Monday, July 9, 2012

Malware Threat to Internet Corralled

Service Providers Are Set to Aid Customers, but Little Disruption Is Expected


WASHINGTON—The malware threat to the Internet likely has been tamed.
Leading Internet-service providers said Sunday that they had moved to ensure that computers infected with malware left behind by a hacking spree that started in 2007 continue to access the Internet normally, and expect relatively few Internet users to face a disruption.
Since November the Federal Bureau of Investigation has authorized the operation of servers to allow infected computers to run normally, but those servers were scheduled to go offline at midnight.
Comcast Corp. has reached out to customers with infected machines. Verizon Communications Inc. plans to link those who lose connectivity to the Internet with technicians who can remove the malware. And AT&T Inc. said it has taken steps to make sure none of its customers lose their Internet connections.
[Photo: A Web page used to diagnose whether a malware problem exists. Credit: DCWG/Associated Press]
Officials from the companies played down the threat, and some cybersecurity experts said computer antivirus programs and updated operating systems have cleaned most infected computers. The FBI estimated that 64,000 computers were affected.
Tom Kellermann, vice president of cybersecurity at Trend Micro, an Internet-security firm, warned that service providers won't be able to help all of their users. "This is a real thing," he said.
The malware, which cybersecurity experts said had once infected millions of computers, was created by a group of hackers to route computers attempting to visit legitimate websites to look-alike alternatives. Last year, the FBI's "Operation Ghost Click" shut down the ring and indicted six Estonians and one Russian for their involvement in the malware scam.
The malware, however, remained on computers. The FBI obtained a court order that allowed the Internet Systems Consortium, a nonprofit group that supports parts of the Internet's infrastructure, to maintain "clean" servers. But those servers will stop running Monday, leaving it to Internet-service providers to help users scrub the malware from their computers.
The Estonian group's manipulation of Internet addresses was a particularly clever and insidious way to hijack computers, cybersecurity experts say.
"Domain-name translation is considered part of the network infrastructure, and so it is interesting that the infrastructure itself is now being targeted," said Sami Saydjari of Cyber Defense Agency, a security consulting firm. "We can expect to see more of this in the future."
Mr. Kellermann said the Estonian group represented a new kind of dangerous hacker. "They provide hacking as a service to the highest bidder," he said. "They are mercenaries for hire."
Officials at the FBI's Washington headquarters and New York field office didn't reply to requests for comment Sunday.
Other experts said the next attack on the domain-name system by a similar criminal group could be worse. "We should treat this as a bit of an exhibition game," said Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University. "We had time in this case. Steps were taken, which we won't necessarily have in a no-notice kind of attack in the future."
Internet-service providers emphasized that they believe only a small number of computers in the U.S. remain infected. Comcast has called and emailed customers that the company believes have infected computers, said Charlie Douglas, a company spokesman. "We feel pretty confident that it will be a tiny, minuscule fraction of our customers who will be affected when they unplug that server," he said.
Mark Siegel, a spokesman for AT&T, said the company plans to redirect infected computers to the proper websites. "We will operate legitimate domain-name servers through the end of the year, and that will give the very, very small number of customers whose computers may be affected time to remove it from their computer and avoid any service interruption," he said. "They will not be cut off."
Harry Mitchell, a Verizon spokesman, said the company will give its customers step-by-step instructions on how to rid their computers of the malware, or link them with contractors who can offer professional assistance to clean the infected machines.
Since the ring was indicted, the FBI has offered a website for consumers to check whether their computers were infected. Some voices on the Internet have warned of an FBI conspiracy. But Internet-security experts said there was little likelihood that the FBI was using the servers it had maintained after busting the crime ring to track Internet usage; they also said there was little possibility that the FBI was using its antimalware site for other than its stated purpose.
"That would be incredibly stupid and easily detectable by the technical community," said Cyber Defense Agency's Mr. Saydjari.
—Shira Ovide contributed to this article.
Write to Julian E. Barnes at julian.barnes@wsj.com and Daniel Lippman at daniel.lippman@dowjones.com
A version of this article appeared July 9, 2012, on page B3 in the U.S. edition of The Wall Street Journal, with the headline: Malware Threat to Internet Corralled
