Friday, July 6, 2012

300,000 Infected Computers to Go Offline Monday


As many as 300,000 PCs and Macs will drop off the Internet in about 65 hours unless their owners heed last-minute calls to scrub their machines of malware.
According to a group of security experts formed to combat DNSChanger, between a quarter-million and 300,000 computers, perhaps many more, were still infected as of July 2.
DNSChanger hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled real domains.
At one point, as many as 4 million PCs and Macs were infected with the malware, which earned its makers $14 million, U.S. federal authorities have said.
Infected machines will lose their link to the Internet at 12:01 a.m. ET Monday, July 9, when replacement DNS servers go dark.
The servers, which have been maintained under a federal court order by Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software, were deployed last year after the Federal Bureau of Investigation (FBI) seized more than 100 command-and-control (C&C) systems during the take-down of the hacker gang responsible for DNSChanger.
The FBI's "Operation Ghost Click" ended with arrests of six Estonian men -- a seventh, a Russian, remains at large -- the C&C seizures, and the substitution of the replacement servers. Without the substitutes, DNSChanger-infected systems would have been immediately knocked off the Internet.
Originally, the stand-in servers were to be turned off March 8, but a federal judge extended the deadline to July 9.
It's not just consumer PCs and Macs -- DNSChanger was equal-opportunity malware -- that remain infected, but also corporate computers and systems at government agencies, said Tacoma, Wash.-based Internet Identity (IID), which has been monitoring cleanup efforts.
Last week, IID said that its scans showed 12% of Fortune 500 firms, or about one out of every eight, harbored DNSChanger-compromised computers or routers. And two out of 55 scanned U.S. government departments or agencies -- or 3.6% -- also had failed to scrub all their PCs and Macs.
The newest numbers were down from earlier scans by IID. In March, for example, the company pegged the Fortune 500 DNSChanger infection rate at 19% and the government agency rate at 9%.
In January, both groups' rate was an amazing 50%.
But there are still tens of thousands of laggards who have not cleaned their computers, even after a months-long effort by the DNSChanger Working Group (DCWG), a volunteer organization of security professionals and companies.
"We're all struggling with this," said Rod Rasmussen, chief technology officer of IID and a member of the DCWG. "There are a lot of people who just haven't gotten the word."
The cleanup, Rasmussen said, has been the tough part of the DNSChanger takedown.
"There was a lot of planning done for the initial takedown, the arrests, the swapping of servers, but there wasn't as much for after the take-down," said Rasmussen. "How do we clean things up? Victim remediation is a challenge for our industry. Everyone wants to do it, but how do you pay for it?"
The DCWG worked extensively with ISPs (Internet service providers) to help them alert customers with infected computers -- identified by their being shuttled through the replacement servers -- and advise them on removing the malware. The group also reached out to enterprises, government agencies and other organizations to offer the same assistance.
At times, that worked.
"Some ISPs have been very draconian," said Rasmussen, citing providers that repeatedly called, emailed or phoned members with infected computers. "Some worked hard at a fair amount of expense."
Others instead prepared for the support calls they expect to field starting Monday when startled customers realize they can't get online. "They're staffing up for [Monday], they know that they're going to get [a large number of calls]."
For those that have done nothing, Monday will be rough, Rasmussen predicted. "For some ISPs, this may be a real flap," he said.
But the project was sometimes frustrating.
One company, which Rasmussen would not name, had cleaned all its machines of DNSChanger, but was repeatedly re-infected. Finally, the firm discovered that laptops connecting to its public Wi-Fi network were spreading the malware, and even narrowed the list of suspects to the media because the timing of the re-infections coincided with press events the corporation held on its campus.
Even so, the effort has been worthwhile, not simply to ameliorate the impact, but as a learning experience for future takedowns of this kind, and for "sinkholing" botnets in general.
"What we need in the future is a real-time alerting capability," said Rasmussen, who described a system that would immediately notify a user if his or her computer had been shunted to a substitute server. The idea was discussed by the DCWG, but never implemented because it would have required much more hardware and support than was available.
"Someone has to support this volunteer effort," said Rasmussen, who didn't have an answer for where that support, whether financial or other resources, would come from.
Two of the Internet's biggest companies have also pitched in with their own anti-DNSChanger campaigns.
In late May, Google began warning infected users with a bannered message at the top of the company's search results page. Several days later, Facebook kicked off a similar alert for its members.
Users have access to several free tools that identify infected computers, including several that just debuted under the DCWG's auspices. In the U.S., for example, users can steer to the dns-ok.us website. Other detection sites are listed on the DCWG's domain.
The DCWG's website also has links to free tools that remove the malware.
But perhaps the loss of the Web is the only wake-up call some users will hear, Rasmussen said.
A few in the DCWG lobbied to stick to the original March 8 deadline and against an extension, believing that only a "tough love" approach would work, said Rasmussen.
"Some people haven't been paying attention to the messages," he said. "It's not a lot, but they're very reticent to do anything."

Apple Siri Versus Google Jelly Bean: Voice Search Showdown


Google Jelly Bean on a Galaxy Nexus bests Apple's Siri on iOS in our mobile voice search face-off.

One of the big enhancements in the Android 4.1 (Jelly Bean) operating system update that Google announced on June 27 is improved voice recognition in search. You can now ask your Android phone questions in a natural way -- meaning you no longer have to sound like a robot to get answers.
We wondered which service is better at answering questions: Android's Voice Search or Apple's much-touted Siri. To test the services, we assembled a list of 17 questions or commands, and asked them of a Galaxy Nexus running Jelly Bean and an iPhone 4S running iOS 5.
A quick disclaimer: Apple has greatly improved Siri in iOS 6, but we weren't able to get our hands on the beta to test it. And the version of Jelly Bean we received from the Google I/O developer conference was not the final version, which will come to phones in mid-July.
Our results? Siri and the new voice recognition software in Jelly Bean each have their fair share of pros and cons. In the end, Android came out ahead on 8 of the 17 questions and commands we posed.
Here's a breakdown of how well each phone handled each question or task.

Question 1: "Where Is the Empire State Building?"

Siri seemed to have trouble understanding this question, while Jelly Bean produced a map that gave us the address of the Empire State Building in New York. For now, Android has the upper hand when it comes to locating famous buildings.
Winner: Android Jelly Bean

Question 2: "Will I Need an Umbrella on Sunday?"

The first few times we asked this question, Siri gave us directions to the nearest department stores. We believe that it may have been trying to point us to places that sold umbrellas, rather than answering our weather question.
When Siri finally realized that we were asking about the weather, it informed us that it could not predict what the weather would be on Sunday, and showed us a graphic displaying the local weather forecast for the next five days. Android told us that we wouldn't need an umbrella on Sunday, and also produced a five-day forecast.
Winner: Android Jelly Bean

Question 3: "Show Me Pictures of Mount Rushmore"

Android automatically brought up a small grid of images, while Siri asked if we wanted to perform a Web search. Siri finally showed us what we had asked for, but it required an extra step.
Winner: Android Jelly Bean

Question 4: "Where Can I Get a Taco Around Here?"

Siri, which pulls its results from Yelp, brought up 20 restaurants in the area that had tacos on the menu. Android presented a map of places that served tacos, but only one establishment was nearby; the rest were spread throughout the city. We have to hand it to Siri on this one, due to the number of results and owing to how close they were to our approximate location.
Winner: Apple Siri

Question 5: "What's the Capital of Canada?"

Both phones came up with an answer, but Android was faster at fetching a result.
Winner: Android Jelly Bean

Question 6: "Get Me Directions to the California Academy of Sciences"

As with the Empire State Building question, Android immediately brought up a map with the location of the California Academy of Sciences in San Francisco, and started opening Google Maps to give us directions.
Siri found two entries for the California Academy of Sciences, and required us to select the correct entry before proceeding to give us directions.
Winner: Android Jelly Bean

Question 7: "How Old Is Stan Lee?"

Both Siri and Android gave us an answer, but Google showed us a picture of Marvel's Stan Lee and read the answer to us.
Winner: Android Jelly Bean

Question 8: "Who Was the Number One Pick in the NBA Draft Last Year?"

Neither Siri nor Android had an answer to this question, and both defaulted to performing a Google search instead.