of adversary countries to conduct close-in reconnaissance and network penetration. In order to satisfy those tactical needs, the toolkit "Marble" was developed, said the anonymous researcher. 

The framework also has a "dirty" feature, which is the ability to insert strings in other languages at will, such as Chinese, Russian, Korean, Persian, and Arabic. This is intended to mislead investigators and defame China, Russia, North Korea, Iran, and Arab countries, said the researcher. 

By tracing and analyzing the source code and comments of "Marble" framework, researchers also found that it has been identified as a secret weapon development program, which is not allowed to share with any foreign country, starting no later than 2015. This secret weapon was tailored by US intelligence agencies for themselves, and was even kept a secret from the so-called ally countries. 

Recent findings in the report have once again highlighted who poses the greatest threat to global cyberspace security. The US government not only disregards the report but also continues to disseminate false information about Volt Typhoon, said Chinese Foreign Ministry spokesperson Mao Ning on Monday. China condemns US' irresponsible actions and urges it to immediately cease its global cyberattacks and stop using cybersecurity issues to slander and malign China, Mao said.

 'False flag' operation 

A "False Flag" is a deceptive act or operation carried out to make it appear as if it was conducted by another party. According to the report, the "Marble" framework fully exposes the indiscriminate and bottomless cyber espionage activities around the world carried out by US intelligence agencies, and their conspiracy to mislead investigators and researchers through "false flag" operations, so that to frame "adversary countries."

The anonymous researcher said that in conjunction with previous investigation findings, the hackers from US cyber forces and intelligence agencies disguise themselves like chameleons in cyberspace, pretend to come from other countries to carry out cyberattacks and espionage activities around the world, and pouring dirty water on non-ally countries of the US.

The report also noted that the "False Flag" operation is actually an important component of the US intelligence agency's "EFFECTS Operation," known as the "Online Covert Action" in the UK. The secret documents from the US and Five Eyes Alliance show that, the "EFFECTS Operation" includes two broad categories, "Information Operations" and "Technical Disruption Operations." 

The Internal documents of the US and Five Eyes Alliance clearly indicate that the implementation of this "EFFECTS Operation" must adhere to four main principles, which are "Deny," "Disrupt," "Degrade," "Deceive." And these four main principles precisely cover all the core elements of the Volt Typhoon operation, said the report.

Subsea cable tapping sites

According the top secret files of NSA, the US has been controlling the world's most important internet "choke points," such as the Atlantic and Pacific subsea cables, constructing at least seven full-traffic tapping sites. All these sites are operated by NSA, FBI and NCSC from UK. Each packet through the sites is being intercepted and deeply inspected indiscriminately, according to the report. 

The US National Security Agency is not content with merely focusing on the specific areas covered by submarine cables, and the data intercepted by these surveillance systems falls far short of meeting its intelligence needs. Therefore, the US has conducted CNE operations on specific targets located in the "blind spots" of its surveillance systems.

Top secret documents from the NSA show that the Office of Tailored Access Operation (TAO) of NSA has launched massive CNE operations around the world and implanted more than 50,000 spyware implants. Victims are mainly concentrated in Asia, Eastern Europe, Africa, the Middle East and South America. The internal documents of the NSA showed that almost all major cities in China are within the scope of NSA's operations, a large number of entities and their network assets have been compromised, said the report. 

Spying on 'allies'

The report also cites instances of the US conducting surveillance on countries such as France, Germany, and Japan. 

The anonymous researcher said US intelligence agencies have established a large-scale global Internet surveillance network, providing a large amount of high-value intelligence to the US government agencies, which offers the US government great advantage in the diplomatic, military, economic, scientific and technological fields. The US government and its intelligence agencies could put anyone on the "list" of monitoring. 

For example, from 2004 to 2012, the US carried out a long-term espionage operation against France, monitoring the movements of the French government on policy, diplomacy, finance, international exchanges, infrastructure construction, business and trade. Some important intelligence was authorized by the US to be shared with the other "Five Eyes" countries. This shows that the countries of the "Five Eyes" alliance are also beneficiaries of US espionage operations.

A 'snooper' in cyberspace

The report said that the US global Internet surveillance programs and stations are like ubiquitous "snoopers" in cyberspace and steal user data from the global internet in real time, and this eavesdropping capability has become an indispensable foundation of the US efforts to build the "Empire of Hacking" and the "Empire of Surveillance."

To maintain such a huge surveillance program, the annual funding budget is quite huge, and with the explosive growth of internet data, the demand for funding is bound to "rise." This is also one of the main reasons why the US government conspired with its intelligence agencies to plan and promote the Volt Typhoon operation, said the report.

Over the years, the US government has kept politicizing the issue of cyberattack attribution in a way that serves its own self-interests. Some companies, such as Microsoft and CrowdStrike, have been influenced by the desire to appeal to US politicians, government agencies and intelligence agencies, as well as to enhance commercial interests. They kept using a variety of names with geo-political features to describe the hacking groups in the absence of sufficient evidence and rigorous technical analyses, such as "Typhoon," "Panda" and "Dragon." 

In its last part, the report said that the international communications in cybersecurity industry is vital as the geopolitical landscape is growing increasingly complex and cybersecurity requires extensive international collaboration. 

"We look forward to seeing that all cybersecurity firms and research institutes will keep focusing on the research of cybersecurity threat prevention technology and how to provide users with higher-quality products and services, which will then keep the internet developing in a healthy way along with the progress of human society," said the report.


https://www.cverc.org.cn/head/zhaiyao/futetaifeng3_CN.pdf
https://www.cverc.org.cn/head/zhaiyao/futetaifeng3_EN.pdf
https://www.cverc.org.cn/head/zhaiyao/futetaifeng3_FR.pdf
https://www.cverc.org.cn/head/zhaiyao/futetaifeng3_JP.pdf
https://www.cverc.org.cn/head/zhaiyao/futetaifeng3_DE.pdfSource link

Related posts:

Saturday, 22 June 2013

No privacy on the Net !

Revelations about PRISM, a US government program that harvests data on the Internet, has sparked concerns about privacy and civil rights violations. But has there ever been real privacy and security on the WWW?

 Demonstrators hold posters during a demonstration against the US Internet surveillance program of the NSA, PRISM, at Checkpoint Charlie in Berlin, Germany, ahead of US President Barack Obama’s visit to the German capital.

IMAGINE a time before email, when all your correspondence was sent through the post. How would you feel if you knew that somebody at the post office was recording the details of all the people you were corresponding with, “just in case” you did something wrong?

I think quite a few of you would be upset about it.

Similarly, some Americans are furious over revelations made about a system called PRISM. In the last few weeks, an allegation has been made that the US government is harvesting data on the Internet by copying what travels through some of its Internet Service Providers.

The US Director of National Intelligence has said that PRISM “is not an undisclosed collection or data mining program”, but its detractors are not convinced that this doesn’t mean no such program exists.

I think there are mainly two kinds of responses to this revelation: “Oh my God!” and “What took them so long?”.

The Internet has never really been secure. Because your data usually has to travel via systems owned by other people, you are at their mercy as to what they do with it. The indications are that this is already being done elsewhere.

Countries such as China, India, Russia, Sweden and the United Kingdom allegedly already run similar tracking projects on telecommunications and the Internet, mostly modelled on the US National Security Agency’s (unconfirmed) call monitoring programme. For discussion, I’ll limit myself for the moment to just emails – something that most people would recognise as being private and personal.

I find many people are surprised when I tell them that sending email over the Internet is a little bit like sending your message on a postcard. Just because you need a password to access it, doesn’t mean it’s secure during transmission.

The analogy would be that your mailbox is locked so only you can open it, but those carrying the postcard can read it before it reaches its final destination. Of course, there are ways to mitigate this. One has to be careful about what one put in emails in the first place. Don’t send anything that would be disastrous if it were forwarded to someone else without your permission.

You could also encrypt your email, so only the receiver with the correct password or key could read it, but this is difficult for most end users to do. (For those interested in encrypting emails, I would recommend looking at a product called PGP.)

The analogy holds up for other Internet traffic. It’s easy to monitor, given enough money and time. And as easy as it is for the Good Guys to try to monitor the Bad Guys, it’s just as easy for the Bad Guys to monitor us hapless members of the public.

But who do we mean by the Bad Guys? Specifically, should the government and law-enforcement agencies be categorised as ‘Bad Guys’ for purposes of privacy? Generally, the line oft quoted is “if you have nothing to hide, then you have nothing to worry about”.

Yet, I think we all accept that there should be a fundamental right to privacy, for everybody from anybody. An interesting corollary to being able to express your thoughts freely is that you should also be able to decide when and how you make them public.

The fault in relying on organisations that say “trust us” isn’t in the spirit of their objectives, but in how the humans in them are flawed in character and action.

An example quoted regularly at the moment is how the FBI collected information about Martin Luther King because they considered him the “most dangerous and effective Negro leader in the country”.

One way of defining the boundaries are by codifying them in laws. For example, the Malaysian Personal Data Protection Act prohibits companies from sharing personal data with third parties without the original owner’s consent.

However, this law explicitly does not apply to the federal and state governments of Malaysia. Another clause indicates that consent is not necessary if it is for the purpose of “administration of justice”, or for the “exercise of any functions conferred on any person by or under any law”.

In relation to the revelations of PRISM, several questions come to mind: Can Internet traffic (or a subset of it) be considered “personal data”? Is it possible for government agencies to collect and store such data without your consent?

And if so, what safeguards are there to ensure that this personal data is accurate, is used correctly and is relevant for storage in the first place?

This should be a sharp point of debate, not just in terms of which of our secrets the government can be privy to, but also of which of the government’s information should be readily accessible by us.

True, there is so much data out there that analysing it is not a trivial task. However, companies such as Google are doing exactly that kind of work on large volumes of unstructured data so that you can search for cute kittens. The technology is already on its way.

Perhaps I am being over-cautious, but it seems a bit fantastical that people can know your deepest and darkest secrets by just monitoring a sequence of 1’s and 0’s. But, to quote science fiction author Phillip K. Dick, “It’s strange how paranoia can link up with reality now and then”.

Contradictheory
By DZOF AZMI

> Logic is the antithesis of emotion but mathematician-turned-scriptwriter Dzof Azmi’s theory is that people need both to make sense of life’s vagaries and contradictions. Speak to him at star2@thestar.com.my.

Related post:

US Spy Snowden Says U.S. Hacking China Since 2009

Sunday, 16 June 2013

Upset over US cyber spying!

There are increasingly strong reactions to revelations that United States agencies are spying on Internet use by Americans and foreigners as well as planning cyber actions on foreign targets.

 
Weekend News Round-up: US cyber spying whistle-blower revealed; is Snapchat worth US$1bn?

THE revelations of data collection on a massive scale by the United States’ security agencies of details of telephone calls and Internet use of its citizens and foreigners are having reverberations around the world.

Much of the responses have been on the potential invasion of privacy of individuals not only in the United States but anywhere in the world who use US-based Internet servers.

Also revealed is a US presidential directive to security agencies to draw up a list of potential overseas targets for US cyber-attacks.

This lays the Unites States open to charges of double standards and hypocrisy: accusing other countries of engaging in Internet snooping or hacking and cyber warfare, when it has itself established the systems to do both on a mega scale.

The revelations, published in the Guardian and Wall Street Journal, and based on a leak by a former US intelligence official, include that US security agencies have access to telephone data of Verizon Communications, AT&T and Sprint Nextel, as well as from credit card transactions.

They also can access data from major Internet companies – Google, Yahoo, Microsoft, Facebook, AOL, Apple, PalTalk, Skype and YouTube—under the Prism surveillance programme.

Millions of Internet users around the world use the servers or web-based services of the companies mentioned.

Two American citizen groups, the American Civil Liberties Union (ACLU) and the New York Civil Liberties Union, have filed a lawsuit against the US administration.

“Those programmes constitute unreasonable intrusions into American’s private lives that’s protected by the Fourth Amendment (on search and seizure),” said Brett Kaufman of the ACLU, as quoted by IPS news agency.

Governments and people outside the United States are equally upset, or more so, that they apparently are also covered by the massive US surveillance programme.

The European Union’s commissioner of justice Viviane Reding has written to the US attorney general asking if European citizens’ personal information had been part of the intelligence gathering, and what avenues are available for Europeans to find out if they had been spied on.

In China, commentators and opinion makers are citing double standards on the part of the United States.

An article in the China Daily commented that the massive US global surveillance programme as revealed is certain to stain Washington’s overseas image and test developing China-US ties.

An editorial in another Chinese paper, Global Daily, stated: “China needs to seek an explanation from Washington.

“We are not bystanders. The issue of whether the United States as an Internet superpower has abused its powers touches on our vital interests directly.”

In their summit last week in California, United States President Barack Obama reportedly pressed Chinese President Xi Jinpeng to curb cyber-spying by Chinese agencies and companies.

The breaking news about the United States snooping on Internet users must have caused some discomfort to Obama when bringing up this issue.

A Chinese Foreign Ministry spokesperson last week reiterated that “China is also a victim to the most sophisticated cyber hacking”.

Though less publicised, a part of the leaks published in the Guardian, was a 18-page directive from President Obama to his security and intelligence officials to draw up a list of potential overseas targets for US cyber-attacks.

The October 2012 directive states that what it calls Offensive Cyber Effects Operations (OCEO) “can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging”, according to the June 7 Guardian article by Glenn Greenwald and Ewen MacAskill.

The directive says the government will “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power”.

The aim of the document was “to put in place tools and a framework to enable government to make decisions” on cyber actions, a senior administration official told the Guardian.

Obama’s move to establish a potentially aggressive cyber warfare doctrine will heighten fears over the increasing militarisation of the Internet, comments the Guardian article.

It adds that the United States is understood to have already participated in at least one major cyber attack, the use of the Stuxnet computer worm targeted on Iranian uranium enrichment centrifuges, the legality of which has been the subject of controversy.

In the presidential directive, the criteria for offensive cyber operations in the directive is not limited to retaliatory action but vaguely framed as advancing “US national objectives around the world”.

Obama further authorised the use of offensive cyber attacks in foreign nations without their government’s consent whenever “US national interests and equities” require such non-consensual attacks. It expressly reserves the right to use cyber tactics as part of what it calls “anticipatory action taken against imminent threats”.

The Guardian commented: “The revelation that the US is preparing a specific target list for offensive cyber-action is likely to reignite previously raised concerns of security researchers and academics, several of whom have warned that large-scale cyber operations could easily escalate into full-scale military conflict.”

Meanwhile, UN Human Rights Council’s Special Rapporteur Frank La Rue issued a report on June 4 on the increasing use of surveillance, warning that unfettered state access to surveillance technologies could compromise human rights to privacy and freedom of expression, as protected by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights (ICCPR).

The report warned too against the use of “an amorphous concept of national security” as a reason to invade people’s rights to privacy and freedom of expression, arguing that such an invasion potentially “threatens the foundations of a democratic society”.

Global Trends
By MARTIN KHOR

Related posts:
US Spy Snowden Says U.S. Hacking China Since 2009 
New China-US relationship can avoid past traps 
Xi-Obama summit aims to boost ties, aspirations between China and USA 

US Spy Snowden Says U.S. Hacking China Since 2009

Support: Protesters shout slogans in support of former US spy Edward Snowden as march to the US consulate in Hong Kong

Video:
Director Robert Mueller says Edward Snowden has caused damage to national security.
http://www.dailymail.co.uk/news/article-2341451/Whistleblower-Edward-Snowden-smuggled-secrets-everyday-thumb-drive-banned-NSA-offices.html

 
The United States has hacked hundreds of Chinese civilians since 2009. But its favored hacking technique isn't to target individual PCs via advanced persistent threat (APT) attacks, in the manner of the Chinese military. Instead, it prefers to compromise foreign network backbones, thus potentially gaining access to hundreds of thousands of systems at once. 

 That revelation was delivered by whistle-blower Edward Snowden, until recently a contractor for the National Security Agency. He emerged from hiding Wednesday to grant an interview to Hong Kong's South China Morning Post.

"We hack network backbones -- like huge Internet routers, basically -- that give us access to the communications of hundreds of thousands of computers without having to hack every single one," he told the Post.

According to NSA documents reviewed by the Post, which haven't been verified, targets of the NSA's Prism program have included computers in both mainland China and Hong Kong. People targeted included systems at Hong Kong's Chinese University, as well as government officials, businesses and students in the region. But the Post reported that the program didn't appear to target Chinese military systems.

 [ Security standoff at recent U.S.-China summit: Read U.S.-Chinese Summit: 4 Information Security Takeaways. ]
 
According to Snowden, he learned of at least 61,000 such NSA hacking operations globally. The Post didn't specify whether those operations all allegedly occurred since 2009.

Why go public with the NSA's alleged hacking campaign? Snowden said he wanted to highlight "the hypocrisy of the U.S. government when it claims that it does not target civilian infrastructure, unlike its adversaries."

"Not only does it do so, but it is so afraid of this being known that it is willing to use any means, such as diplomatic intimidation, to prevent this information from becoming public," he said.

Snowden first arrived in Hong Kong May 20, and said that the choice of venue wasn't accidental. "People who think I made a mistake in picking Hong Kong as a location misunderstand my intentions. I am not here to hide from justice, I am here to reveal criminality," he said, noting that he planned to stay until "asked to leave." Noting that the U.S. government had already been "bullying" Hong Kong authorities into extraditing him, Snowden said that he would legally fight any such attempt.

How will Hong Kong handle Snowden's case? "We can't comment on individual cases," Hong Kong's chief executive, Leung Chun-ying, told Bloomberg Wednesday. "We'll handle the case according to our law."

Hong Kong is a special administrative region of China, and Beijing could influence the government's legal thinking. But when asked in a Thursday press conference if the Chinese government had received any requests from Washington related to Snowden's case, Hua Chunying, a spokeswoman for China's foreign ministry, said only: "We have no information to offer," reported The Hindu in India.

Snowden previously said he would prefer to "seek asylum in a country with shared values," and named Iceland. Asked to respond to a spokesman for Russian president Vladimir Putin recently saying that were Snowden to apply for asylum in his country, authorities would consider his request, Snowden replied: "My only comment is that I am glad there are governments that refuse to be intimidated by great power."

Snowden said he hadn't contacted his family since leaving the country, but feared for both their safety as well as his own. He also appeared disinclined to glorify what he'd done. "I'm neither traitor nor hero. I'm an American," he said. "I believe in freedom of expression. I acted in good faith but it is only right that the public form its own opinion."

How has China reacted to Snowden's revelations that the NSA is spying on the Chinese? Chinese foreign ministry spokewoman Hua said in a regular press conference Thursday that the government has been following the revelations of NSA monitoring detailed by Snowden, and she repeated calls from the Chinese government -- agreed to in principle at last week's U.S.-China summit in California -- to launch a cybersecurity working group to increase "dialogue, coordination and cooperation" between the two countries.

"We also think adoption of double standards," she said, "will bring no benefit to settlement of the relevant issue."

By  Mathew J. Schwartz
IT finally has its security priorities right, our annual survey shows. Also in the new, all-digital Strategic Security issue of InformationWeek: Five counterintuitive insights on innovation from our recent CIO Summit.

Related posts:
New China-US relationship can avoid past traps 
Xi-Obama summit aims to boost ties, aspirations between China and USA  

 

Sunday, 10 June 2012

Warning DNSChanger victims, check for malware!

Facebook joins Google in warning DNSChanger victims

Warnings follow decision to withdraw safety net on 9 July


Federal authorities will not seek a further extension to a DNSChanger safety net, meaning an estimated 360,00 security laggards will be unable to use the internet normally unless they clean up their systems before a 9 July deadline.

DNSChanger changed the domain name system (DNS) settings of compromised machines to point surfers to rogue servers – which hijacked web searches and redirected victims to dodgy websites as part of a long-running click-fraud and scareware distribution racket. The FBI dismantled the botnet's command-and-control infrastructure back in November, as part of Operation GhostClick.

In place of the rogue servers, a bank of duplicate machines was set up to resolve internet look-up queries from compromised boxes. This system was established under a court order, which has already been extended twice. The move meant users of compromised machines could use the internet normally – but the safety net by itself did nothing to change the fact that infected machines needed to be cleaned.

At its peak as many four million computers were infected by DNSChanger. An estimated 360,000 machines are still infected and there's no sign that further extending the safety net will do any good, hence a decision to try other tactics while withdrawing the DNS safety net, which has served its purpose of granting businesses with infected machines time to clean up their act.

Last week Facebook joined Google and ISPs in notifying DNSChanger victims‎ that they were surfing the net using a compromised machine.

"The warnings are delivered using a 'DNS Firewall' technology called RPZ (for Response Policy Zones)," Paul Vixie, chairman and founder of Internet Systems Consortium, told El Reg. "This allows infected users (who are using the 'replacement' DNS servers) to hear different responses than uninfected users (who are using 'real' DNS servers). We can control how an infected user reaches certain websites by inserting rules into the RPZ," he added.

More information – along with clean-up advice – can be found on the DNS Changer Working Group website here. ®

 By John Leyden • Get more from this author

 Newscribe : get free news in real time 

PC users urged to check for malware

PETALING JAYA: Come July 10, thousands of computers infected with the DNSChanger malware (malicious software) will be disconnected from the Internet if their users don't take some necessary steps.

The problem is that many PC users may not even know that their computers have been infected.

F-Secure Labs Malaysia security adviser Goh Su Gim explained that the United State Federal Bureau of Investigation (FBI) planned to shut down hacker-controlled servers that had been reprogrammed to prevent infected PCs from being suddenly disconnected, causing support-call chaos.

Security issue: The F-Secure response lab in Kuala Lumpur. The cybersecurity company warns that thousands of infected PCs worldwide may be affected if the DNSChanger malware is not removed by July 10.
 
The servers were temporarily reprogrammed after the arrest of six Estonians believed to have created the malware in November last year.

The servers, located in Estonia and the United States, will be deactivated on July 9 and PCs still infected with DNSChanger will not function normally as they will not be able to access these servers.

For more story in The Star Tue 14, June 2012

Wednesday, 9 November 2011

Is Your Computer Infected by DNS Malware? Seven accused in $14 million click-hijacking scam



Seven accused in $14 million click-hijacking scam

by Elinor Mills 
This graphic shows how the DNSChanger malware worked.
This graphic shows how the DNSChanger malware worked.
(Credit: FBI)
 
The U.S. Department of Justice said today that it has uncovered a large, sophisticated Internet scam ring that netted $14 million by infecting millions of computers with malware designed to redirect their Web searches to sites that generated ad revenue.

Six people have been arrested in Estonia and a Russian is being sought on charges of wire fraud and computer intrusion, the FBI said. They are accused of infecting about 4 million computers in more than 100 countries--500,000 in the U.S. alone, including NASA--with malware called DNSChanger. The malware altered the Domain Name Server settings on the computers so they could be automatically redirected to rogue DNS servers and then on to specific Web sites.



In essence, the malware hijacked the computers when certain Web searches were done, redirecting them to sites that would pay them money when people visited or clicked on ads.

"When users of infected computers clicked on the link for the official Web site of iTunes, for example, they were instead taken to a Web site for a business unaffiliated with Apple Inc. that purported to sell Apple software," an FBI statement said.

In addition, the malware would redirect infected computers searching for Netflix to a business called "BudgetMatch" and searches or the IRS to H&R Block, according to the FBI.

Defendants also allegedly replaced legitimate ads on sites with ads that triggered payments to them. For instance, they are accused of replacing an American Express ad on the Wall Street Journal home page with an ad for "Fashion Girl LA," and an Internet Explorer 8 ad on Amazon.com with one for an e-mail marketing firm.

Computers became infected with DNSChanger when they visited certain Web sites or downloaded particular software to view videos online. In addition to altering the DNS server settings, the malware also prevented antivirus and operating systems from updating, according to officials.

The defendants allegedly created companies that masqueraded as legitimate advertising publisher networks. The operation began in 2007 and ended in October with the completion of the two-year FBI investigation called "Operation Ghost Click," the FBI alleges.

The rogue DNS servers used in the operation have been replaced with legitimate servers in the hopes that infected computers will still be able to access the Internet. Owners of infected computers will need to clean the malware off their machines. People can see if their computer is infected by typing in their DNS information on this FBI Web page.

The indictment filed in the U.S. District Court of New York was unsealed today.


Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

 Newscribe : get free news in real time