Wednesday, November 09, 2011

Operation Ghost Click: DNSChanger Malware Ring Dismantled

Since 2007 computers around the internet have been suffering from a secret ailment. Sometimes when their owners clicked on a link, they didn't go where they were supposed to go! The problem was caused by a fairly simple piece of malware called a DNSChanger. This family of malware only does one thing -- it changes the DNS settings on your computer from the one that you are supposed to use, to one that a cyber criminal has chosen for you to use.

Today the FBI and NASA's Office of the Inspector General (NASA-OIG) announced "Operation: Ghost Click" and the arrests of six Estonian criminals who have been involved in this scam since 2007.

Those arrested by the Estonian Police and Border Guard Board were:

Vladimir Tsastsin, age 31
Timur Gerassimenko
Dmitri Jegorov
Valeri Aleksejev
Konstantin Poltev
Anton Ivanov

Andrey Taame, age 31, Russian, is still at large

We were especially pleased by the sidebar entitled "Success Through Partnerships".

A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.

Announcing today’s arrests, Preet Bharara, (above left) U.S. Attorney for the Southern District of New York, praised the investigative work of the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, and he specially thanked the National High Tech Crime Unit of the Dutch National Police Agency. In addition, the FBI and NASA-OIG received assistance from multiple domestic and international private sector partners, including Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham, and members of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG).

The Manhattan U.S. Attorney's office released a much more detailed announcement with the headline Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business:
Malware Secretly Re-Routed More Than 4 Million Computers, Generating at Least $14 Million in Fraudulent Advertising Fees for the Defendants

Congratulations to all who were involved! Especially to the FBI's Botnet Threat Focus Cell, NASA's incredible Office of the Inspector General, the FBI's Southern District of New York office, and those who attended Bar-Con in 2009.

What is DNS? DNS, or Domain Name Services, is what tells your computer how to find the website you are looking for by turning the name you type, such as, into an IP address, such as For most users, this happens by asking the Name Server at your Internet Service Provider.

Pay Per Click Fraud

If you were infected by this DNSChanger malware, instead of asking your ISP for that information, you would be asking a criminal. MOST of the time the criminals would simply give you the same answer that your ISP would give you ... but whenever they wanted to make some extra money, they could tell your computer the wrong answer!

In an example taken from the indictment, an infected user goes to Google and types in "itunes". The first link that they are returned shows the destination "" which the real Apple website where someone can download the iTunes software.

(source: Tsastsin Indictment)

When an infected computer clicks the link, the user's computer would go to the criminal's nameserver who would send them to the wrong computer. In this case, instead of going to "" the user is sent to "" which looks just like the Apple store, but which charges your credit card to sell you iTunes! The criminals received a payment each time they sent someone to this fake websites.

In other examples, the company where the traffic is sent to is a legitimate company. For example, H&R Block, the Tax preparation people, have an affiliate program. If you have a website, you can put an ad on your website that advertises the H&R Block website. If people click on your ad, you might receive a tiny amount of money, and if they buy something at the H&R website, you might receive a larger amount of money. Instead of advertising, the criminals made a link that redirected you to the H&R Block website if you tried to visit So, because you were using the criminal's nameserver, if you typed or clicked on "" you could be redirected to H&R Block, earning an "affiliate payment" for the criminals!

Ad Replacement

The other way the criminal earned money was to replace your ads with their ads. How does that earn money? The most common way is that when your computer is told to go get an advertisement from a certain website, such as Google or Bing or Yahoo, instead of showing you the advertisement from those organizations, it would show you an ad from an organization that was run by the criminal instead.

In an example for the court documents, a visitor to ESPN's webpage should have seen an advertisement for Dr. Pepper. But when the infected computer visited the webpage, the criminal's nameserver redirected the request to an advertisement for a timeshare instead!

More than 4 million computers in 100 countries, including 500,000 computers in the United States were infected with this malware. The earnings generated by these young men from the false advertisements exceeded $14 Million Dollars!

Blocking Antivirus

In addition to using the nameserver to send false advertisements, the criminals also used the nameserver to stop infected computers from being able to reach their anti-virus vendors. This prevented the user from being able to install new anti-virus products or to update the definitions on their existing anti-virus products. If the computer attempted to visit any major anti-virus, it would simply give an error saying the server was unavailable.

The Charges

All the criminals are charged with:
1. Wire fraud conspiracy
2. Computer intrusion conspiracy
3. Wire fraud
4. Computer intrusion (furthering fraud)
5. Computer intrusion

In addition, the ringleader, Vladimir Tsastsin was charged with:
6. Money laundering
7. Engaging in monetary transactions of value over $10,000 involving fraud proceeds.

So, Are you infected?

The Protective Order associated with this case lists the IP addresses involved in the fake nameserver business. through through through through through through

The FBI has provided a helpful document that explains how to check your DNS settings to see whether you are using one of these "Rogue DNS Servers". See DNSChanger Malware.

If your IP address is on the list, you are encouraged to fill out the form Register as a Victim of DNS Malware.

The criminals used many different data centers, some of which were featured more prominently in the case than others.

Pilosoft, in New York City known as "The Manhattan Data Center" in the court documents.

ColoSecure, in Chicago, Illinois

ThePlanet, in Houston, Texas

Multacom Corporation, in Canyon County, California

Layered Technologies, in Plano, Texas

Network Operation Center, in Scranton, Pennsylvania

Wholesale Internet, in Kansas City, Missouri

SingleHop, in Chicago, Illinois

PremiaNet, in Las Vegas, Nevada

Interserver, in Secaucus, New Jersey

ISPrime, in Weehawken, New Jersey

Global Net Access, in Atlanta, Georgia

The Challenge

The big challenge faced by this case was this -- if the FBI were to simply "turn off" all of these nameservers, four million computers would no longer be able to find anything on the Internet! If your computer has been programmed by the DNSChanger malware to look up names using the criminals' nameserver, and that nameserver goes away, there is no "fall back" to use some other nameserver, your computer just stops being able to look up names! If that had happened, when you typed in "" your computer would say something like "No Such Server" or "Host Unknown". Then you couldn't play Farmville! How sad!

To address this challenge, the FBI filed a Protective Order that identified all of the Rogue DNS Servers, and assigned the IP addresses belonging to those servers to the Internet Systems Consortium, or ISC. ISC established "replacement DNS servers" that would behave properly, and replaced all of the "Rogue DNS servers" with properly configured DNS servers. After this was accomplished, none of the infected computers would be redirected to the wrong content anymore, and they would once again be able to update their anti-virus software.

The other benefit of this action is that ISC is now in a position to be able to compile a list of the computers that have been infected. Each time a computer uses one of the formerly Rogue DNS servers, ISC will log that action so that we can have accurate knowledge of how many computers have been infected, and this class of victims can be offered assistance.

The Protective Order was approved by the Honorable William H. Pauly III on November 3rd in the Southern District of New York.

The Criminal Companies

The Estonian criminals controlled a number of corporations to enable this activity.

Rove Digital, in Estonia, was a software development company that created and managed the malware.

Tamme Arendus, also in Estonia, was a real estate development business that acquired most of Rove's assets.

SPB Group was the name of the company that leased the Manhattan Data Center from Pilosoft.

Cernel Inc, in California, Internet Path Limited, in New York, Promnet Limited, in Ukraine, ProLite Limited, in Russia, Front Communications, in New York, and others were involved with registering thousands of IP addresses that were used by the criminals for various activities.

Furox Aps (, Onwa Limited (, Lintor Limited ( and others were used to create and broker advertising deals which would be used in the Replacement Ad schemese.

Other Things You Must Read

TrendMicro's Malware Blog - EstHost Taken Down - Biggest Cybercriminal Takedown in History - An important link that must be pointed out. Vladimir Tsastsin, the CEO of Rove Digital, was also the CEO of EstHost, one of the first registrars to have its ICANN Accreditation pulled because of criminal activity.

TrendMicro: A Cybercrime Hub - this report, in August 2009, laid out the basics of the criminal activity that Trend had been able to identify. Industry contributions such as this are part of the "Partnership for Success" that the FBI spoke about today, and TrendMicro really lead the way on this case!

Brian Krebs authoritative journalism on Vladimir - "EstDomains: A Sordid History and a Storied CEO"

SpamHaus ROKSO file on Rove Digital - ROKSO File (Registry Of Known Spam Offenders) on Rove Digital

Newsweek calls Rove Digital one of the "Top Ten Spammers" -(December 2009).

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.