Operation Ghost Click

[Baddcog]

Looks like Hackers in Estonia figured out a way to re-route a ton of internet services across the globe to route through their servers so they could profit from the ads generated.

 

http://www.huffingtonpost.com/2012/04/20/hundreds-of-thousands-may-lose-internet-in-july_n_1441260.html

 

There's a link that can tell you if you are infected. It says the most (per country) were about 85,000 USA users.

 

It also says that if you are infected and don't clean your computer before July when the FBI shuts down the server they set-up to continue traffic until everyone was clean then you will completely loose internet service.

 

 

My connection came up 'green', ie: not infected. Interesting story nevertheless.

[jaxa]

Clean. Thanks for the heads up.

[Melan]

Something seems iffy about it, especially the "you will completely lose internet service" part, which has all the hallmarks of sensationalist media scaremongering. Just a hunch, although my computer came up all right.

Edited April 21, 2012 by Melan

[ungoliant]

I think I could tell if my shit was being routed through estonia from the US because my latency would be absolutely godawful. To lose internet service completely would pretty much imply that absolutely all of your traffic is being routed. and if this was wide-spread you'd think the congestion and bottlenecking would get pretty extreme. I'm not sure I believe any of this, and I'm not running whatever 'scan' is on that link. Besides, routing is a router problem. Once my traffic is passed off beyond my default gateway (my personal router), the route becomes somebody elses problem. This doesn't seem like a problem that endusers should be concerned with if its legit, unless its a total browser hijack.

Edited April 21, 2012 by ungoliant

[Tels]

Something seems iffy about it, especially the "you will completely lose internet service" part, which has all the hallmarks of sensationalist media scaremongering. Just a hunch, although my computer came up all right.

 

The media protraied it wrong. They didn't route everything through their servers, they just changed your DNS.

 

DNS is the system where your computer looks up names (like forums.darkmod.com) to IPs (e.g. 1.2.3.4) because everything actually works underneath with the IP.

 

The malware in case changed your DNS server entry, so that instead using the one of your provider, or google or whatever, it used the rogue one.

 

The FBI seized the servers and set up replacements that return the real IP again, but now have the problem they can't switch it off, because everyone who hasn't yet cleaned their computer will have no DNS after the switch off. And no DNS effectively means no internet for most users.

 

(Imagine that instead of having a by street navigation, you can only navigate to places by entering the number that the local office for land uses allocated the home owner - that would mean you effectively lose your navigation even tho technically, it still works.)

 

@ungoiant: No you wouldn't. See above.

[ungoliant]

Didn't even think of that. seems legit, but I'd still expect a higher initial latency that would give it away, (maybe an extra second or 2) waiting for an initial response to a query. I wonder which websites they cloned that tricked all those people.

Edited April 21, 2012 by ungoliant

[Tels]

Didn't even think of that. seems legit, but I'd still expect a higher initial latency that would give it away, (maybe an extra second or 2) waiting for an initial response to a query. I wonder which websites they cloned that tricked all those people.

 

The latency difference between Estonia and New York is very small, and depending on where you sit (e.g. near Estonia), it might even be faster quering a server in Estonia than one in New York. Also, quering DNS is quite fast and heavily cached, so you are unlikely to notice any changes.

 

Don't know which things they cloned, but I think it was just the ads (and these load very slow, anyway) and maybe some login pages (to get the passwords from people).

[ungoliant]

I think it was just the ads

 

If that's the case, I have more sympathy for them, not to pry open the subject of internet advertising ethics or lack-thereof.

Still, forcing dependency on their own servers is pretty douchebaggerous.

[STiFU]

Shouldn't you receive a new DNS Server through DHCP from your provider, once you lost connection to your current one? Or does that virus or whatever it is simply prevent DHCP requests?

[stumpy]

am not affected but yesterday there was a flash cookie for firefox that took control of firefox and instead of opening windows in a new window or in the same pane it opened in a new tab instead and put the window there, even thou I have tabs turned off in options.

 

deleting the cookie fixed the problem.

 

I think the system is different in the uk anyway, we have to log into the isp server first before we get access to the internet, so its the dns settings on the isp server that needs to be checked. cos for me there's a dns address in my computer then a dns address in my router and the next dns address is my isp server address. on another note this system screws up windows live thou which is expecting to find two dns adresses and not three.

Edited April 21, 2012 by stumpy