Clean-up begins after biggest ever botnet takedown

Ghost (Click) Busters


A clean-up operation following the takedown of what has been described as the biggest cyber-scam ever has begun.

Six Estonian suspects have been charged, and one Russian suspect remains at large, over a malware-based DNS changer scam that affected 4 million PCs worldwide, generating an estimated $14m in the process. The botnet – spread over 100 countries – was used to hijack browsing on infected machines in order to redirect users towards sites under the control of cyber-crooks, instead of the locations they were actually trying to visit. The technique was used to run click-fraud scams, to punt scareware at unwitting victims and to promote unlicensed pharmaceutical stores, among other scams that ran for almost five years since early 2007.

Fraudulent web pages appeared when victims attempted to visit Netflix, the US Internal Revenue Service, Apple's iTunes and other services. Infected Windows PCs and Mac machines were roped into the scam, as explained in our earlier story here.

Details of the two-year FBI-led investigation, codenamed Operation Ghost Click, were announced in New York on Wednesday after a federal indictment was unsealed. The FBI worked with the National High Tech Crime Unit of the Dutch National Police Agency on the case as well as security industry partners and academics. Trend Micro, Team Cymru, Georgia Tech University, Mandiant, Neustar, Spamhaus, University of Alabama at Birmingham and others formed the DNS Changer Working Group (DCWG) that figured out how the scam was operating and assisted law enforcement in its investigation.

Trend Micro has published a detailed write-up of how the scam worked from a technical perspective, and of the shady firms involved, here.

As a result of the investigation, six suspected cyber-crooks were arrested in Estonia. Many are linked to Rove Digital, the Estonian firm at the centre of the probe, whose principals previously ran Esthost, an unsavoury reseller of web hosting services that was taken offline in 2008.

Botnet army commanded by 100 servers

The US has applied for extradition warrants against the six Estonian suspects, including Vladimir Tsastsin, 31, chief exec of Rove Digital. In the meantime a clean-up operation is getting under way.

US authorities seized computers and rogue DNS servers at various locations. The rogue DNS servers will be replaced by legitimate servers, a move that will mean that those infected with the malware will realise that something is wrong. The command & control (C&C) infrastructure behind the scam included more than 100 servers.

In a parallel move, Dutch police have advised RIPE (the Regional Internet Registry of Europe and the Middle East) to not change the registration of four specific blocks of IPv4 addresses until next March.

Simply swapping out DNS servers will not remove the DNSChanger malware — or other viruses it may have facilitated — from infected machines. The FBI wants DNSChanger victims to notify them about infections, a move seemingly designed to strengthen its hand in upcoming extradition proceedings against the accused.

The FBI has published an online tool designed to allow concerned punters to check if their DNS server settings have been tampered with. Advice on how to use the tool, which involves checking settings on your machine prior to entering DNS details, as well as links to Trend Micro's freebie anti-malware scanner, can be found in a blog post by Rik Ferguson here. ®
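The check the FBI tool performs amounts to reading the resolver addresses configured on a machine and comparing them against the address blocks the rogue DNS servers lived in. The following is an added Python example, not code from the article, the FBI or Trend Micro; it parses both a Unix/Mac `resolv.conf` and a Windows `ipconfig /all` excerpt (both constructed samples) and flags any resolver that falls inside a blocklist. Because the article says four IPv4 blocks were frozen but does not list them, the blocklist below uses placeholder TEST-NET ranges, which is an assumption for illustration only.

```python
import ipaddress
import re

# Constructed placeholder ranges. The article says Dutch police asked RIPE to
# freeze four IPv4 blocks but does not list them, so these documentation-only
# TEST-NET ranges stand in for a real blocklist (assumption, not the real ranges).
ROGUE_RESOLVER_BLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample inputs: a resolv.conf and a Windows "ipconfig /all" excerpt.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search example.internal
nameserver 203.0.113.57
nameserver 9.9.9.9
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   DNS Servers . . . . . . . . . . . : 198.51.100.9
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_nameservers(text):
    """Extract configured resolver IPv4 addresses from resolv.conf or ipconfig text."""
    servers = []
    collecting = False  # True while reading continuation lines of a "DNS Servers" entry
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if not stripped:
            collecting = False
            continue
        if stripped.lower().startswith("nameserver"):
            m = IPV4_RE.search(stripped)
            if m:
                servers.append(m.group(1))
            continue
        if "DNS Servers" in stripped:
            collecting = True
            m = IPV4_RE.search(stripped.split(":", 1)[-1])
            if m:
                servers.append(m.group(1))
            continue
        if collecting:
            # ipconfig lists extra resolvers as indented lines holding only an address
            if IPV4_RE.fullmatch(stripped):
                servers.append(stripped)
            else:
                collecting = False
    return servers


def check_resolvers(text, rogue_blocks=ROGUE_RESOLVER_BLOCKS):
    """Return (resolver, matching_block_or_None) for every resolver found in text."""
    findings = []
    for server in parse_nameservers(text):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "unparseable"))
            continue
        hit = next((str(b) for b in rogue_blocks if ip in b), None)
        findings.append((server, hit))
    return findings


def suspicious_resolvers(text, rogue_blocks=ROGUE_RESOLVER_BLOCKS):
    """Only the resolvers that sit inside a listed rogue block."""
    return [server for server, hit in check_resolvers(text, rogue_blocks) if hit]


if __name__ == "__main__":
    for label, sample in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        for server, hit in check_resolvers(sample):
            verdict = f"matches rogue block {hit}" if hit else "not in blocklist"
            print(f"{label}: {server} -> {verdict}")
```

A match only tells you the machine's resolver settings point into a known-bad range; as the article notes, restoring the settings does not remove the DNSChanger malware or anything it installed, so a hit is a prompt to run a scanner, not the end of the clean-up.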

Biting the hand that feeds IT © 1998–2022