WEBVTT - TechStuff Classic: TechStuff Investigates Operation Ghost Click 0:00:04.240 --> 0:00:07.240 Welcome to tech Stuff, a production of I Heart Radios 0:00:07.320 --> 0:00:13.840 How Stuff Works. Hey there, and welcome to tech Stuff. 0:00:13.880 --> 0:00:17.319 I'm your host, Jonathan Strickland. I'm an executive producer with 0:00:17.360 --> 0:00:19.800 How Stuff Works and iHeart Radio and I love all 0:00:19.960 --> 0:00:22.800 things tech, and it is time for another tech Stuff 0:00:22.880 --> 0:00:28.880 classic episode. This episode originally published on May two thousand twelve, 0:00:29.280 --> 0:00:32.400 and my former co host and editor Chris Pallette and 0:00:32.479 --> 0:00:36.360 I sat down to talk about operation ghost Click and 0:00:36.520 --> 0:00:41.360 domain name servers and this issue that was going on 0:00:41.479 --> 0:00:43.360 at the time, and I think it's pretty fascinating. It 0:00:43.360 --> 0:00:45.680 also gives you an idea of how d n S works. 0:00:46.320 --> 0:00:50.520 So I hope you enjoy this classic episode. To get there, 0:00:50.600 --> 0:00:53.560 you follow Highway fifty eight going northeast out of the city, 0:00:53.600 --> 0:00:57.639 and it is a good highway and new all right, 0:00:57.960 --> 0:01:00.400 we're talking about numbers today, yes we are. We're talking 0:01:00.440 --> 0:01:03.840 about getting to where you're going and getting diverted along 0:01:03.840 --> 0:01:07.399 the way. So, as of the recording of this podcast, 0:01:07.440 --> 0:01:11.840 which is in April, there is a story that's actually 0:01:11.840 --> 0:01:15.520 not a news story necessarily. It first started to kind 0:01:15.520 --> 0:01:18.760 of make the news way back in November of but 0:01:18.840 --> 0:01:22.000 it's kind of sort of bubbled up and It's an 0:01:22.000 --> 0:01:26.000 operation that the FBI, the Federal Bureau of Investigations, has 0:01:26.040 --> 0:01:31.360 headed up, and it all involves hacking into the Internet 0:01:31.680 --> 0:01:35.920 and uh and and messing around with Internet traffic. It's 0:01:36.040 --> 0:01:42.040 called Operation Ghost Click. That's a nice name. I always 0:01:42.120 --> 0:01:48.360 love hearing the operation names. It is a wacky doctors game. So, um, 0:01:48.400 --> 0:01:50.800 I think first, before we get into too much detail, 0:01:50.840 --> 0:01:54.000 we should probably talk about how internet traffic works. We've 0:01:54.040 --> 0:01:57.640 mentioned that on the podcast on a handful of occasions. 0:01:57.680 --> 0:01:59.920 I think when in fact we got into the domain 0:02:00.080 --> 0:02:05.000 name system DNS system or sorry that was redundant, the 0:02:05.080 --> 0:02:08.720 d N s uh no servers um well are both 0:02:08.960 --> 0:02:11.520 because DNS can can mean both, but right, right, right, 0:02:11.720 --> 0:02:14.359 So yeah, we talked about it before. And basically every 0:02:14.400 --> 0:02:20.280 website has a is um as an address, a physical address, 0:02:20.320 --> 0:02:23.680 well physical address on on a hard drive, a physical 0:02:23.680 --> 0:02:26.880 hard drive somewhere, and these numbers, there are are four 0:02:26.919 --> 0:02:31.000 sets of numbers separated by periods, and that address is 0:02:31.120 --> 0:02:36.639 unique to that UM space on that physical hard drive somewhere. 0:02:36.720 --> 0:02:39.600 And so if you typed in UM h T T 0:02:39.760 --> 0:02:43.079 P colon slash slash and these this number, you will 0:02:43.080 --> 0:02:46.040 get to a website. Of course, that's very inconvenient because 0:02:46.040 --> 0:02:47.959 then you neither have to write down these numbers or 0:02:47.960 --> 0:02:50.960 bookmark them, or you know, you have to have some 0:02:51.040 --> 0:02:54.960 sort of weird total recall thing going on where you 0:02:55.000 --> 0:02:59.600 can just easily remember any series of numbers, which would 0:03:00.240 --> 0:03:05.680 would would make you incredibly useful, but it would also 0:03:05.720 --> 0:03:07.400 make you very rare. Most of us, most of us 0:03:07.400 --> 0:03:11.359 are just not It's not something humans are particularly good 0:03:11.400 --> 0:03:14.880 at doing on average. So that is what kind of 0:03:14.919 --> 0:03:18.960 gave rise to the idea of having this domain name system. Yes, now, 0:03:19.120 --> 0:03:21.840 domain name system, what it does is it allows you 0:03:21.919 --> 0:03:27.560 to create a domain name as in words that correspond 0:03:27.639 --> 0:03:31.160 to whatever your site is, and then that itself is 0:03:31.240 --> 0:03:36.480 mapped to this series of numbers, this i P address right, 0:03:36.680 --> 0:03:40.280 the i P being Internet protocols UM, which is the 0:03:40.280 --> 0:03:43.760 the language that gets uh, you know, you from one 0:03:43.760 --> 0:03:45.960 place to another on the Internet, regardless of whether you're 0:03:46.040 --> 0:03:49.880 using a Windows machine, Mac or Linux or mobile thing. 0:03:49.960 --> 0:03:51.960 It gets you to the same place. And what allows 0:03:51.960 --> 0:03:55.200 you to type in how stuff works dot com and 0:03:55.560 --> 0:03:57.760 get to our website. Yes, so if you were to 0:03:57.800 --> 0:04:01.119 type how stuff works dot com, what have is that request? 0:04:01.520 --> 0:04:03.680 You know, you know, what you're essentially doing is you're 0:04:03.720 --> 0:04:06.800 telling your browser, I want access to this particular website. 0:04:07.720 --> 0:04:11.840 Your browser sends this message along up a chain of command, 0:04:12.600 --> 0:04:15.560 and uh, you know, it has to go out to 0:04:15.720 --> 0:04:19.400 the right computer that has the website living on it 0:04:20.040 --> 0:04:22.640 and retrieve that so that you get an instance of 0:04:22.680 --> 0:04:25.960 it back at your machine. In order to do that, 0:04:26.120 --> 0:04:29.479 it has to first map that one needs to have 0:04:29.560 --> 0:04:31.359 is the name that you're typing. It has to be 0:04:31.440 --> 0:04:36.400 mapped to that physical machine, that physical drive. Uh, and 0:04:36.480 --> 0:04:39.480 it does this by going through domain name servers. A 0:04:39.600 --> 0:04:42.200 domain name server is essentially like think of it kind 0:04:42.240 --> 0:04:45.760 of like a phone book. Yeah, so that all the 0:04:45.760 --> 0:04:48.520 different u r l s you could type in are 0:04:48.640 --> 0:04:54.640 indexed against these number numerical addresses. And then that way, 0:04:54.720 --> 0:04:57.080 once you type in the u r L, it looks 0:04:57.120 --> 0:05:02.400 for the corresponding numeric address, owls information from that that 0:05:02.440 --> 0:05:06.800 particular source, and then serves it back to you so 0:05:06.839 --> 0:05:10.080 that you get what you asked for. Well that you 0:05:10.160 --> 0:05:15.760 asked for it, you got it anyway. So, um, the 0:05:15.920 --> 0:05:19.000 whole deal here is that you are going to get 0:05:19.040 --> 0:05:23.039 the right information. Yeah, assuming that everything's working correctly, and 0:05:23.080 --> 0:05:26.839 occasionally stuff messes up. There might be uh, the computer 0:05:26.920 --> 0:05:29.640 that hosts, the site might be down, in which case 0:05:29.640 --> 0:05:31.240 you're going to get something like a four or four 0:05:31.360 --> 0:05:35.400 error because the Internet is not going to be able 0:05:35.400 --> 0:05:38.039 to find the file that you've requested. We're very sorry. 0:05:38.120 --> 0:05:41.200 The Internet is broken. The elders of the Internet called 0:05:41.279 --> 0:05:45.400 and they said, no more Internet for you. But most 0:05:45.440 --> 0:05:48.919 of the time it's gonna work just fine. However, what 0:05:49.120 --> 0:05:53.400 happened in the case of Operation ghost Click is that, uh, 0:05:53.640 --> 0:05:58.920 the FBI discovered there were some people who had created 0:05:59.000 --> 0:06:03.599 some rogue DNS servers. So, in other words, these get 0:06:03.640 --> 0:06:08.880 these folks, six Estonian nationals, according to the FBI, um 0:06:09.120 --> 0:06:13.880 got together and created these servers that acted just as 0:06:13.920 --> 0:06:17.039 a domain named server would. So in other words, it 0:06:17.160 --> 0:06:19.560 had a collection of u r l s and index 0:06:19.600 --> 0:06:22.920 of u r l s and an index of addresses 0:06:23.279 --> 0:06:26.240 numeric addresses. So it was like a fake phone book, 0:06:26.360 --> 0:06:30.200 right Exactly. Some of the entries in this fake phone 0:06:30.200 --> 0:06:35.239 book went to different phone numbers, so instead literally yeah, 0:06:35.640 --> 0:06:38.480 but we're we're sticking with the analogy, sticking with that analogy, 0:06:38.560 --> 0:06:41.760 just making so instead of the official phone number for 0:06:41.960 --> 0:06:44.920 a particular website, you would get a fake one, and 0:06:44.920 --> 0:06:46.960 it would in other words, that you would go to 0:06:47.000 --> 0:06:50.240 a fake numeric address for a real site. So you 0:06:50.320 --> 0:06:53.520 might type in the address perfect in your u r 0:06:53.680 --> 0:06:58.520 L bar. Right, So let's take a random example. Let's 0:06:58.520 --> 0:07:02.280 just say Yahoo. So you do www dot Yahoo dot com. 0:07:02.360 --> 0:07:05.560 You hit enter. Now, normally, in a regular DNS server, 0:07:05.680 --> 0:07:08.320 it would look up that you are L, look to 0:07:08.360 --> 0:07:11.800 see what the numeric address is for that you are L, 0:07:12.120 --> 0:07:14.920 send that information out, retrieve the website, and serve it 0:07:15.000 --> 0:07:18.640 up to you. A rogue DNS server would look up 0:07:18.680 --> 0:07:22.000 that u r L, look at the numeric address that 0:07:22.120 --> 0:07:25.120 was created for that u r L, But it isn't 0:07:25.320 --> 0:07:28.320 actually the address for Yahoo. It's an address for something else, 0:07:29.200 --> 0:07:32.400 and it serves that up to you. Now, why would 0:07:32.440 --> 0:07:35.000 anyone do this? There are a couple of different reasons. Now, 0:07:35.040 --> 0:07:38.200 in the case of the Estonians, and they were doing 0:07:38.240 --> 0:07:43.000 something I think that was kind of uh deviously clever. 0:07:43.920 --> 0:07:47.480 They were doing this in order to reroute traffic to 0:07:48.240 --> 0:07:52.120 break in advertising money. So in other words, what they 0:07:52.120 --> 0:07:55.119 wanted to do was the way advertising on the Internet 0:07:55.160 --> 0:07:57.600 works in general is that you get paid for a 0:07:57.640 --> 0:08:01.400 certain number of views of the ad. It's called impressions. 0:08:01.720 --> 0:08:05.960 The number of impressions and ad gets that translates to money. 0:08:06.040 --> 0:08:08.720 And if you get lots and lots and lots of impressions, 0:08:08.720 --> 0:08:11.360 you get lots of money. Um. Then in general a 0:08:11.440 --> 0:08:15.160 single impression is worth a fraction of assent. Yeah, but 0:08:15.240 --> 0:08:17.600 if you can say, hey, you know, I can promise 0:08:17.680 --> 0:08:20.840 you that five million people are going to say your ad, 0:08:21.000 --> 0:08:25.440 then you can command a good price for your services. Right, So, 0:08:25.640 --> 0:08:30.040 very popular websites can tend to charge more than sites 0:08:30.120 --> 0:08:32.800 that don't get a lot of traffic. Makes makes sense. Right. 0:08:33.120 --> 0:08:35.000 Let's say that you have a billboard next to a 0:08:35.000 --> 0:08:39.360 busy highway. The price for that billboard to to to 0:08:39.400 --> 0:08:41.520 put it out on that billboard's probably gonna be higher 0:08:41.840 --> 0:08:44.079 than a billboard that's next to a rural road that 0:08:44.120 --> 0:08:47.080 doesn't get a lot of traffic. So anyway, the same 0:08:47.120 --> 0:08:50.320 sort of logic applies on on the web. So what 0:08:50.480 --> 0:08:53.640 these guys were doing, I say guys, what these Estonians 0:08:53.679 --> 0:08:56.000 were doing because I don't know their gender, Uh, they 0:08:56.040 --> 0:08:59.480 were they were using these rogue DNS servers to reroute 0:08:59.480 --> 0:09:03.880 traffic to go to different websites and that had specific 0:09:03.920 --> 0:09:07.440 ads on them that the Estonians were administering, and then 0:09:07.480 --> 0:09:10.440 they were pulling in the money. So they were redirecting traffic. 0:09:10.480 --> 0:09:14.080 It's like putting in a detour in your route. And 0:09:14.200 --> 0:09:16.160 so you're going down your normal route to get to 0:09:16.160 --> 0:09:18.839 wherever you're going, and you see a sign that says, oh, nope, 0:09:18.840 --> 0:09:21.320 the road is out. Up ahead, take a right instead 0:09:21.360 --> 0:09:24.400 of going straight, and you will go through a different route. 0:09:24.559 --> 0:09:26.880 And along that route you decided to stop and eat. 0:09:27.080 --> 0:09:29.240 And normally you would stop and eat at your favorite restaurant, 0:09:29.280 --> 0:09:30.960 but you can't get to that one because it's on 0:09:31.000 --> 0:09:32.960 the road that's been closed. So you go to this 0:09:33.000 --> 0:09:35.560 other restaurant and it all turns out that it was 0:09:35.600 --> 0:09:38.000 employed by the other restaurant in the first place. They 0:09:38.000 --> 0:09:40.840 put that detour sign up because they wanted to get 0:09:40.880 --> 0:09:43.959 some more foot traffic or some more some more diners 0:09:44.160 --> 0:09:47.880 to come in. That was the general plan. Now, the 0:09:47.960 --> 0:09:52.040 question is how do you get that rogue DNS server 0:09:52.440 --> 0:09:55.240 to get in the line of traffic so that people 0:09:55.240 --> 0:09:57.640 will visit it in the first place. Yeah, because if 0:09:57.640 --> 0:10:00.720 you're typing in an address that you already know, say 0:10:00.760 --> 0:10:04.800 Discovery dot com, you should theoretically be routed to the 0:10:04.880 --> 0:10:07.240 right place. As long as your computer is configured correctly 0:10:07.600 --> 0:10:09.280 and the Internet is working. The way it's supposed to. 0:10:09.320 --> 0:10:10.679 I mean, what are they gonna do. Are they gonna 0:10:10.720 --> 0:10:14.920 go in and kick out the legitimate DNS machine and 0:10:15.000 --> 0:10:18.600 replace it. No, it was very clever. They created a 0:10:18.679 --> 0:10:22.319 kind of malware and the malware is essentially called d 0:10:22.520 --> 0:10:27.280 n s changer, and so DNS changer would change the 0:10:27.400 --> 0:10:31.880 DNS settings on your computer or other device or even router, 0:10:32.200 --> 0:10:35.800 which was particularly nasty because if it changed on the router, 0:10:36.320 --> 0:10:40.000 then any device that connects through that router would be affected. Also, 0:10:40.720 --> 0:10:43.760 it's unlikely that you're going to have anti virus software 0:10:44.240 --> 0:10:47.320 on your router, although you might on your computer now. 0:10:47.440 --> 0:10:49.200 The way that they did this with the router was 0:10:49.240 --> 0:10:52.400 the easiest way, and it's the easiest way for someone 0:10:52.440 --> 0:10:54.880 to prevent it from happening to them. The way that 0:10:54.920 --> 0:10:57.320 worked on the router was that they just ended up 0:10:57.400 --> 0:11:01.000 using a list of generic user and names and passwords 0:11:01.040 --> 0:11:05.960 that are that tend to be um UH administered over 0:11:06.040 --> 0:11:09.840 various routers. So you pick pick a router, like whatever 0:11:09.960 --> 0:11:13.520 router you you happen to use, that router tends to 0:11:13.559 --> 0:11:16.400 have a standard user name and standard password that you 0:11:16.480 --> 0:11:19.160 are supposed to change once you install it into your 0:11:19.200 --> 0:11:22.960 home network. But a lot of people never get around 0:11:22.960 --> 0:11:26.560 to doing that. They install the the the router and 0:11:26.600 --> 0:11:29.520 then they don't bother changing the user name and password, 0:11:29.559 --> 0:11:33.360 which means that anyone who knows what the standard user 0:11:33.400 --> 0:11:36.000 name and password is for that brand of router could 0:11:36.000 --> 0:11:39.200 get access to that network. That's what they were doing 0:11:39.240 --> 0:11:42.199 in this case. But in order to change the computers themselves, 0:11:42.600 --> 0:11:45.079 not the router, what they had to do was convince 0:11:45.160 --> 0:11:50.480 people to download some malware and execute that. Now, social engineering, yeah, 0:11:50.559 --> 0:11:53.000 lots of different ways of doing that. You know. There's 0:11:53.000 --> 0:11:57.839 the very standard way where they include some uh they 0:11:57.880 --> 0:12:00.120 put on on a website that you might encounter, or 0:12:00.400 --> 0:12:04.200 a little pop up that says, hey, your antivirus software 0:12:04.240 --> 0:12:06.360 is out of date. Install this and we will scan 0:12:06.480 --> 0:12:10.440 your computer for viruses and free, yeah, for free. And 0:12:10.480 --> 0:12:14.160 in fact it really is a virus itself that installs 0:12:14.200 --> 0:12:16.240 to your computer. You know, you think you are trying 0:12:16.280 --> 0:12:19.480 to head off some sort of malware and in fact 0:12:19.480 --> 0:12:22.320 you're actually installing malware to your computer at the time, 0:12:23.200 --> 0:12:26.040 or it can be through email attachments, you know, all 0:12:26.080 --> 0:12:30.400 the standard ways that malware propagates across the web. Any 0:12:30.480 --> 0:12:33.000 of that would work to get this this particular kind 0:12:33.000 --> 0:12:36.720 of malware onto your machine. Once you installed it, whether 0:12:36.760 --> 0:12:40.160 it was through a trojan program or whatever, it would 0:12:40.160 --> 0:12:44.640 go and reset the DNS settings on your computer, and 0:12:44.760 --> 0:12:47.320 it would direct your computer to go to these rogue 0:12:47.440 --> 0:12:52.560 DNS servers as opposed to your Internet Service providers DNS servers, 0:12:52.920 --> 0:12:55.760 because h I SP has its own right that passes 0:12:55.800 --> 0:13:00.440 the information up along the chain of command, so you 0:13:00.440 --> 0:13:03.040 would bypass your I s P S servers. You would 0:13:03.040 --> 0:13:04.920 go to these rogue servers, and then you would be 0:13:04.960 --> 0:13:08.400 directed to whatever website they wanted to direct YouTube for 0:13:08.480 --> 0:13:11.200 any particular u r L. For some u r l s, 0:13:11.400 --> 0:13:14.120 you might just get the regular website you you're sent 0:13:14.160 --> 0:13:17.719 along and nothing bad happens. For other u r l s, 0:13:17.760 --> 0:13:20.319 you might be directed to a site that looks very 0:13:20.360 --> 0:13:23.480 similar to the one you wanted, but something isn't quite right, 0:13:23.600 --> 0:13:25.640 and it tends that again, they were just doing it 0:13:25.679 --> 0:13:28.200 for the advertising money. The scary thing is they could 0:13:28.240 --> 0:13:31.120 have done this for any other reason and actually tried 0:13:31.160 --> 0:13:35.360 to steal stuff directly from the user. Now in this case, 0:13:35.559 --> 0:13:37.560 that doesn't seem to be what they were up to. 0:13:37.679 --> 0:13:41.240 They were up to just redirecting that traffic. So you 0:13:41.320 --> 0:13:43.680 might think, well, that's annoying. I mean, I'm not going 0:13:43.760 --> 0:13:45.200 to get to the website I want to go to 0:13:45.320 --> 0:13:49.680 unless I type in the actual uh numeric address physically, 0:13:49.920 --> 0:13:52.679 then I would go to it. But Uh, while it's 0:13:52.679 --> 0:13:54.200 annoying that I wouldn't go to the site that I 0:13:54.200 --> 0:13:56.200 wanted to go to, at least they're not stealing from me. 0:13:56.880 --> 0:13:59.400 But they could have. They could have directed things so 0:13:59.440 --> 0:14:02.480 that you would go to dummy websites that look similar 0:14:02.520 --> 0:14:06.320 to official ones and put in a system where you 0:14:06.360 --> 0:14:08.640 type in your user name and password and they would 0:14:08.720 --> 0:14:11.480 log it. They could have logged it, they didn't. They 0:14:11.520 --> 0:14:14.960 could have logged that information, thus getting access to various 0:14:15.000 --> 0:14:17.360 accounts across the Internet. They could have gotten access to 0:14:17.400 --> 0:14:21.400 email accounts, bank accounts, you know, any other sort of 0:14:22.080 --> 0:14:26.360 anything that would require authorization. They could have done that. Uh, 0:14:26.800 --> 0:14:28.760 And what would probably have happened is that you would 0:14:28.800 --> 0:14:30.320 have logged in. Let's say that you try to go 0:14:30.400 --> 0:14:34.560 to your banks online banking site and you might get 0:14:34.760 --> 0:14:37.960 a site that looks very much like your banks site. 0:14:38.000 --> 0:14:40.960 In fact, it might even look almost identical. Um, the 0:14:41.000 --> 0:14:43.520 address might look a little hinky, but if you were 0:14:43.560 --> 0:14:45.400 the type of you use the name and password. Likely 0:14:45.440 --> 0:14:48.840 you would get a response saying, oh, sites down for maintenance. 0:14:49.800 --> 0:14:52.480 But what's really happened is that that information has been 0:14:52.520 --> 0:14:56.000 logged by hackers. That could have happened, or they could 0:14:56.000 --> 0:14:58.760 have directed you to a site where you would have 0:14:58.880 --> 0:15:02.960 been encouraged to download even more malware, perhaps a back 0:15:03.000 --> 0:15:06.480 door access programs that you are your computer would become 0:15:06.480 --> 0:15:10.120 part of a bot net or any other kind of 0:15:10.120 --> 0:15:14.440 of hacking tool. It's it's really the options are pretty 0:15:14.520 --> 0:15:16.400 much unlimited. Now. In this case, again it was just 0:15:16.480 --> 0:15:21.320 to redirect traffic. However, there were some other problems that 0:15:21.600 --> 0:15:24.160 would happen if you were affected by this virus. You 0:15:24.240 --> 0:15:27.640 might not you know, you might not have anyone stealing 0:15:27.720 --> 0:15:30.400 from your bank account or anything. But one of the 0:15:30.440 --> 0:15:33.040 things the virus does, which is pretty much standard operating 0:15:33.040 --> 0:15:37.880 procedure for viruses, is it turned off the features on 0:15:37.920 --> 0:15:41.840 your operating system and your anti virus from updating so 0:15:41.880 --> 0:15:45.400 that you wouldn't be able to get the latest security 0:15:45.440 --> 0:15:49.640 patches that would prevent this this UH program from working. 0:15:50.320 --> 0:15:53.880 So first step pretty much of any malware is let's 0:15:53.920 --> 0:15:58.360 disable the stuff that can turn this off. So anything 0:15:58.360 --> 0:16:02.239 that would automatically turn the the malware off was disabled. 0:16:02.560 --> 0:16:04.800 So that's a problem because it means that even if 0:16:04.880 --> 0:16:12.160 you aren't being actively preyed upon by these particular hackers, uh, 0:16:12.440 --> 0:16:15.080 future attacks could hit you much more easily because you 0:16:15.080 --> 0:16:19.000 are no longer protected, which is pretty bad. That's what 0:16:19.080 --> 0:16:22.200 we call a bad thing and Internet security. And there 0:16:22.240 --> 0:16:24.800 were about what four million people around the world and 0:16:25.320 --> 0:16:28.240 about a hundred countries that were affected by this, and 0:16:28.240 --> 0:16:31.880 then thousand in the United States. And it wasn't just uh, 0:16:31.920 --> 0:16:36.440 you know, citizen users, it was also businesses, government, government computers. UM. 0:16:36.480 --> 0:16:38.440 I think there were even like a couple of computers 0:16:38.440 --> 0:16:41.880 over at NASA that were affected to this. And uh. 0:16:42.080 --> 0:16:45.080 And the good news that we have is that the 0:16:45.160 --> 0:16:49.960 FBI arrested these six Estonian nationals that were identified as 0:16:49.960 --> 0:16:53.200 being part of this running actually running this ring. Yeah, 0:16:53.200 --> 0:16:54.880 they were going to try to have them extraditedto the 0:16:54.920 --> 0:16:59.160 United States. Yeah. And they've also taken over the rogue 0:16:59.240 --> 0:17:01.960 DNS servers they have identified as being part of this, 0:17:02.640 --> 0:17:06.480 and those rogue DNS servers are now acting like legitimate 0:17:06.600 --> 0:17:09.879 DNS servers, which is great. That means that as a user, 0:17:10.160 --> 0:17:12.320 when you try to visit a website, you should get 0:17:12.359 --> 0:17:16.240 what you're supposed to get. However, there's a problem because 0:17:16.600 --> 0:17:20.439 your computers still have if you're affected, your computer still 0:17:20.520 --> 0:17:23.560 is directing you to the wrong set of servers. You're 0:17:23.560 --> 0:17:26.480 still getting the right result, but you're going and you're 0:17:26.480 --> 0:17:29.000 not going to the regular chain of command that you 0:17:29.040 --> 0:17:31.439 should go to. And the FBI is not going to 0:17:31.480 --> 0:17:35.399 be running these servers forever, and in fact, in in July, 0:17:36.320 --> 0:17:40.280 they're going to turn them off. And once those turn off, 0:17:40.320 --> 0:17:43.000 if your computer is being directed to those DNS servers, 0:17:43.040 --> 0:17:46.920 you may not have any more Web access, at least 0:17:46.920 --> 0:17:49.800 not through typing in a normal U r L, because 0:17:49.840 --> 0:17:51.679 your computer is going to try and go through a 0:17:51.720 --> 0:17:54.480 pathway that doesn't exist anymore. Chris and I have more 0:17:54.520 --> 0:17:57.760 to say about Operation Ghost Click, but before we get there, 0:17:57.840 --> 0:18:08.399 let's take a quick break to thank our spawn, sir. So, 0:18:08.840 --> 0:18:11.520 the important thing to do is to determine whether or 0:18:11.560 --> 0:18:16.240 not your computer has this infection, and if it does 0:18:16.280 --> 0:18:19.960 have the infection, to clear it up. And uh, it's 0:18:20.160 --> 0:18:22.720 the first one is easier than the second one. The 0:18:22.760 --> 0:18:26.840 FBI actually set up a website designed to help you 0:18:26.920 --> 0:18:30.520 identify whether or not you have been affected. Yes, um, 0:18:30.600 --> 0:18:33.520 you can go to the FBI's website and follow the 0:18:33.560 --> 0:18:38.680 links to find out about whether or not your computer 0:18:39.440 --> 0:18:42.760 has this problem. And there's actually a couple different ways 0:18:42.760 --> 0:18:44.720 of doing it. There's they've they've set up a u 0:18:44.800 --> 0:18:47.240 r L where what it does is it pings a 0:18:47.359 --> 0:18:49.760 server and if it gets a positive result saying that 0:18:49.920 --> 0:18:52.639 you're fine, uh, you get a screen that has this 0:18:52.680 --> 0:18:55.760 big green icon on it and says you're good. Um. 0:18:55.800 --> 0:18:58.280 If you're not fine, you get a big red icon 0:18:58.359 --> 0:19:00.720 which says this is saying that you're you know, it's 0:19:00.760 --> 0:19:04.240 going through one of the rogue DNS servers. They've also 0:19:04.280 --> 0:19:09.800 identified a range of the IP addresses that you know. 0:19:09.840 --> 0:19:12.280 You can check your DNS settings on your computer yourself. 0:19:12.320 --> 0:19:14.960 If you're using a Windows machine, you go to a 0:19:15.040 --> 0:19:18.760 run command and you type an IP configured slash all uh, 0:19:18.800 --> 0:19:22.040 and then that'll pull up your DNS settings and you 0:19:22.080 --> 0:19:26.080 can see what the what the numeric address is for 0:19:26.119 --> 0:19:28.600 the server that you go to, and if it falls 0:19:28.600 --> 0:19:31.399 within the range that's been identified by the FBI, you 0:19:31.520 --> 0:19:35.320 know that your DNS settings are wrong. Clearing this up 0:19:35.680 --> 0:19:38.440 and getting rid of the malware is a little tricky. Uh. 0:19:38.480 --> 0:19:40.960 The easiest way I can think of to do it 0:19:41.000 --> 0:19:43.040 if I were doing it myself. Is going to a 0:19:43.040 --> 0:19:48.040 computer that I know has not been affected and downloading 0:19:48.160 --> 0:19:52.480 the latest antivirus software I can find and putting Most 0:19:52.520 --> 0:19:55.880 of them have an option where you can put a 0:19:56.000 --> 0:19:59.880 version of that onto a thumb drive. Do that, then 0:20:00.000 --> 0:20:03.399 take the thumb drive over to the infective machine and 0:20:03.440 --> 0:20:06.520 booted into safe mode, and load up the anti virus 0:20:06.560 --> 0:20:09.520 software from the thumb drive, and that should be able. 0:20:09.600 --> 0:20:12.600 Depending upon the anti virus software, it should be able 0:20:12.640 --> 0:20:16.159 to scan it and remove it. Um. The FBI also 0:20:16.240 --> 0:20:20.800 points to several web assets that can help you if 0:20:20.920 --> 0:20:23.320 your computer does appear to be one of the ones 0:20:23.359 --> 0:20:25.840 that infected, and those may work very well for you. 0:20:26.240 --> 0:20:28.959 I tend to go with the anti virus approach whenever 0:20:29.000 --> 0:20:33.800 I can. UM it just I don't know, I don't 0:20:33.800 --> 0:20:36.399 know it is. I just have a preference for that 0:20:36.440 --> 0:20:40.920 as opposed to going like a web based route. Yeah. Yeah, um, 0:20:40.960 --> 0:20:44.040 but it is. It is fairly easy to uh to 0:20:44.080 --> 0:20:46.280 get rid of the problem in this case. It's not 0:20:46.359 --> 0:20:48.960 like some of the others where you have to UH 0:20:49.040 --> 0:20:51.439 reformat your hard drive to get it back. Yeah. I mean, 0:20:52.080 --> 0:20:56.600 there's there's something depending on how tech savvy you are, 0:20:57.200 --> 0:20:59.840 it's pretty easy. If you're not terribly tech savvy, it 0:21:00.040 --> 0:21:02.199 maybe it may be worth it to take it to 0:21:02.440 --> 0:21:05.800 a computer professional to have them scan it and remove 0:21:05.800 --> 0:21:08.560 it and take care of it for you, because the 0:21:08.600 --> 0:21:11.360 more you mess with your computer settings, the more you 0:21:11.520 --> 0:21:17.560 may inadvertently cause some problems that can turn your machine 0:21:17.640 --> 0:21:21.760 into a nightmare. Um and and sometimes depending on the malware, 0:21:21.800 --> 0:21:23.960 like if you've had this on your computer for a while, 0:21:24.480 --> 0:21:26.879 that might not be the only malware that's affecting you. 0:21:27.640 --> 0:21:30.679 You might have other problems, in which case, uh, you know, 0:21:30.720 --> 0:21:34.359 a simple scan and remove may not be enough. In 0:21:34.400 --> 0:21:37.240 a worst case scenario, you might have to do something 0:21:37.280 --> 0:21:40.560 like wipe your computer and reinstall the operating system, in 0:21:40.600 --> 0:21:42.200 which case the first thing you want to do is 0:21:42.240 --> 0:21:44.400 back up as much of your data as you possibly 0:21:44.440 --> 0:21:48.600 can and then you do the wipe. But that even 0:21:48.640 --> 0:21:51.360 that is I mean, that's that's like a worst case 0:21:51.359 --> 0:21:55.640 scenario type of thing, and hopefully none of our listeners 0:21:55.640 --> 0:21:57.080 are in that well. First of all, hopefully none of 0:21:57.080 --> 0:21:59.840 our listeners have been affected by this malware, but if 0:21:59.840 --> 0:22:02.600 they have, hopefully it's not so severe. Letting they don't 0:22:02.600 --> 0:22:06.760 have other forms of malware that they can't you know, uh, 0:22:06.880 --> 0:22:10.560 take care of it themselves. Yeah. Um, and of course 0:22:10.600 --> 0:22:12.160 it's always a good idea to back up your hard 0:22:12.200 --> 0:22:15.040 drive on a regular basis anyway, just to make sure 0:22:15.040 --> 0:22:17.600 they always back up your hard drive to h to 0:22:17.680 --> 0:22:20.400 make sure that you have a version of your operating 0:22:20.400 --> 0:22:23.320 system uh installed on there that you can go back 0:22:23.320 --> 0:22:27.679 to that you know is not infected at least hopefully. Yeah. 0:22:28.160 --> 0:22:30.439 But that's that's that's pretty impressive. I mean, the FBI 0:22:30.520 --> 0:22:33.840 has really been promoting the fact that they they had 0:22:33.840 --> 0:22:37.040 this success in taking down or apparent success I should say, 0:22:37.080 --> 0:22:40.520 and taking down this uh this ring, this ring, because um, 0:22:41.280 --> 0:22:43.200 you know this is this is pretty significant. They took 0:22:43.200 --> 0:22:48.680 away traffic from uh legitimate websites in addition to making 0:22:48.720 --> 0:22:53.359 money for themselves with the the alternate fake websites. Um. 0:22:53.400 --> 0:22:57.040 And it does expose the fact that most people are 0:22:57.080 --> 0:23:00.760 are you know, still having to to think about what 0:23:00.840 --> 0:23:04.399