DNS Changer botnet smashed in major cyber crime bust

A botnet that is thought to have earned its controllers $14 million is dismantled.


A botnet sitting on more than four million computers has been taken down by the FBI, with six suspects arrested.

Two datacentres in New York and Chicago were raided and over 100 servers taken offline as the botnet's infrastructure was dismantled under Operation Ghost Click.

Machines in over 100 countries were infected with the DNS Changer malware, which silently changed systems' DNS settings to point at rogue DNS servers controlled by the attackers.


This allowed the attackers to point victims to malicious IP addresses when users visited certain domains. When redirected in this way, users are at risk of getting yet more malware on their systems.

The FBI said 500,000 machines in the US were infected, including government and NASA computers. The malware also prevented anti-virus installation and OS updates.

Six Estonian nationals were arrested under suspicion of running the illegal campaign, whilst another suspect, Russian Andrey Taame, is still at large, the FBI said.

It is believed they monetised the operation by inserting ads onto websites or forcing people to visit certain web pages. The perpetrators would get money for every click on an advertisement, or each time a victim was redirected to a particular site. They were able to acquire $14 million along the way, the FBI said.

In one example included in the FBI indictment, an infected user clicked on a link for the official Apple iTunes website, only to be taken to a website unaffiliated with the tech giant that purportedly sold its wares.

Trend Micro, which helped supply information to the FBI on DNS Changer, hailed the law enforcement operation as the "biggest cyber criminal takedown in history."

"It's not the biggest botnet in terms of bots and that's why the headlines don't say the biggest botnet takedown in history," Rik Ferguson, director of security research at Trend, told IT Pro.

"We've seen botnet takedowns in the past and what you're actually getting rid of, although the activity is commendable and it should continue, is a symptom. What we've managed to achieve here, in working in partnership with the FBI, Team Cymru and the other partners, is that we've managed to dismantle the infrastructure we've managed to disrupt the entire criminal operation."

There have been a number of significant botnet takedowns in recent months, including Rustock and Kelihos, both of which were taken apart thanks to collaborative work led by Microsoft.

Ferguson believes the DNS Changer case has shown the war on botnets does not require Microsoft to lead the way.

"The fight against cyber crime and effective cooperation with law enforcement isn't dependent on any one company," Ferguson added. "The whole industry welcomes these kinds of successes."

He revealed Trend is continuing to work with law enforcement on various other cases.

Who was running it?

An Estonian company known as Rove Digital, a seemingly legitimate IT company, was allegedly responsible for controlling the DNS Changer botnet, Trend revealed in a blog post.

Vladimir Tsastsin, one of those arrested by the FBI and who had previously been convicted of credit card fraud in Estonia, was the owner of one of Rove's domain registrar companies called Estdomains, Trend explained.

Another of Rove's companies called Esthost was asked to cease activities in 2008 after many believed it was hosting criminal activities, but it continued to operate. Once Rove recognised law enforcement was on its back, it moved the command and control infrastructure across the world, shifting many of its servers to New York.

Trend claimed Esthost and Rove Digital were also spreading fake anti-virus and Trojan clickers, as well as "selling questionable pharmaceuticals" amongst other cyber crimes.

Each defendant has been charged with five counts of wire and computer intrusion crimes. Tsastsin has been charged with an additional 22 counts of money laundering.

"Today, with the flip of a switch, the FBI and our partners dismantled the Rove criminal enterprise," said Janice Fedarcyk, the FBI's New York assistant director in charge.

"Thanks to a coordinated effort of trusted industry partners, a mitigation plan commenced today, beginning with the replacement of rogue DNS servers with clean DNS servers to keep millions online, while providing ISPs the opportunity to coordinate user remediation efforts."

Whilst the rogue DNS servers have been replaced, many may still be infected. Head here to learn about how to check if your system is part of the DNS Changer botnet.
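The check described in this article amounts to comparing the resolvers a machine is actually configured to use against the address ranges of the rogue DNS servers. The following is an added example, not code from the article or from any of the organisations it names: it parses resolver settings from either a Unix /etc/resolv.conf or the output of Windows `ipconfig /all`, and flags any resolver that falls inside a list of rogue ranges. The CIDR ranges and the sample configurations in the block are constructed placeholders (documentation address space); the article does not list the real rogue ranges, so they would have to be substituted from the takedown partners' published list.

```python
import ipaddress
import os

# Placeholder CIDR ranges standing in for the rogue resolver addresses the
# malware pointed victims at. These are constructed for this example (TEST-NET
# documentation space), not the real DNS Changer ranges; replace them with
# the ranges published by the takedown partners.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def _as_ip(token):
    """Return an ip_address for token, or None if it is not a valid address."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def parse_resolvers(text):
    """Collect configured resolver addresses from either resolv.conf-style
    text ("nameserver 1.2.3.4") or `ipconfig /all` output
    ("DNS Servers . . . : 1.2.3.4" followed by indented continuation lines)."""
    resolvers = []
    in_windows_dns_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop resolv.conf comments
        if not line.strip():
            in_windows_dns_block = False
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            ip = _as_ip(parts[1])
            if ip:
                resolvers.append(ip)
            continue
        if "DNS Servers" in line and ":" in line:
            # Label is "DNS Servers . . . :" so the first colon ends it.
            ip = _as_ip(line.split(":", 1)[1])
            if ip:
                resolvers.append(ip)
            in_windows_dns_block = True
            continue
        if in_windows_dns_block and line.startswith(" "):
            ip = _as_ip(line)
            if ip:
                resolvers.append(ip)
                continue
        in_windows_dns_block = False
    return resolvers


def find_rogue_resolvers(resolvers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the configured resolvers (as strings) that sit in a rogue range."""
    return [str(ip) for ip in resolvers if any(ip in net for net in rogue_ranges)]


# Constructed samples: one legitimate resolver plus one inside a placeholder range.
SAMPLE_RESOLV_CONF = """# constructed resolv.conf sample
nameserver 192.0.2.53
nameserver 203.0.113.7
"""

SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 198.51.100.10
                                       192.0.2.53
"""


def audit_host(path="/etc/resolv.conf"):
    """Audit this machine's resolver file; fall back to the constructed sample
    when the file is absent (on Windows, feed `ipconfig /all` output instead)."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RESOLV_CONF
    return find_rogue_resolvers(parse_resolvers(text))


if __name__ == "__main__":
    for label, sample in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        hits = find_rogue_resolvers(parse_resolvers(sample))
        print(f"{label}: rogue resolvers -> {hits or 'none'}")
```

A hit means the host's DNS settings were rewritten and the machine should be treated as infected until cleaned and its resolvers reset; an empty result only clears the configured-resolver check, since a router whose settings were changed would still steer every host behind it to the rogue servers.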
