Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Welcome to TechStuff, a production of iHeartRadio's
HowStuffWorks. Hey there, and welcome to TechStuff.
I'm your host, Jonathan Strickland. I'm an executive producer with
HowStuffWorks and iHeartRadio and I love all
things tech, and it is time for another TechStuff
classic episode. This episode originally published on May two thousand twelve,
(00:29):
and my former co-host and editor Chris Pollette and
I sat down to talk about Operation Ghost Click and
domain name servers and this issue that was going on
at the time, and I think it's pretty fascinating. It
also gives you an idea of how DNS works.
So I hope you enjoy this classic episode. To get there,
(00:50):
you follow Highway fifty eight going northeast out of the city,
and it is a good highway and new all right,
we're talking about numbers today, yes we are. We're talking
about getting to where you're going and getting diverted along
the way. So, as of the recording of this podcast,
which is in April, there is a story that's actually
(01:11):
not a news story necessarily. It first started to kind
of make the news way back in November of but
it's kind of sort of bubbled up and It's an
operation that the FBI, the Federal Bureau of Investigations, has
headed up, and it all involves hacking into the Internet
and uh and and messing around with Internet traffic. It's
(01:36):
called Operation Ghost Click. That's a nice name. I always
love hearing the operation names. It is a wacky doctors game. So, um,
I think first, before we get into too much detail,
we should probably talk about how internet traffic works. We've
mentioned that on the podcast on a handful of occasions.
(01:57):
I think when in fact we got into the domain
name system, DNS system, or sorry, that was redundant, the
DNS, uh, no, servers, um, well, are both,
because DNS can can mean both, but right, right, right,
So yeah, we talked about it before. And basically every
website has a is um as an address, a physical address,
(02:20):
well physical address on on a hard drive, a physical
hard drive somewhere, and these numbers, there are are four
sets of numbers separated by periods, and that address is
unique to that, um, space on that physical hard drive somewhere.
And so if you typed in, um, HTTP colon slash slash
and these this number, you will
(02:43):
get to a website. Of course, that's very inconvenient because
then you neither have to write down these numbers or
bookmark them, or you know, you have to have some
sort of weird total recall thing going on where you
can just easily remember any series of numbers, which would
would would make you incredibly useful, but it would also
(03:05):
make you very rare. Most of us, most of us
are just not It's not something humans are particularly good
at doing on average. So that is what kind of
gave rise to the idea of having this domain name system. Yes, now,
domain name system, what it does is it allows you
to create a domain name as in words that correspond
(03:27):
to whatever your site is, and then that itself is
mapped to this series of numbers, this IP address, right,
the IP being Internet Protocol, um, which is the
the language that gets uh, you know, you from one
place to another on the Internet, regardless of whether you're
using a Windows machine, Mac or Linux or mobile thing.
(03:49):
It gets you to the same place. And what allows
you to type in how stuff works dot com and
get to our website. Yes, so if you were to
type how stuff works dot com, what have is that request?
You know, you know, what you're essentially doing is you're
telling your browser, I want access to this particular website.
Your browser sends this message along up a chain of command,
(04:12):
and uh, you know, it has to go out to
the right computer that has the website living on it
and retrieve that so that you get an instance of
it back at your machine. In order to do that,
it has to first map that one needs to have
is the name that you're typing. It has to be
mapped to that physical machine, that physical drive. Uh, and
(04:36):
it does this by going through domain name servers. A
domain name server is essentially like think of it kind
of like a phone book. Yeah, so that all the
different URLs you could type in are
indexed against these number numerical addresses. And then that way,
once you type in the URL, it looks
(04:57):
for the corresponding numeric address, pulls information from that that
particular source, and then serves it back to you so
that you get what you asked for. Well that you
asked for it, you got it anyway. So, um, the
whole deal here is that you are going to get
(05:19):
the right information. Yeah, assuming that everything's working correctly, and
occasionally stuff messes up. There might be uh, the computer
that hosts, the site might be down, in which case
you're going to get something like a 404
error because the Internet is not going to be able
to find the file that you've requested. We're very sorry.
The Internet is broken. The elders of the Internet called
(05:41):
and they said, no more Internet for you. But most
of the time it's gonna work just fine. However, what
happened in the case of Operation ghost Click is that, uh,
the FBI discovered there were some people who had created
some rogue DNS servers. So, in other words, these get
(06:03):
these folks, six Estonian nationals, according to the FBI, um,
got together and created these servers that acted just as
a domain name server would. So in other words, it
had a collection of URLs, an index
of URLs and an index of addresses,
numeric addresses. So it was like a fake phone book,
(06:26):
right Exactly. Some of the entries in this fake phone
book went to different phone numbers, so instead literally yeah,
but we're we're sticking with the analogy, sticking with that analogy,
just making so instead of the official phone number for
a particular website, you would get a fake one, and
it would in other words, that you would go to
(06:47):
a fake numeric address for a real site. So you
might type in the address perfect in your URL
bar. Right, So let's take a random example. Let's
just say Yahoo. So you do www dot Yahoo dot com.
You hit enter. Now, normally, in a regular DNS server,
it would look up that URL, look to
(07:08):
see what the numeric address is for that URL,
send that information out, retrieve the website, and serve it
up to you. A rogue DNS server would look up
that URL, look at the numeric address that
was created for that URL, But it isn't
actually the address for Yahoo. It's an address for something else,
(07:29):
and it serves that up to you. Now, why would
anyone do this? There are a couple of different reasons. Now,
in the case of the Estonians, and they were doing
something I think that was kind of uh deviously clever.
They were doing this in order to reroute traffic to
rake in advertising money. So in other words, what they
(07:52):
wanted to do was the way advertising on the Internet
works in general is that you get paid for a
certain number of views of the ad. It's called impressions.
The number of impressions an ad gets, that translates to money.
And if you get lots and lots and lots of impressions,
you get lots of money. Um. Then in general a
single impression is worth a fraction of a cent. Yeah, but
(08:15):
if you can say, hey, you know, I can promise
you that five million people are going to see your ad,
then you can command a good price for your services. Right, So,
very popular websites can tend to charge more than sites
that don't get a lot of traffic. Makes makes sense. Right.
Let's say that you have a billboard next to a
busy highway. The price for that billboard to to to
(08:39):
put it out on that billboard's probably gonna be higher
than a billboard that's next to a rural road that
doesn't get a lot of traffic. So anyway, the same
sort of logic applies on on the web. So what
these guys were doing, I say guys, what these Estonians
were doing because I don't know their gender, Uh, they
were they were using these rogue DNS servers to reroute
(08:59):
traffic to go to different websites and that had specific
ads on them that the Estonians were administering, and then
they were pulling in the money. So they were redirecting traffic.
It's like putting in a detour in your route. And
so you're going down your normal route to get to
wherever you're going, and you see a sign that says, oh, nope,
the road is out. Up ahead, take a right instead
(09:21):
of going straight, and you will go through a different route.
And along that route you decided to stop and eat.
And normally you would stop and eat at your favorite restaurant,
but you can't get to that one because it's on
the road that's been closed. So you go to this
other restaurant and it all turns out that it was
employed by the other restaurant in the first place. They
put that detour sign up because they wanted to get
some more foot traffic or some more some more diners
(09:44):
to come in. That was the general plan. Now, the
question is how do you get that rogue DNS server
to get in the line of traffic so that people
will visit it in the first place. Yeah, because if
you're typing in an address that you already know, say
Discovery dot com, you should theoretically be routed to the
(10:04):
right place. As long as your computer is configured correctly
and the Internet is working. The way it's supposed to.
I mean, what are they gonna do. Are they gonna
go in and kick out the legitimate DNS machine and
replace it. No, it was very clever. They created a
kind of malware and the malware is essentially called
DNSChanger, and so DNSChanger would change the
(10:27):
DNS settings on your computer or other device or even router,
which was particularly nasty because if it changed on the router,
then any device that connects through that router would be affected. Also,
it's unlikely that you're going to have antivirus software
on your router, although you might on your computer now.
(10:47):
The way that they did this with the router was
the easiest way, and it's the easiest way for someone
to prevent it from happening to them. The way that
worked on the router was that they just ended up
using a list of generic usernames and passwords
that are that tend to be, um, uh, administered over
various routers. So you pick pick a router, like whatever
(11:09):
router you you happen to use, that router tends to
have a standard username and standard password that you
are supposed to change once you install it into your
home network. But a lot of people never get around
to doing that. They install the the the router and
then they don't bother changing the username and password,
which means that anyone who knows what the standard
(11:33):
username and password is for that brand of router could
get access to that network. That's what they were doing
in this case. But in order to change the computers themselves,
not the router, what they had to do was convince
people to download some malware and execute that. Now, social engineering, yeah,
lots of different ways of doing that. You know. There's
the very standard way where they include some uh they
(11:57):
put on on a website that you might encounter, or
a little pop up that says, hey, your antivirus software
is out of date. Install this and we will scan
your computer for viruses and free, yeah, for free. And
in fact it really is a virus itself that installs
to your computer. You know, you think you are trying
to head off some sort of malware and in fact
(12:19):
you're actually installing malware to your computer at the time,
or it can be through email attachments, you know, all
the standard ways that malware propagates across the web. Any
of that would work to get this this particular kind
of malware onto your machine. Once you installed it, whether
it was through a trojan program or whatever, it would
(12:40):
go and reset the DNS settings on your computer, and
it would direct your computer to go to these rogue
DNS servers as opposed to your Internet Service providers DNS servers,
because, uh, the ISP has its own, right, that passes
the information up along the chain of command, so you
(13:00):
would bypass your ISP's servers. You would
go to these rogue servers, and then you would be
directed to whatever website they wanted to direct you to for
any particular URL. For some URLs,
you might just get the regular website you you're sent
along and nothing bad happens. For other URLs,
you might be directed to a site that looks very
similar to the one you wanted, but something isn't quite right,
(13:23):
and it tends that again, they were just doing it
for the advertising money. The scary thing is they could
have done this for any other reason and actually tried
to steal stuff directly from the user. Now in this case,
that doesn't seem to be what they were up to.
They were up to just redirecting that traffic. So you
might think, well, that's annoying. I mean, I'm not going
(13:43):
to get to the website I want to go to
unless I type in the actual uh numeric address physically,
then I would go to it. But Uh, while it's
annoying that I wouldn't go to the site that I
wanted to go to, at least they're not stealing from me.
But they could have. They could have directed things so
that you would go to dummy websites that look similar
to official ones and put in a system where you
(14:06):
type in your user name and password and they would
log it. They could have logged it, they didn't. They
could have logged that information, thus getting access to various
accounts across the Internet. They could have gotten access to
email accounts, bank accounts, you know, any other sort of
anything that would require authorization. They could have done that. Uh,
(14:26):
And what would probably have happened is that you would
have logged in. Let's say that you try to go
to your banks online banking site and you might get
a site that looks very much like your banks site.
In fact, it might even look almost identical. Um, the
address might look a little hinky, but if you were
to type in your username and password. Likely
you would get a response saying, oh, site's down for maintenance.
(14:49):
But what's really happened is that that information has been
logged by hackers. That could have happened, or they could
have directed you to a site where you would have
been encouraged to download even more malware, perhaps a back
door access programs that you are your computer would become
part of a botnet or any other kind of
(15:10):
of hacking tool. It's it's really the options are pretty
much unlimited. Now. In this case, again it was just
to redirect traffic. However, there were some other problems that
would happen if you were affected by this virus. You
might not you know, you might not have anyone stealing
from your bank account or anything. But one of the
(15:30):
things the virus does, which is pretty much standard operating
procedure for viruses, is it turned off the features on
your operating system and your antivirus from updating so
that you wouldn't be able to get the latest security
patches that would prevent this this, uh, program from working.
So first step pretty much of any malware is let's
(15:53):
disable the stuff that can turn this off. So anything
that would automatically turn the the malware off was disabled.
So that's a problem because it means that even if
you aren't being actively preyed upon by these particular hackers, uh,
future attacks could hit you much more easily because you
(16:15):
are no longer protected, which is pretty bad. That's what
we call a bad thing in Internet security. And there
were about what four million people around the world and
about a hundred countries that were affected by this, and
then thousand in the United States. And it wasn't just uh,
you know, citizen users, it was also businesses, government, government computers. Um.
(16:36):
I think there were even like a couple of computers
over at NASA that were affected by this. And uh.
And the good news that we have is that the
FBI arrested these six Estonian nationals that were identified as
being part of this running actually running this ring. Yeah,
they were going to try to have them extradited to the
United States. Yeah. And they've also taken over the rogue
(16:59):
DNS servers they have identified as being part of this,
and those rogue DNS servers are now acting like legitimate
DNS servers, which is great. That means that as a user,
when you try to visit a website, you should get
what you're supposed to get. However, there's a problem because
your computers still have if you're affected, your computer still
(17:20):
is directing you to the wrong set of servers. You're
still getting the right result, but you're going and you're
not going to the regular chain of command that you
should go to. And the FBI is not going to
be running these servers forever, and in fact, in in July,
they're going to turn them off. And once those turn off,
if your computer is being directed to those DNS servers,
(17:43):
you may not have any more Web access, at least
not through typing in a normal URL, because
your computer is going to try and go through a
pathway that doesn't exist anymore. Chris and I have more
to say about Operation Ghost Click, but before we get there,
let's take a quick break to thank our sponsor. So,
(18:08):
the important thing to do is to determine whether or
not your computer has this infection, and if it does
have the infection, to clear it up. And uh, it's
the first one is easier than the second one. The
FBI actually set up a website designed to help you
identify whether or not you have been affected. Yes, um,
(18:30):
you can go to the FBI's website and follow the
links to find out about whether or not your computer
has this problem. And there's actually a couple different ways
of doing it. There's they've they've set up a URL
where what it does is it pings a
server and if it gets a positive result saying that
you're fine, uh, you get a screen that has this
(18:52):
big green icon on it and says you're good. Um.
If you're not fine, you get a big red icon
which says this is saying that you're you know, it's
going through one of the rogue DNS servers. They've also
identified a range of the IP addresses that you know.
You can check your DNS settings on your computer yourself.
If you're using a Windows machine, you go to a
(19:15):
run command and you type in ipconfig /all, uh,
and then that'll pull up your DNS settings and you
can see what the what the numeric address is for
the server that you go to, and if it falls
within the range that's been identified by the FBI, you
know that your DNS settings are wrong. Clearing this up
(19:35):
and getting rid of the malware is a little tricky. Uh.
The easiest way I can think of to do it
if I were doing it myself. Is going to a
computer that I know has not been affected and downloading
the latest antivirus software I can find and putting Most
of them have an option where you can put a
(19:56):
version of that onto a thumb drive. Do that, then
take the thumb drive over to the infected machine and
boot it into safe mode, and load up the antivirus
software from the thumb drive, and that should be able.
Depending upon the antivirus software, it should be able
to scan it and remove it. Um. The FBI also
(20:16):
points to several web assets that can help you if
your computer does appear to be one of the ones
that infected, and those may work very well for you.
I tend to go with the anti virus approach whenever
I can. Um, it just, I don't know, I don't
know it is. I just have a preference for that
(20:36):
as opposed to going like a web based route. Yeah. Yeah, um,
but it is. It is fairly easy to uh to
get rid of the problem in this case. It's not
like some of the others where you have to, uh,
reformat your hard drive to get it back. Yeah. I mean,
there's there's something depending on how tech savvy you are,
(20:57):
it's pretty easy. If you're not terribly tech savvy, it
maybe it may be worth it to take it to
a computer professional to have them scan it and remove
it and take care of it for you, because the
more you mess with your computer settings, the more you
may inadvertently cause some problems that can turn your machine
(21:17):
into a nightmare. Um, and and sometimes depending on the malware,
like if you've had this on your computer for a while,
that might not be the only malware that's affecting you.
You might have other problems, in which case, uh, you know,
a simple scan and remove may not be enough. In
a worst case scenario, you might have to do something
like wipe your computer and reinstall the operating system, in
(21:40):
which case the first thing you want to do is
back up as much of your data as you possibly
can and then you do the wipe. But that even
that is I mean, that's that's like a worst case
scenario type of thing, and hopefully none of our listeners
are in that well. First of all, hopefully none of
our listeners have been affected by this malware, but if
they have, hopefully it's not so severe, like they don't
(22:02):
have other forms of malware that they can't, you know, uh,
take care of it themselves. Yeah. Um, and of course
it's always a good idea to back up your hard
drive on a regular basis anyway, just to make sure
they always back up your hard drive to, uh, to
make sure that you have a version of your operating
system uh installed on there that you can go back
(22:23):
to that you know is not infected at least hopefully. Yeah.
But that's that's that's pretty impressive. I mean, the FBI
has really been promoting the fact that they they had
this success in taking down or apparent success I should say,
and taking down this uh this ring, this ring, because um,
you know this is this is pretty significant. They took
away traffic from uh legitimate websites in addition to making
(22:48):
money for themselves with the the alternate fake websites. Um.
And it does expose the fact that most people are
are you know, still having to to think about what
they do because they they may very well be letting
somebody in. It could have been a lot worse than
it was. Yeah, exploiting the DNS system, which again I know, redundant,
(23:11):
ATM machine, uh, exploiting that PIN number, um,
it was pretty ingenious, you know, Essentially, it just shows
that understanding how the Internet works and building this parallel
system that exploits the way Internet works was very clever. Now,
of course, it's still depended upon user behavior to work,
(23:34):
because if no one had downloaded the malware, if no
one had installed the malware, it wouldn't have um nothing
would have happened. You would have had these DNS, these
rogue DNS servers that would be online and would be
ready to redirect traffic to wherever they wanted it to go.
But if no one downloaded the malware, the traffic would
never have been redirected. So really, the other lesson to
(23:57):
take away from this is just practice good Internet security
rules of thumb, things like don't open strange attachments from
you know, in random emails, make sure you ask people
if they've sent you an attachment, ask them like, did
you really send this to me? Because sometimes people their
email address gets compromised and they randomly start sending out
(24:21):
files to people, often in uncharacteristically uh worded ways, Like
you might read a message and think, either my friend
has taken a terrible fall and decided to email me
immediately afterward, or is under the influence of some powerful
(24:44):
alcohol or you know, it just doesn't make any sense.
Like you read it and you're like, this doesn't sound
like Chris. Chris never emails me in all caps with
lots of letters missing. Um, you know, send this to
everyone you know. Um, Bill Gates will give you twenty
five cents for every email that you've forwarded anyway, don't
(25:04):
don't open those email attachments. Yeah, and you know what
I recently realized. Um, every once in a while, I
find a story that I want to send to somebody,
and I've I've realized that I was sending it. I'd say, hey,
I just saw this, you should check it out. You
know what. That sounds just like something a spammer
would write, right, So I try to make it a
little more personally personal so that the well, for one thing,
(25:27):
the spam filter will on a lot of these uh
uh services will we'll pull it right out of there
if you if it's something that that minimal. So if
it fits that pattern of hey I saw this, check
it out, and then yeah, it can fall into the
spam filter pretty easily. Also, And it doesn't just go
with attachments like I mean, or links. There are links,
(25:50):
plenty of links are problems, but think about gosh, I've
seen this so many times on Facebook. Clickjacking on Facebook.
We're in the home stretch for Operation Click. But before
we click on any more ghosts, we're gonna take a
quick break to thank our sponsor. So if you've ever gone,
(26:15):
I'm sure most of you have. Anyone who's had a
Facebook account long enough has seen this happen with their friends.
You'll look and there'll be some video link. You know,
it'll say. It won't be an embedded video, so it's
not something that plays within Facebook, but you'll see like
a link to some incredible video and it usually has
(26:36):
to do with either violence or sex. Those tend to
be the two big ones. Yeah. Yeah, you go for
those base instincts that we humans have and uh and
you get a lot of results, which is kind of
a sad commentary, but that's a different podcast. Anyway, there's
a you know, you'll you'll see this link And I
saw one recently and immediately I was like, my red
(26:58):
flag went up as soon as I thought. First of all,
I was like, this doesn't seem like the kind of
thing this person would have shared, Like they might have
clicked on a link but it doesn't seem like something
they would have themselves shared. And it was a supposedly
a video about Justin Bieber being stabbed at a concert,
and as soon as I saw it, I thought, uh,
this has click clickjacking written all over it, And immediately
(27:22):
I went to one of my favorite references for this
sort of thing, snopes dot com. So Snopes is all
about urban legends, but they also look at things like
internet hoaxes and and clickjacking. And I did a
quick search and sure enough, this is something that's been
around for a while, and it just it's just like
a lot of other clickjacking. It has these cycles that
(27:43):
goes through where you'll have an initial pop up of
this and then it dies down, and then it'll pop
up again, and it'll do that three or four times.
Current events are often yeah, and I mean it's it's
you'll find some of these that are that have lasted
for years that basically they don't necessarily you have to
be about Justin Bieber, for example, that maybe the uh
(28:04):
the clickjack du jour, Yeah exactly, or you know,
five years ago it could have been about for example,
Britney Spears. Yeah, that would be a very popular one
and Jennifer Aniston or somebody somebody that's in the news
right that moment. Yeah, and it tends to be like
or or it'll be like this this this news anchor
had an embarrassing moment on the news. Click to find
(28:26):
out that sort of stuff. And what happens is if
you do click that, you'll get a message that essentially
says usually something like, uh, your your you need to
install this extension or you need to install this video
player in order to watch this video. And if you
allow it, then it gets access to things like your
Facebook feed and as well as possibly other stuff. It
(28:49):
may involve other, you know, kinds of malware, but in general,
you've seen see this get propagated across Facebook where someone
who has fallen for the trick agrees to it, and
then it continues to go across Facebook because it starts
to use that person's feed. So whenever I see one
of these, here's what I do, guys. I immediately, you know,
(29:11):
I see something that that raises a red flag like that,
first thing I do is I do a search on
on Google for whatever the video supposedly shows, because nine
times out of ten, it's just completely made up, and
you can usually find up I find an article written
on it, or it'll be on Snopes or something like
that where I'll say, you know, this new Facebook scam
(29:33):
is going around, so watch out for it. Once I
have confirmed that it's a scam, I go back to
Facebook and I comment on the entry and I say, Hey,
it looks like this is a clickjacking attempt. You may
want to go and and change your Facebook password and
delete this post because by deleting the post, you're going
to help remove that that step for other people to
(29:56):
fall victim to that same problem. So I do that fairly
regularly because I've got a lot of friends on Facebook,
and this sort of thing can happen to anyone. It's
uh and it's not necessarily something that's that's sort of
either appealing to violence or sex. Sometimes it's something that's
just interesting and it has nothing to do with any
(30:18):
of those uh uh kind of more base subject matter.
And also, I mean in general, when there's a link
in Facebook, if it's a link in Facebook, I tend
to go to Google anyway and try and get to
that link without going through Facebook, because you never know
when it's a clickjacking attempt. If it's an embedded video
(30:39):
within Facebook, like a YouTube video that's been embedded in
Facebook something like that, I'm all right with that. I'll
watch it that way. But for links, I tend to
go outside of Facebook to do it, just to be
on the safe side, which I'm sure Facebook hates. That's
not what Facebook wants to hear. But until they want
to track you, right, until there's better security around that
(30:59):
so that I'm not throwing caution to the wind and
infecting my computer, I just I can't justify it. So
that's just my own personal approach. Guys. I'm sure all
of you probably have your own sort of way of
dealing with this and avoiding problems, but it's always something
that's good to keep in mind. Uh, and um. Anyway,
So if you guys, suspect that you might have this
(31:21):
DNSChanger malware on your computer, go to the
FBI's website. Use their tool first of all to see
if you get a result back. If you don't get
a result back, you're probably okay, not necessarily okay. You
can pull up that list of addresses that do map
to these rogue servers and go through your computer settings
(31:43):
and confirm it that way warning rogue servers, So just
check your computers, make sure you're you're fine, because if
you're not fine, then once the FBI turns these servers off,
you may have some problems accessing stuff over the web.
And then you're thinking, what the heck happened? And that
wraps up another classic episode of TechStuff. Hope you
(32:05):
guys enjoyed. It gives you a little bit of a
glimpse into the past and this operation Ghost Click problem
that was plaguing us in the spring of If you
guys have any questions or maybe suggestions for future episodes,
you can send me an email, the address is TechStuff
at HowStuffWorks dot com, or pop on over
(32:27):
to our website, that's techstuffpodcast dot com. That's
where you're going to find links to all our classic episodes,
including all of our new episodes. You'll also find links
to our social media presence and a link to our
online merchandise store, and every purchase you make there and
goes to help the show, and we greatly appreciate it,
(32:48):
and I'll talk to you again really soon. TechStuff
is a production of iHeartRadio's HowStuffWorks.
For more podcasts from iHeartRadio, visit the
iHeartRadio app, Apple Podcasts, or wherever you listen
to your favorite shows.