Guardians of the web
Cleaning up Switzerland’s internet sites
The methods for distributing malware are legion (imagepoint)
Viruses and other malware are lurking not just on porn sites, but in places you might never expect. To make it safer to surf, the Switch foundation monitors the Swiss web for malicious code. As a result, Swiss computers are the least infected in the world.
“Error: the webpage cannot be displayed”. It’s not uncommon to get this kind of message when surfing on the web. So you check that the address has been typed correctly and try again, but the page still does not come up. Annoying? Yes, but it might be for your own good.
There are a number of reasons why a site may be inaccessible: connection problems, servers down, or updates in progress. But the site may also have been blocked deliberately for the sake of IT security.
“Some sites have got malicious code hidden in them that can infect a computer. The consequences can be serious: personal data and passwords may be stolen, or the whole system may crash”, explained IT expert Michael Hausding, who belongs to the Computer Emergency Response Team (CERT) at Switch, the organisation that looks after Switzerland’s Internet access. “My job is to block infected sites and prevent the spread of malware and other harmful code.”
Although invisible to the Internet user, CERT is successfully holding the line for Switzerland against malware. According to the most recent report of the Panda Security company, Switzerland is the country with the fewest infected computers in the world (see sidebar). “Apart from our work there are the actions of the major Internet service providers, who inform their customers periodically about the current threats”, adds Hausding.
500 dollars for a global attack
The methods for distributing malware are legion, as Hausding pointed out. “Spreading them through ‘drive-by downloads’ has increased recently. Exploiting a gap in the content management software, hidden code is placed on the website without changing the look or feel of it. When users visit the infected page, the code can install viruses and Trojan horses on their computers.”
These “drive-by” attacks, which are responsible for spreading three quarters of the malware in circulation, now tend to be automated. “There are actually companies which will create scripts to spread harmful code all over the web for 500 dollars,” Hausding warned.
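The drive-by injections described above hide code on a legitimate page without changing how it looks. As an added illustration (not code from Switch or from the article), here is a small defender-side heuristic scanner that flags the usual tell-tale signs in a page's HTML: an iframe made invisible by size or style, a script loaded from a host other than the page's own, and inline script using `eval`/`unescape`-style obfuscation. The sample pages, the club name and the hostnames in them are constructed placeholders.

```python
"""Heuristic scan of a page's HTML for signs of hidden injected content
(added example; not Switch CERT code). Sample pages below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes an element invisible, and JS calls typical of obfuscated loaders.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATION = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(")


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 (pixels): an invisible frame."""
    if value is None:
        return False
    v = str(value).strip().lower().removesuffix("px")
    return v.isdigit() and int(v) <= 1


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing; a human reviews them."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "iframe":
            hidden_by_style = HIDDEN_STYLE.search(a.get("style") or "")
            tiny = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
            if hidden_by_style or tiny:
                self.findings.append(("hidden-iframe", a.get("src") or "<no src>"))
        elif tag == "script":
            src = a.get("src")
            if src:
                host = urlparse(src).netloc.lower()
                if host and host != self.page_host:
                    self.findings.append(("off-site-script", src))
            else:
                self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-script", data.strip()[:60]))


def scan_html(html, page_host):
    """Return the list of (kind, detail) findings for one page body."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: a harmless club page, and the same page with an injection.
CLEAN_PAGE = """<html><body>
<h1>FC Musterdorf - fixtures</h1>
<script src="https://www.example-club.ch/js/menu.js"></script>
</body></html>"""

# Placeholder payload: the escaped string only decodes to "var x=1".
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://malware-host.invalid/gate.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>eval(unescape("%76%61%72%20%78%3d%31"))</script>
</body>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page, "www.example-club.ch"))
```

Each finding is a prompt for review, not a verdict: a legitimate CDN script also triggers `off-site-script`, which is why the scanner returns a list for a person to check rather than blocking anything on its own.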
The goal of these people is to create a network of infected computers, he explained. Whoever controls one of these “botnets” can get into the data stored on systems or use the computers’ connections - for example, to spy on bank transactions or send infected e-mail and spam on a huge scale.
“Last year there were a number of DDoS (Distributed Denial of Service) attacks on the Swiss Federal Railways and PostFinance. When this happens, the web site or server is knocked out by bombarding it with requests.”
Contrary to popular belief, porn sites or sites offering pirated music, films, programmes and so on are not necessarily the most dangerous, according to Hausding. “Malicious code can just as easily be found on the web sites of voluntary associations, sports clubs and small businesses. Whoever created the site was just using out-of-date software or unsecured passwords.”
The owners of these domain names, he emphasised, are not criminals. “They are the unwilling helpers of whoever is controlling the botnet. But then it’s our job to step in.”
Cleaning up their act
On Michael Hausding’s computer screen there is a list of Internet addresses. These are suspect sites which specialised firms and some individuals have identified and told Switch about. “On average we get fifty of these notifications a week.”
Once they have confirmed that these pages can really infect a computer, the CERT experts inform the owner or the administrator of the domain name. “It’s up to them to remove the malicious code from the site”, said Hausding. “For technical staff, this is a fairly straightforward operation that can be done quickly. People who don’t know much about computing ask us to come in and help.”
If there is no response within 24 hours, Switch takes down the whole domain. The web page is no longer accessible.
“If there is no reaction even to this, we ask the owner to identify him or herself with proof of residence or proof of company registration as the case may be. If no such identification is forthcoming, the domain name itself is scrapped.”
Between February 2011 and July 2012, CERT cleaned up 2,828 Swiss sites. “The owners of domain names usually get back to us in a hurry. Often enough, having a web site down means losing money,” Hausding said, adding (but without mentioning any names) that among those contaminated have been the sites of major Swiss firms.
The measures taken to fight malware in Switzerland are unique in the world, according to Hausding.
“Switzerland is the only country in which there is a clear legal framework. The 2010 revision of the regulations on addresses in the telecommunication sector has given us the power to block domain names.”
In Switzerland responsibility for a site rests with whoever has registered it. In other countries, it rests with the Internet hosting provider. “That turns out to be an important feature, when you think that a third of the 1.7 million Swiss domains are hosted on servers in other countries,” Hausding pointed out.
At the end of the interview, we asked Hausding to do us a favour: check the state of health of the swissinfo.ch site. It was a relief to see all the buttons in the analysis programme turning green. The site is safe and there is no malware lurking on it. Not at the moment, anyway.