DNS changer botnet taken down by FBI

The two year long Operation Ghost Click takes down 4 million computer botnet
Kerry Butters
malware

The FBI have taken down a botnet thought to have infected 4 million computers worldwide with a DNS-changing trojan.

Six Estonian nationals have been arrested and charged following a two-year joint operation by Estonian and US officials, called Operation Ghost Click.

More than 100 servers in New York and Chicago have also been seized and replaced with legitimate servers to ensure that infected computers can still access the internet.

It is thought that the botnet was used to redirect surfers to bogus web pages, which let the controllers manipulate the internet advertising industry and earn more than $14 million in fees.

The indictment, said Janice Fedarcyk, assistant director in charge of the FBI New York office, “describes an intricate international conspiracy conceived and carried out by sophisticated criminals.”

“The harm inflicted by the defendants was not merely a matter of reaping illegitimate income,” she added.

The criminals' operation began in 2007, and the malware is thought to have affected computers in more than 100 countries, including 500,000 in the US.

“They were organized and operating as a traditional business but profiting illegally as the result of the malware,” said an agent who worked on the case.

“There was a level of complexity here that we haven’t seen before.”

On infected computers, the malware changed the DNS settings so that name lookups were answered with foreign IP addresses, guiding users to potentially malicious websites.

This allowed the botnet controllers to replace advertisements on pages as they loaded, hijack search results and install more malware.

The malware was also capable of disabling updates for AV software so that it remained undetected, which also meant that other malware could be installed without the victim's knowledge.
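The infection described above shows up as a resolver the network never handed out. The following check is an added example, not code from the article, the FBI or Trend Micro: it parses resolv.conf-style settings and flags any nameserver outside an allowlist of expected resolvers. The allowlist and the sample file are constructed placeholders using documentation address ranges, not the real rogue DNS addresses from the case.

```python
"""Flag configured DNS resolvers that fall outside an allowlist.

Added example (not from the article): a DNS changer rewrites the victim's
resolver settings, so comparing the configured nameservers against the
resolvers the network is supposed to use is a simple detection.
"""
import ipaddress
import os
import re

# Constructed allowlist: the resolvers this network is expected to hand out.
# Replace with your own DHCP-assigned or corporate resolver ranges.
EXPECTED_RESOLVERS = [
    "192.0.2.0/24",     # RFC 5737 documentation range, placeholder
    "2001:db8::/32",    # RFC 3849 documentation range, placeholder
    "127.0.0.53/32",    # local stub resolver (e.g. systemd-resolved)
]

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comment lines and entries that are not valid IP addresses are ignored;
    an IPv6 zone id such as fe80::1%eth0 is stripped before parsing.
    """
    servers = []
    for match in _NAMESERVER_RE.finditer(text):
        raw = match.group(1).split("%")[0]
        try:
            servers.append(str(ipaddress.ip_address(raw)))
        except ValueError:
            continue
    return servers


def find_unexpected_resolvers(nameservers, allowed_networks=EXPECTED_RESOLVERS):
    """Return the configured resolvers that lie outside every allowed network."""
    networks = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    unexpected = []
    for server in nameservers:
        addr = ipaddress.ip_address(server)
        # ip_network.__contains__ is False across IPv4/IPv6, so no version check needed
        if not any(addr in net for net in networks):
            unexpected.append(server)
    return unexpected


# Constructed sample of a resolv.conf after a DNS-changing infection: the
# second entry is a resolver the network never assigned. 203.0.113.9 is a
# documentation address standing in for a rogue server, not a real indicator.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.53
nameserver 203.0.113.9
nameserver fe80::1%eth0
"""


def check_host(path="/etc/resolv.conf"):
    """Inspect the live resolver file if present; return the unexpected entries."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_unexpected_resolvers(parse_resolv_conf(fh.read()))


if __name__ == "__main__":
    print("sample:", find_unexpected_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
    print("this host:", check_host())
```

On the constructed sample the check reports `203.0.113.9` and `fe80::1`, since neither falls inside the allowed ranges; on a Windows host the same comparison would be run against the per-interface DNS servers rather than `/etc/resolv.conf`.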

The FBI worked in partnership with security specialists and AV software developer Trend Micro.

The security firm say they had known for years who was behind the botnet but withheld the details so that law enforcement officials could take action against the controllers.

The botnet controllers were a seemingly legitimate business known as Rove Digital working out of Tartu in Estonia.

Trend discovered that Rove Digital was not only hosting trojans but also controlling C&C servers and rogue DNS servers. It is also thought that the firm spread fake anti-virus software and was involved in the sale of “questionable pharmaceuticals” as well as other undisclosed crimes.

“The evidence we collected in the past years leaves no doubt of Esthost and Rove Digital’s direct involvement in cybercrime and fraud,” Trend said.

“In 2009 we obtained a copy of the hard drives of two C&C servers that replaced advertisements on websites when loaded by DNS Changer victims. On the hard drives we found public SSH keys of several Rove Digital employees,” they went on to explain.

“These keys allowed the Rove Digital employees to log in on the C&C servers without [a] password, but with their private key. From log files on the servers we were able to conclude that the C&C servers were controlled from Rove Digital’s office in Tartu.”

Trend went on to collect a large amount of evidence against the rogue firm, which they say “indicate[s] that Rove Digital is committing cybercrimes on a large scale indeed and is directly responsible for the large DNS Changer botnet.”

The FBI and Trend recommend that computer users who fear they may be affected by the DNS changer have their machine checked by a computer professional.
