Security Experts:

Authorities Disrupt Massive Botnet in International Cybercrime Bust

Estonian Cybercrime Group Infected More Than 4M Computers with DNS Changing Malware 

The FBI and international authorities have disrupted a massive cybercrime scheme that infected more than four million computers with malware, and generated an estimated $14 million for a group of cybercriminals over a period of several years.

Operation Ghost Click The announcement came following a two-year investigation of a cybercriminal gang based in Estonia, and resulted in the arrest of six of individuals in Estonia by Estonian authorities. The U.S. Attorney’s Office said it would seek their extradition to the United States. A seventh defendant, a Russian national, remains at large, the FBI said.

During the operation, dubbed “Operation Ghost Click”, the FBI raided data centers in New York City and Chicago, taking down more than 100 servers that made up the command & control (C&C) infrastructure to support the massive botnet operation.

Trend Micro, which provided support to the FBI during its investigation, shared some additional details yesterday, saying it had known who was behind the operation since 2006. “We, at Trend Micro knew what party was most likely behind the DNS Changer botnet since 2006,” said Feike Hacquebord Senior Threat Researcher at Trend Micro in a blog post. “We decided to hold certain data and knowledge we had from publication in order to allow the law enforcement agencies to take legal action against. Now that the main perpetrators have been arrested and the botnet has been taken down, we can share some of the detailed intelligence we gathered in the last 5 years.”

To carry out the scheme, the cybercriminals (ahem.. allegedly) installed malware designed to modify the DNS server settings on infected systems. Once victims’ computers became infected with the malware, when they attempted to visit certain Web sites, their Web browsers would be re-routed to other Web sites and servers, and presented with ads that the criminals profited from through “click hijacking” and “advertising replacement fraud” schemes.

As alleged in the indictment, from 2007 until October 2011, the defendants controlled and operated various companies that masqueraded as legitimate publisher networks, typically getting paid when infected users clicked on the links or viewed online ads as a result of its malware being installed.

Examples of the “click hijacking” tactics used by the defendants, illustrated in the Indictment include:

▪ When the user of an infected computer clicked on the domain name link for the official website of Apple-iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software.

▪ When the user of an infected computer clicked on a domain name link for Netflix, the user was instead taken to a website for an unrelated business called “BudgetMatch.”

▪ When the user of an infected computer clicked on the domain name link for the official government Web site of the Internal Revenue Service, the user was instead taken to the website for H&R Block, a major tax preparation business.

Using the DNS Changer Malware and rogue DNS servers, the defendants also replaced legitimate ads on Web sites with substituted advertisements that also resulted in them generating advertising revenue. Examples of the advertising replacement fraud described in the Indictment include:

▪ When the user of an infected computer visited the home page of the Wall Street Journal, a featured advertisement for the American Express “Plum Card” had been fraudulently replaced with an ad for “Fashion Girl LA.”

▪ When the user of an infected computer visited the website, a prominent advertisement for Windows Internet Explorer 8 had been fraudulently replaced with an ad for an email marketing business.

▪ When the user of an infected computer visited the ESPN website, a prominent advertisement for “Dr. Pepper Ten” had been fraudulently replaced with an ad for a timeshare business.

The malware also interfered with the installation of anti-virus products, and operating system updates, leaving those infected more even more exposed to other forms of malware and attacks.

The FBI said some of the systems infected included those belonging to U.S. government agencies, such as NASA, educational institutions, non-profit organizations and commercial businesses.

According to the FBI, as a result of these fraudulent advertising schemes, the defendants and co-conspirators earned at least $14 million. The Indictment further alleges that the defendants laundered the proceeds of the scheme through numerous companies including, among others, Rove Digital, an Estonian corporation, and others listed in the Indictment.

According to Trend Micro, Rove Digital was the mother company of several others, including Esthost, Estdomains, Cernel, UkrTelegroup and others. “Rove Digital is a seemingly legitimate IT company based in Tartu with an office where people work every morning. In reality, the Tartu office is steering millions of compromised hosts all over the world and making millions in ill-gained profits from the bots every year,” Hacquebord said.

Vladimir Tsastsin, RoveDigital EstoniaHacquebord provided some additional background and details on the group in his blog post on Wednesday:

Esthost, a reseller of webhosting services, was in the news in the fall of 2008 when it went offline at the time its provider Atrivo in San Francisco was forced to go offline by actions of private parties. Around the same time a domain registrar company of Rove Digital, called Estdomains, lost its accreditation from ICANN because the owner, Vladimir Tsastsin, was convicted of credit card fraud in his home country, Estonia.

These actions were the result of public pressure that arose from the suspicion that Esthost was mainly serving criminal customers. Rove Digital was forced to stop the hosting services offered by Esthost, but it continued with its criminal activities. In fact those behind Rove Digital learned their lesson, and they spread the C&C infrastructure all over the world and moved a great deal of the servers previously hosted at Atrivo to the Pilosoft datacenter in New York City where they already had some servers running.

In 2008, it was widely known that Esthost had many criminal customers. Not publicly known was that Esthost and Rove Digital were heavily involved in committing cybercrime.

Trend Micro also noted that Rove Digital had been running a FAKEAV / rogue DNS affiliate program called Nelicash. "We were able to download a schema of the infrastructure for the FAKEAV part. From a Nelicash C&C server we discovered data on victims who bought fake AV software," they said.

U.S. authorities froze the defendants’ financial accounts and coordinated with their foreign counterparts to freeze assets located in other countries.

The FBI said that they were able to replace the rogue DNS servers with legitimate ones, as remediation efforts were immediately needed to minimize any disruption of Internet service to the users of computers infected with the Malware. Because the infected computers had been set to use the groups rogue DNS servers, once they are taken offline the users would be left in the dark with no DNS server to translate their queries.

Internet Systems Consortium (“ISC”) was appointed by the court to administer the replacement DNS servers for a period of 120 days. While the replacement DNS servers will keep users connected, it won’t help remove the malware.

To see if you may have been a victim of the scheme, the FBI created an online tool where users can check their DNS settings against its database to see if their DNS server settings may have been tampered with. Regardless, users should always be sure an up-to-date anti-virus product from a reputable vendor in installed. If you have been a victim, you can register and tell the FBI here.

Earlier this week, it was reported that millions of people in Brazil were potentially been exposed to malware as a result of a nationwide DNS attack. After being compromised remotely, scores of routers and modems had their DNS settings altered to redirect traffic.

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.