Slashdot Mirror


Cameroon the New Hotbed of Malware

garg0yle writes "According to McAfee, more than a third of Cameroon domains (TLD of .cm) are infested with viruses or other not-so-fun party treats. Given that it's very easy to mis-type .com as .cm, this puts the computers of a lot of fat-fingered typists in peril. Second place on the most-infested domains list goes to China (.cn), while Hong Kong (last year's 'winner') is now comfortably middle-of-the-pack."


  1. Mistype by Lunoria · · Score: 1, Insightful

    While I can believe that .cm is a mistype for .com, what about .co, .con, .om? They don't seem to be high risk websites. I also bet that .con is a more common mistype than .cm. I also wonder whether slashdot.og is infested with viruses.

    1. Re:Mistype by DavMz · · Score: 5, Funny

      I have n "" letter n my keybard, yu insensitive cld!

    2. Re:Mistype by Anonymous Coward · · Score: 5, Informative

      what about .co, .con, .om?

      .co is Colombia, .om is Oman, but .con doesn't exist.

      They don't seem to be high risk websites.

      What is "they" in that sentence, or did you mean "TLDs" instead of "websites"?

      I also wonder whether slashdot.og is infested with viruses.

      .og doesn't exist. You might want to consult a list of TLDs before you ask a bunch of "what about" questions. Or install a robust browser and try to load the url instead of just wondering about it.

    3. Re:Mistype by tsalmark · · Score: 1

      Someone with mod points give this guy a boost; I was about to say the same thing, but it's already been said by an anon.

    4. Re:Mistype by jrumney · · Score: 4, Informative

      It depends on the policies of the registrar for those top level domains. Some countries allow free for all registration of domain names, others restrict registration to local companies and citizens only. Also many country tlds require specific sub-domains such as .com.co, which reduce the usefulness of those domains for typo-squatters.

    5. Re:Mistype by Potor · · Score: 2, Informative

      I can't remember the last time I typed "com".

      Seriously - with ctrl+enter, who needs to?

    6. Re:Mistype by Anonymous Coward · · Score: 1, Funny

      I just went there, and BUY CHEAP VIAGRA yes, it is WILL MAKE YOU 9 INCHES LARGER full of viruses. SO BIG YOU COULD PUT IT ON A BUN AND EAT IT!

    7. Re:Mistype by grcumb · · Score: 4, Informative

      While I can believe that .cm is a mistype for .com, what about .co, .con, .om? They don't seem to be high risk websites. I also bet that .con is a more common mistype than .cm

      It hardly matters. What many of the press reports (including El Reg) seem to ignore is the second most risky TLD in the world: .com.

      I'll bet you dollars to donuts that, because of the size and popularity of the TLD, .com is significantly more of a threat to the average Internet user than .cm.

      And while we're at it, how about a link to the actual report? (warning: PDF)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    8. Re:Mistype by Anonymous Coward · · Score: 3, Funny

      .CONNNNNNNNNNNNNNN!!!!!!!

    9. Re:Mistype by icannotthinkofaname · · Score: 1

      It's a bit of a stretch for me to believe that .cm is a typo of .com. When I mistype .com, it's usually .co or .cmo. But I never just forget the o like that.

      --
      Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
    10. Re:Mistype by Antiocheian · · Score: 1

      'But wheah's the necessity? It seems an uncommonly woundabout and hopelessly wigmawolish method of getting anywheahs. Look heah now, I've got the wuhks of the mastahs -- the gweat ahchaeologists of the past. I wigh them against each othah -- balance of the disagweements -- analyze the conflicting statements -- decide which is pwobably cowwect- and come to a conclusion. That is the scientific method. At least' -- patronizingly -- 'as I see it. How insuffewably cwude it would be to go to Ahctuwus, oah to Sol, foah instance, and blundah about, when the old mastahs have covahed the gwound so much moah effectually than we could possibly hope to.'

      -- Isaac Asimov, Foundation

    11. Re:Mistype by jez9999 · · Score: 1

      .co is Colombia, .om is Oman, but .con doesn't exist.

      That's a shame, coz then we could have all the malware and phishing websites under one roof like porn is with .xxx. :-(

    12. Re:Mistype by Fred_A · · Score: 1

      Yes, I meant TLD's not webistes. (sic) I wasn't aware that .con wasn't a valid TLD . And .og was meant to be a joke.

      Which makes your comment worthwhile how, exactly ? Please refrain if you have no idea what you're talking about or take a minute to use your search engine of choice to see what the hell it is that people are talking about. As a rule geographic TLDs match the two letter country codes (as defined by ISO, see ISO-3166-1, relevant table is "alpha 2") most of the time.
      See the handy table at http://en.wikipedia.org/wiki/ISO_3166-1#Officially_assigned_code_elements or http://www.iana.org/domains/root/db/ for the real (internet-related) thing.

      I'm not an internet expert, [...]

      You don't say...
      But that's not a handicap. We all start that way, and then we learn (if we are so inclined).

      --

      May contain traces of nut.
      Made from the freshest electrons.
    13. Re:Mistype by Fred_A · · Score: 1

      I typed "Ctrl+Enter" and nothing happened.

      I want my money back !

      --

      May contain traces of nut.
      Made from the freshest electrons.
    14. Re:Mistype by tehcyder · · Score: 2, Funny

      You should be grateful you're not here where we have .co.uk addresses. You wouldn't believe the number of times I've typed in .cock and got something unexpected popping up on my monitor...

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    15. Re:Mistype by halcyon1234 · · Score: 1

      ...second most risky TLD in the world: .com.

      Are you sure? Can you provide a link?

      And while we're at it, how about a link to the actual report? [mcafee.com] (warning: PDF)

      McAfee and a PDF. Two pieces of malware from one .com site. Excellent evidence, sir.

    16. Re:Mistype by petermgreen · · Score: 1

      what about .co, .om?

      assigned to Colombia and Oman respectively but don't allow registrations directly under the tld so not useful for cybersquatters.

      .con

      doesn't exist.

      I also wonder whether slashdot.og is infested with viruses.

      .og doesn't exist either

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    17. Re:Mistype by Anonymous Coward · · Score: 1, Informative

      Sounds like you got one of those keyboards left by the W Bush admin for the next president.

    18. Re:Mistype by Spazztastic · · Score: 1

      I wasn't aware that .con wasn't a valid TLD (It should be valid for the scammers).

      Really? We should dedicate a whole TLD just for scammers? Was that supposed to be a joke?

      And .og was meant to be a joke.

      Ok, I guess you did mean it as a joke if you thought that one would fly too. It went over like a lead balloon, though.

      Here's a tip from an internet professional: Do research before you make posts on a site that you can't delete or edit your comments on. If you make a mistake, reply to yourself and correct it. Otherwise people who have karma to burn will correct you, much like myself.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
  2. Missing keys? by TheProphet92 · · Score: 2, Interesting

    I rarely miss the 'o' key altogether, more commonly I press a different one accidentally, like 'cpm' or 'con'.

    1. Re:Missing keys? by Anonymous Coward · · Score: 2, Funny

      shtrrf/ o jsyr ejrm o fp yjsy/

    2. Re:Missing keys? by Spad · · Score: 1

      My usual typo is .copm

  3. POLL: have you ever mistyped .cm for .com? by theNAM666 · · Score: 2, Interesting

    Really? I've never done it. Never. /me goes to point .cm to 127.0.0.1 .

  4. Wouldn't it be safer to... by Antony-Kyre · · Score: 3, Insightful

    to just block the whole Net? That way, you can't visit any website, thus avoid all websites hosting malware. Either that or have a patched, updated browser, and use smart surfing habits.

    1. Re:Wouldn't it be safer to... by mysidia · · Score: 5, Insightful

      Blocking .cm can be a helpful step, because it blocks a portion of the hostnames that (A) if you visit has a very high probability of infecting you, and (B) that an intentional visit to is unlikely.

      So you can block .cm with a notable increase in safety, with a minimal decrease in usefulness of your internet access.

      The same could not be said of blocking the whole net. Blocking the whole net reduces the utility of your network connection, since it means you can no longer navigate to the sites that you do want to, with high probability.

    2. Re:Wouldn't it be safer to... by srussia · · Score: 2, Funny

      Blocking .cm can be a helpful step

      I live in Cameroon, you insensitive clod! But then again, malware is not at the top of my worry list... carry on then.

      --
      Set your phasers on "funky"!
    3. Re:Wouldn't it be safer to... by water-and-sewer · · Score: 1

      Seriously, do away with it and go back to gopherspace. No viruses there, probably. The WWW is overrated.

      --
      If this were Usenet, I'd killfile the lot of you.
  5. .com default by feedayeen · · Score: 3, Informative

    Most modern browsers insert .com automatically if no top level domain exists in the URL.

  6. I am Naga Eboko, exchange student from Cameroon. by fucket · · Score: 4, Funny

    Beef jerky time.

  7. No, I don't think it is by 93+Escort+Wagon · · Score: 3, Interesting

    Given that it's very easy to mis-type .com as .cm, ...

    I can safely say I've never done this. I've made other errors - such as ending up in Estonia's (.ee) web space on occasion, since I work in an electrical engineering department. But I can't believe leaving out the "o" from ".com" is particularly easy or at all common.

    Now if you wanted to talk about Colombia (.co) being a frequent typo for .com domains, then I might find it more believable. I have done that on rare occasions.

    --
    #DeleteChrome
    1. Re:No, I don't think it is by trawg · · Score: 1

      I can safely say I've never done this. I've made other errors - such as ending up in Estonia's (.ee) web space on occasion, since I work in an electrical engineering department. But I can't believe leaving out the "o" from ".com" is particularly easy or at all common.

      I can't figure out how you think ending up at a domain ending in .ee because you're an electrical engineer is less weird than mistyping .com

    2. Re:No, I don't think it is by imakemusic · · Score: 1

      So missing the m key, or not pressing it hard enough is logical but missing out the o is just crazy talk?

      I guess that makes sense...if you have a particularly weak index finger.

      --
      Brain surgery - it's not rocket science!
    3. Re:No, I don't think it is by BetterSense · · Score: 1

      I always seem to type c.om, but maybe it's because I type dvorak. My mistakes are different.

  8. Yes, but... by InspectorxGadget · · Score: 4, Funny

    ...they make those delightful coconut cookies. I think we can forgive them.

    1. Re:Yes, but... by Opportunist · · Score: 5, Funny

      Hate to break it to you, but those ain't coconut cookies that they sent to your browser...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Auto-Correcting Domains by cshbell · · Score: 1

    It's water under the bridge, but in hindsight, it would have been better to not create the alternate TLDs .cm, .co. While I'm at it, tell me there's a good reason we have augmented reality iPhones and 60 MPG cars but not web browsers that autocorrect non-existent TLDs.

    Seriously, why doesn't every browser have a "I don't live in Cameroon or Colombia; auto-correct .cm and .co to .com, don't warn me when doing it, and don't bother me about this again" option? (I know, I know, .hosts and/or Firefox extensions. Still.)

    1. Re:Auto-Correcting Domains by MichaelSmith · · Score: 4, Funny

      I knew a guy called Teh but unfortunately Microsoft tools auto correct that to The.

    2. Re:Auto-Correcting Domains by syousef · · Score: 1

      I knew a guy called Teh but unfortunately Microsoft tools auto correct that to The.

      Clearly he should change his name. I'd like to suggest Meh.

      --
      These posts express my own personal views, not those of my employer
    3. Re:Auto-Correcting Domains by Tynin · · Score: 3, Insightful

      Maybe because it is a world wide web, and some people who live in the US may not have as limited of interests as you?

  10. stuck key by wizardforce · · Score: 2, Insightful

    typing *.cm instead of .com is as simple as having an o key that gets stuck occasionally and not noticing the typo. All it takes is a keyboard that needs a good cleaning and a user that isn't paying enough attention.

    --
    Sigs are too short to say anything truly profound so read the above post instead.
    1. Re:stuck key by daveime · · Score: 1

      typing *.cm instead of .cm is as simple as having an key that gets stuck ccasinally and nt nticing the typ. All it takes is a keybard that needs a good cleaning and a user that isn't paying enough attentin.

      FTFY ;-)

  11. OpenDNS has an option to fix this by robbak · · Score: 3, Informative

    OpenDNS has an option to automatically 'correct' .cm requests to .com, which I always turn on. If Cameroon does not want people doing this, then it would have to police its domain closely, instead of using it as a cash cow.

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
    1. Re:OpenDNS has an option to fix this by Anonymous Coward · · Score: 1, Informative

      OpenDNS also rewrites NXDOMAINS to host advertisements.

      Why do people keep spamming this service like it doesn't suck?

    2. Re:OpenDNS has an option to fix this by QuoteMstr · · Score: 1

      OpenDNS really is an abomination unto the Domain Naming System as bad as any ISP's NXDOMAIN redirection.

      But IOKIYFTM --- It's Okay If You're Fighting The Man

      (Or have a PR department that creates that impression.)

    3. Re:OpenDNS has an option to fix this by shentino · · Score: 1

      Because it's opt-in and doesn't hijack your DNS unless you tell it to?

      I don't use it myself though since I run bind and do my own DNS caching.

    4. Re:OpenDNS has an option to fix this by KazW · · Score: 1

      OpenDNS breaks the DNS standard, as it returns a search page for non-existent domains, there was actually a /. article about sites doing this not too long ago. Lastly, not to mention, you're letting a 3rd party track almost 100% of your net activity.

      In closing, "smart" DNS is a dumb decision, even for dumb people.

      --
      Geeks don't grock information, they grep it.
    5. Re:OpenDNS has an option to fix this by dissy · · Score: 1

      OpenDNS breaks the DNS standard, as it returns a search page for non-existent domains, there was actually a /. article about sites doing this not too long ago.

      That is an option that can be turned on and off to your own desire.
      Just uncheck the checkbox on your preferences page and it will not rewrite nxdomain.

      FYI, most people like that feature. For the rest, who either don't like it, or do like it but for technical reasons can not have it, you can just not enable it.

      Lastly, not to mention, you're letting a 3rd party track almost 100% of your net activity.

      You say that like it is only true when using opendns and not true all other times.

      All you are doing is changing 3rd party from your ISP into opendns, so in those cases that option is always there.
      And no, it does not matter if you run your own DNS server, since it needs to get records from some upstream service too...

      I can understand not trusting your ISP (some ISPs simply have proven themselves untrustworthy), but I don't see why you would trust ICANN that much more than OpenDNS. ICANN has done some really rotten things too (Including rewriting NXDOMAIN but without any option to disable it!)

    6. Re:OpenDNS has an option to fix this by gad_zuki! · · Score: 1

      On top of it there's nothing open about them. No source, no open development, community, etc. It's just a company that tracks people and breaks NXDOMAIN. Man, is running bind on something so hard? There's even a pretty nice dumbed down GUI windows port called Treewalk.

    7. Re:OpenDNS has an option to fix this by forerunner403 · · Score: 1

      Yeah, this option is definitely a life saver.

    8. Re:OpenDNS has an option to fix this by RocketRabbit · · Score: 1

      You and the four other people using OpenDNS must really be sitting pretty.

  12. Cameroon is in Africa! by mi · · Score: 1, Informative

    I hereby denounce this article — and the pseudo-statistics in it — as racist!

    Gebyy zl nff!..

    --
    In Soviet Washington the swamp drains you.
  13. Re:POLL: have you ever mistyped .cm for .com? by Opportunist · · Score: 1

    I prolly shouldn't do that, this machine I'd point to is full of current malware.

    (if I'm on my analysis machine, that is...)

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Is omitting a letter really a problem? by Opportunist · · Score: 1

    If so, change keyboards.

    I see the real threat in letters getting mixed up (which probably does not matter so much in 3 letter TLDs, since I don't know of a cmo or ogr TLD) or a typo (.con, .prg), which also usually don't really result in anything damaging. .cm being mistyped as .cn might be a problem, though. But then again, it's like missing the flood to reach the drought, so...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. In any case... by BrokenHalo · · Score: 3, Insightful

    In any case, if (as the article claims) one third of Cameroon domains host malware, the implication is that two thirds don't. I would be very curious to know what percentage of US domains host malware.

    Regardless of the answer, the appropriate response is to use a robust browser and block individual sites, not block out whole nations. Otherwise one might just as well move to China.

  16. To that I'll add by Sycraft-fu · · Score: 3, Informative

    That different nations treat their TLDs differently. Some sell them to anyone who wants one. You can register them as long as you are willing to pay whatever fee it is they ask. The .tv domain is one such domain. Others make the domains available, but only to people or organizations that meet certain requirements like citizenship. Canada (.ca) would be one like that. Any Canadian can have a .ca domain if they are willing to pay for it, but non-Canadians can't buy one. Still others only use their domain for government or internal functions. The .us domain was like that at one time. You could get it only as an entity like a county government or a high school or something (it is now open for registration). Finally some countries simply don't do anything with their TLD, it just isn't used at all and there's no way to get it.

    So just because a TLD exists, doesn't mean it can be used for any given purposes.

    1. Re:To that I'll add by dissy · · Score: 1

      Reminds me of the time I tried to get an Antarctica domain (.aq), and the first email I got back stated "Sorry, to register you must live on the ice"

      As for the history of the .us cctld, even back in the late 80s, one could register a subdomain out of it being an individual (and it was free too! Then again, so was .com)

      However they did have and enforce a strict organizational structure.
      From what I recall, you had to get [something].county.state.us
      Later they opened it up more, but was still state/group sectioned at the second level, IE blah.k12.us for a school. These days for the right price anyone can get a blah.us

      I also had a Canadian .ca domain, but the admin contact was my mailing address in Canada instead of my US one. So I think resident was the only requirement, not citizen.
      That or they just had poor checking of citizenship back then ;}

  17. The world is infected! Buy our stuff! by tjstork · · Score: 1

    Let's get real and understand that the real purpose of providing this "information" is marketing. It is there to reinforce the message that the world is hopelessly infected with computer viruses and you absolutely MUST have the offerings of McAfee and other anti-virus software vendors. I'm not even sure why anyone would believe it is true.

    --
    This is my sig.
    1. Re:The world is infected! Buy our stuff! by dskzero · · Score: 1

      So you are arguing that it's better to avoid antivirus completely?

      --
      Oblivion Awaits
    2. Re:The world is infected! Buy our stuff! by aBaldrich · · Score: 1

      So you are arguing that it's better to avoid antivirus completely?

      There is hope beyond McAfee. Repent and convert to Linux.

      --
      In soviet russia the government regulates the companies.
    3. Re:The world is infected! Buy our stuff! by dskzero · · Score: 1

      I don't need to convert to anything. I'd rather use NOD32 and continue my windows ways that haven't failed me. Sorry. :)

      --
      Oblivion Awaits
  18. Always one rotten apple by hesaigo999ca · · Score: 1

    There will always be a worst and best in this category, as in anything you do in life. The problem is when it is deliberately set to that which happens to be .cm (which could be a mistype for many people)...if you think of whether this was intentional on the hackers' part, you better believe it.

    It could be any of the countries that have domains, and have no real talent for programming websites, but in the end,
    you have to wonder, most are hosted on regular ISPs that offer the .cm extension, so should they not be partially responsible too, for at least quick testing the site's vulnerability with a tool or something....and if they find anything, the website owners are responsible to fix it, or get their vulnerable or compromised websites taken down.

    That's just my 2 cents though

  19. Re:I am Naga Eboko, exchange student from Cameroon by NevarMore · · Score: 1

    HAPPY CHRISTMAS!

  20. Re:POLL: have you ever mistyped .cm for .com? by Nimey · · Score: 1

    Once just recently - I was holding my infant daughter so had to type one-handed.

    OpenDNS caught the error and warned me away from a malware site. Don't remember where I was going at the time.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  21. Is there an easy way......? by jameskojiro · · Score: 1

    To block any top level domain? I mean like an entry in the hosts file, etc.....

    --
    Tsukasa: All I really want, is to be left alone...
    1. Re:Is there an easy way......? by gad_zuki! · · Score: 1

      Nope, a host file is static and won't support any wildcards like *.cm.

      You can run bind and play with the configuration or you can set your firewall to not let you make connections to Cameroon's netblocks. That's assuming the cm stuff is actually hosted there. If not then you need to block via DNS.

      # Country: CAMEROON
      # ISO Code: CM
      # Total Networks: 16
      # Total Subnets: 100,864

      http://www.countryipblocks.net/country-blocks/select-formats/
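
Added example, not part of any comment in this thread: it enumerates the single-keystroke slips of .com that commenters describe (dropped key, swapped keys, neighbouring key, extra neighbouring key), keeps those that land on a TLD the thread names as existing, and matches hostnames against a TLD blocklist by last label, which a hosts file cannot express. The key map and the TLD set are constructed for the example; a real deployment would load the IANA root zone database linked earlier in the thread.

```python
"""Which one-keystroke typos of a TLD land on a real TLD, and how to
match hostnames against a TLD blocklist (added example)."""

# QWERTY neighbours for the letters of "com" only (constructed, partial map).
QWERTY_ADJACENT = {
    "c": "xvdf",
    "o": "iplk",
    "m": "njk",
}

# TLDs the thread names as existing. This is NOT the full root zone:
# it is an assumption made so the example runs offline.
DELEGATED_TLDS = {"com", "cm", "co", "om", "cn", "ee", "uk", "tv", "ca", "us", "aq"}


def typo_variants(tld):
    """Return {variant: typo_class} for single-keystroke slips of `tld`."""
    variants = {}
    for i, ch in enumerate(tld):
        # Key not pressed at all (.com -> .cm, .co, .om).
        variants.setdefault(tld[:i] + tld[i + 1:], "omission")
        # Two neighbouring letters typed in the wrong order (.com -> .cmo).
        if i + 1 < len(tld) and tld[i] != tld[i + 1]:
            swapped = tld[:i] + tld[i + 1] + tld[i] + tld[i + 2:]
            variants.setdefault(swapped, "transposition")
        for near in QWERTY_ADJACENT.get(ch, ""):
            # Neighbouring key hit instead of the intended one (.con, .cpm).
            variants.setdefault(tld[:i] + near + tld[i + 1:], "adjacent-key")
            # Neighbouring key hit as well as the intended one (.copm).
            variants.setdefault(tld[:i + 1] + near + tld[i + 1:], "extra-key")
    return variants


def risky_typos(tld, delegated=DELEGATED_TLDS):
    """Typos that resolve somewhere, i.e. that are themselves delegated TLDs."""
    return {v: cls for v, cls in typo_variants(tld).items() if v in delegated}


def tld_of(hostname):
    """Last DNS label, lower-cased, ignoring a trailing root dot."""
    return hostname.rstrip(".").lower().rsplit(".", 1)[-1]


def is_blocked(hostname, blocked_tlds):
    """Label-aware match: only the final label decides, never a substring."""
    return tld_of(hostname) in blocked_tlds


if __name__ == "__main__":
    risky = risky_typos("com")
    print("typos of .com that are real TLDs:", risky)
    # Whether to block all of them is a policy choice; the thread argues
    # for .cm because an intentional visit is unlikely for most users.
    blocked = {"cm"}
    for host in ("example.cm", "Example.CM.", "example.cm.evil.com", "example.com"):
        print(host, "->", "blocked" if is_blocked(host, blocked) else "allowed")
```
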

  22. Wow, another reference to Cameroon! by motherpusbucket · · Score: 1

    I have not heard that country mentioned since Eddie Murphy disguised himself as an exchange student from Cameroon in 'Trading Places' back in the 80's.

    --
    "You can't really dust for vomit" --Nigel Tufnel