How the most massive botnet scam ever made millions

Computer, engineering, and other technical assistance.

Moderators: genlock, sportsvoice

Post Reply
Posts: 2060
Joined: Mon Sep 05, 2005 10:30 am

How the most massive botnet scam ever made millions

Post by CoolBreeze » Fri Nov 11, 2011 8:06 am

More details have emerged about how the seven alleged Estonian and Russian hackers indicted by the US Wednesday managed to hijack over 4 million computers worldwide—many of them at government agencies and large companies—and rake in over $14 million from legitimate businesses. The scheme, which dates back to 2007, made use of a common botnet trojan to divert Web traffic from its intended destination to that of advertisers who paid for traffic delivery—thinking that it was being provided through paid links.

The malware at the center of the scam, called "Operation Ghost Click" by the FBI, is the DNSChanger botnet. It is a trojan that, once installed on a system, redirects its Domain Name Service requests to a server and effectively takes control of all of the outbound Internet traffic from the infected system. The trojan also seeks other systems on the local network that use the Dynamic Host Configuration Protocol (DHCP) and attempts to change their DNS settings, thereby taking control of computers on the LAN that haven't been infected.

The botnet and DNS servers were controlled by Rove Digital—an Estonian company that has made millions off botnets—and its hosting subsidiary Esthost. Trend Micro senior threat researcher Feike Hacquebord wrote in a blog post that his company had known the identity of the company controlling the DNS Changer botnet since 2006, but had held off on publishing the information to allow law enforcement to take action.

Rove Digital had also been operating a fake antivirus scam "affiliate program" called Nellicash, through which it sold information stolen from victims of FAKEAV downloads. And the company even operated its own domain registrar, Estdomains—until it was taken down in 2008 when it lost ICANN accreditation after Rove Digital CEO Vladimir Tsastsin was convicted of credit card fraud in Estonia.

DNSChanger has been a known threat for years; its installer is disguised as a codec required for watching website video content, and has been spread widely through pornographic websites. "Victims’ computers became infected with the Malware when they visited certain websites or downloaded certain software to view videos online," the FBI stated in its release on the case. The DNSChanger botnet can affect both PCs and Apple computers. (An explanation of just how a porn-site trojan ended up on hundreds of NASA and other government computers was not part of the government's statement on the case.)

Wednesday, Estonian police arrested Tsastsin and five others at Rove Digital, and authorities in the US disabled the command-and-control network, including rogue DNS servers in New York and Chicago. Because the DNS servers are still providing name resolution for millions of infected computers, the FBI commissioned Internet Systems Consortium to replace them with legitimate DNS servers so that users' Internet access would not be interrupted.

The easiest way to tell if your system has been infected by DNSChanger is to check the IP address for the DNS server in your computer's network settings. The FBI has provided a Web tool for users to check if their DNS server is one of the rogue servers, and provided a list of their IP addresses: through through through through through through

If your computer is configured with a DNS server with an IP address in those ranges, congratulations: you've been infected. Contact the FBI to register as a victim of the DNSChanger botnet

Web Tool ... -rogue-DNS
"I know I've got a lot against me: I'm White, I'm Protestant, I'm hard working. Don't you have an Amendment to protect me"? Archie Bunker

Post Reply