TWO INTERNET PROTOCOL (IP) ADDRESSES in London have been responsible for infecting more than a quarter of a million routers around the world.
Security researchers from the specialist internet security consulting firm Team Cymru have found an exploit that has already changed the DNS settings of 300,000 routers so that they use the two servers, which could in turn be used to redirect web traffic.
There are a lot of unanswered questions, though. Why is the culprit doing it? Why has it gone undetected for so long? And who is behind the mysterious 3NT Solutions, the hosting company that registered the two DNS servers? But perhaps strangest of all, given that as yet there is no evidence that the DNS servers are answering any differently from normal ones, what are they for and what are they doing?
The two-year-old exploit has mostly been patched in the US, UK and Western Europe, but Eastern Europe and Asia still have significant numbers of vulnerable routers. A particularly large number of infected machines are said to be in Vietnam.
Although there is no evidence, at least so far, of any malicious use of the network it has created, there is no reason to assume that the machines will not eventually be put to their intended use. The DNS servers could, for example, resolve a bank's domain name to a dummy internet banking website in order to steal customers' credentials.
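A rogue resolver of the kind described above can answer normally for almost every name and lie only for a handful of high-value ones, so checking that "DNS works" proves nothing. The script below is an added example (it is not from the article or from Team Cymru) showing the two checks a practitioner would actually run: whether the resolvers a device has been handed are the ones its ISP legitimately uses, and whether the answers it receives for high-value names differ from those of a trusted resolver. All addresses, names and the resolv.conf text are constructed placeholders.

```python
"""Spotting a DNS hijack: unexpected resolvers and per-name answer mismatches.

Added example, not code from the article. All data below is constructed; the
expected resolver list and trusted answers would come from your ISP and a
resolver you control (e.g. queried over a trusted network path).
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed sample of a router/host resolver configuration (not real data).
SAMPLE_RESOLV_CONF = """\
# Generated by the router's DHCP client (constructed sample)
search home.lan
nameserver 192.0.2.53
nameserver 203.0.113.99
options timeout:2
"""

# Constructed reference data: resolvers the ISP legitimately hands out, and
# the answers a trusted resolver gives for a few high-value names.
EXPECTED_RESOLVERS: Set[str] = {"192.0.2.53", "192.0.2.54"}
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "www.examplebank.test": {"198.51.100.10", "198.51.100.11"},
    "www.example.test": {"203.0.113.20"},
}

# Constructed answers from the resolver the device is actually using. The
# hijacker lies only for the bank name; everything else resolves normally.
OBSERVED_ANSWERS: Dict[str, Set[str]] = {
    "www.examplebank.test": {"203.0.113.66"},
    "www.example.test": {"203.0.113.20"},
}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf text.

    Comments and non-nameserver directives are ignored; entries that are not
    valid IP addresses are skipped rather than allowed to crash the audit.
    """
    servers: List[str] = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return servers


def unexpected_resolvers(configured: Iterable[str], expected: Set[str]) -> List[str]:
    """Configured resolvers that are not in the expected set, in original order."""
    return [server for server in configured if server not in expected]


def suspicious_answers(observed: Dict[str, Set[str]],
                       trusted: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Names for which the observed resolver returned addresses the trusted one never did."""
    findings: Dict[str, Set[str]] = {}
    for name, trusted_ips in trusted.items():
        bogus = observed.get(name, set()) - trusted_ips
        if bogus:
            findings[name] = bogus
    return findings


def audit(resolv_conf: str, expected: Set[str],
          observed: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> dict:
    """Run both checks; empty 'unexpected_resolvers'/'suspicious_answers' means nothing found."""
    configured = parse_nameservers(resolv_conf)
    return {
        "configured": configured,
        "unexpected_resolvers": unexpected_resolvers(configured, expected),
        "suspicious_answers": suspicious_answers(observed, trusted),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS, OBSERVED_ANSWERS, TRUSTED_ANSWERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The first check is the one that matters for the case the article describes: with no evidence yet that the rogue servers answer differently, the only visible symptom is a resolver address that the ISP never handed out, so that comparison must be made against a list you trust rather than against whatever the router currently reports.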
For now, however, the origin of this attack on the integrity of the internet is a mystery, and Team Cymru is cooperating with law enforcement efforts to trace the culprits. µ