Operation Ghost Click: FBI bags crime ring responsible for $14 million in losses

Published: 2011-11-09. Last Updated: 2011-11-09 22:37:14 UTC
by Russ McRee (Version: 1)
5 comment(s)

Source: http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911

The FBI has unsealed a federal indictment that includes details of the two-year FBI investigation called Operation Ghost Click, as announced today in New York.
The article describes the arrest of six Estonian nationals who have been charged with "running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry."

The FBI offers details on determining if you've been affected by DNSChanger in this PDF.
This cybercrime ring used "DNSChanger to redirect unsuspecting users to rogue servers controlled by the cyber thieves, allowing them to manipulate users’ web activity."

The DNS Changer Working Group (DCWG), with cooperation from SANS handlers, will be publishing more details soon as they have been closely monitoring this class of malware.
As you may well be aware, several different malware families have modified DNS to redirect customer traffic in the past, including Zlob and others. This particular version uses TDSS and possibly other malware; while it has been installed in many different ways, it isn't a single malware, but more a class of malware that exhibits certain characteristics.

ISC handlers have published many diaries over the years about various DNSChanger malware including a recent Mac version:

New Mac Trojan: BASH/QHost.WB

(Minor) evolution in Mac DNS changer malware

DNS changer Trojan for Mac (!) in the wild

ISC Handler Donald Smith, who provided the details for this diary entry, advises that:
"ISPs and corporations that wish to assist their customers can route the rogue space to their resolvers and NAT/PAT from the rogue DNS space to their resolver space; their resolvers will answer the query, the answer gets re-NAT/PAT, and the customers get the correct DNS response. Add logging and you have a list of infected customers." It is recommended though that you "be extremely careful in what you consider rogue address space and how long you keep things considered as such: that's the tricky part." [Swa Frantzen]
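The logging step above is where the list of infected customers comes from. As an added example (not ISC's or the handlers' code), here is a small Python script that reads firewall-style flow log lines, keeps only DNS traffic (port 53) headed for the rogue resolver blocks, and reports which internal hosts sent it; each rogue block carries a review date so that it is not treated as rogue indefinitely. The rogue ranges, the log lines and the log format are constructed placeholders (RFC 5737 documentation space), not the real DNSChanger address space.

```python
"""Turn DNS-to-rogue-resolver log lines into a list of infected hosts.

Added example, not ISC's code. The rogue ranges and log lines are CONSTRUCTED
placeholders (RFC 5737 documentation space), not the real DNSChanger ranges;
use the blocks published by the FBI/DCWG instead.
"""
import ipaddress
import re
from datetime import date

# Hypothetical rogue resolver blocks, each with a review date so that a block
# is not treated as rogue indefinitely (the "tricky part" Swa Frantzen notes).
ROGUE_RANGES = [
    (ipaddress.ip_network("198.51.100.0/24"), date(2012, 3, 8)),
    (ipaddress.ip_network("203.0.113.0/24"), date(2012, 3, 8)),
]

# Constructed firewall-style flow log: timestamp, protocol, src:port -> dst:port.
SAMPLE_LOG = """\
2011-11-09T20:01:02Z UDP 10.0.0.12:51234 -> 198.51.100.7:53
2011-11-09T20:01:05Z UDP 10.0.0.12:51240 -> 198.51.100.7:53
2011-11-09T20:01:09Z UDP 10.0.0.44:40001 -> 192.0.2.53:53
2011-11-09T20:02:11Z TCP 10.0.0.9:55555 -> 203.0.113.200:443
2011-11-09T20:02:30Z UDP 10.0.0.9:52000 -> 203.0.113.10:53
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_rogue(addr: str, as_of: str) -> bool:
    """True if addr lies in a rogue block whose review date (ISO) has not passed."""
    ip = ipaddress.ip_address(addr)
    today = date.fromisoformat(as_of)
    return any(ip in net and today <= until for net, until in ROGUE_RANGES)


def infected_hosts(log_text: str, as_of: str) -> dict:
    """Map each source IP to the rogue resolvers it sent DNS (port 53) traffic to."""
    hits: dict = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dport"] != "53":
            continue  # non-DNS traffic to the range (203.0.113.200:443) is ignored
        if is_rogue(m["dst"], as_of):
            hits.setdefault(m["src"], set()).add(m["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}
```

Running `infected_hosts(SAMPLE_LOG, "2011-11-09")` on the constructed log flags 10.0.0.12 and 10.0.0.9 but not 10.0.0.44, whose resolver is outside the rogue blocks; once the review date has passed the same log yields no hits, which is the point of dating the ranges.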

Finally, thanks to a coordinated effort of trusted industry partners, a mitigation plan commenced today to replace rogue DNS servers with clean DNS servers to keep millions online, while providing ISPs the opportunity to coordinate user remediation efforts. Such an effort means that those infected with DNSChanger, who otherwise would have had no DNS and basically no Internet ability, still get to use the Intarwebs. :-)

Stay tuned for more, and feel free to share your experiences with DNSChanger via comments.

Keywords: DNSChanger

Comments

Can someone please provide at least the destination IP addresses of the rogue DNS servers? I would like to be able to check my FW logs.
Here is a German URL that has IPs:

http://www.heise.de/newsticker/meldung/Operation-Ghost-Click-FBI-nimmt-DNSChanger-Botnetz-hoch-1376540.html
Primary source:

http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
Andre reminded us of OS X DNS Changers part three as well.
http://isc.sans.edu/diary.html?storyid=5390 as a related story of interest.
English version of the German article.

http://www.h-online.com/security/news/item/Operation-Ghost-Click-FBI-busts-DNSChanger-botnet-1376746.html