The FBI, together with authorities in Estonia, has pulled off the most important botnet takedown in history and arrested six Estonians behind a five-year-old scheme that generated upwards of $14 million in fraudulent online advertising revenue, according to the FBI and Trend Micro, one of the security companies involved in taking down the botnet.
Operation Ghost Click was executed Tuesday when officials from the FBI and the Estonian national police made the arrests in Tartu, Estonia, and simultaneously shut down data centers in New York and Chicago that served as the command-and-control infrastructure for the botnet.
Rove Digital, an Estonian Web host, was behind an expansive scheme that used malware called DNS Changer, which changed the Domain Name System (DNS) settings on infected computers to point to foreign IP addresses; the criminals were in control of 14,000 such illicit domains.
Infected machines were used to replace legitimate advertisements with ads the criminals were monetizing via click fraud. The DNS Changer botnet infected four million computers worldwide, including a half-million machines in the United States, the FBI said.
"The malware can be removed from machines using traditional antivirus software," said Trend Micro Advanced Threats Researcher Paul Ferguson. "But the problem is, that doesn't change the DNS settings back to where they should be." Ferguson said ISPs would have to help with the cleanup; the FBI has also provided a tool on its website that detects DNS Changer infections.
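The cleanup problem Ferguson describes, that removing the malware leaves the tampered DNS settings in place, is why a detection check has to look at the resolver configuration itself rather than at the malware. The following is an added example, not code from the article, the FBI or Trend Micro: it parses resolv.conf-style text (a constructed sample) and flags any nameserver that is not on an administrator's expected list or that falls inside a range the administrator has marked as rogue. The resolver addresses and the rogue range are placeholders chosen for the example, not the real DNS Changer infrastructure.

```python
"""Audit a host's configured DNS resolvers for DNSChanger-style tampering.

Added example, not part of the original article or of any FBI/Trend Micro tool.
It reads resolv.conf-style text (constructed sample below) and flags any
nameserver that is not on the administrator's expected list or that falls in a
range the administrator has marked as rogue. All IPs and ranges here are
placeholders chosen for the example, not the real DNS Changer infrastructure.
"""
import ipaddress
from typing import Dict, List

# Resolvers this host is expected to use (assumption: the ISP's or enterprise's own).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Ranges an administrator has flagged as rogue (placeholder; real indicator
# ranges would come from the ISP, the FBI's detection page or a threat feed).
ROGUE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed resolv.conf as it might look on a tampered host.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 198.51.100.7
nameserver 192.0.2.53
nameserver 203.0.113.9
"""


def parse_nameservers(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(server: str) -> str:
    """Label one resolver: 'expected', 'rogue', 'unexpected' or 'invalid'."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if str(addr) in EXPECTED_RESOLVERS:
        return "expected"
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue"
    return "unexpected"


def audit_resolvers(text: str) -> Dict[str, str]:
    """Map every configured nameserver to its classification."""
    return {server: classify(server) for server in parse_nameservers(text)}


def is_tampered(text: str) -> bool:
    """True when any configured resolver is rogue or not on the expected list."""
    return any(verdict != "expected" for verdict in audit_resolvers(text).values())


if __name__ == "__main__":
    for server, verdict in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{server:16} {verdict}")
    print("tampered:", is_tampered(SAMPLE_RESOLV_CONF))
```

Run against the sample, the script reports one rogue resolver, one expected one and one merely unexpected one, and marks the host as tampered. On Windows the same comparison would be made against the per-adapter DNS servers rather than resolv.conf, and the remediation, as the article notes, is to set the resolvers back to the ISP's or enterprise's own, which antivirus removal alone does not do.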
Ferguson said Trend Micro saw the first signs of DNS Changer infections in 2006 and alerted authorities. The attacks were traced to Rove Digital, a legitimate Estonian company on the surface that was in control of millions of compromised machines, redirecting them to sites hosting their illegitimate ads. Rove Digital was parent company to several illegal shell companies, Trend Micro said in a blog post today, including Esthost, which was taken down in 2008 when its San Francisco provider Atrivo was shut down. At that time, Rove Digital spread its C&C infrastructure around the world, including to the Pilosoft data center in New York.
"It was very profitable and very clever," Ferguson said. "They probably thought they were safe because there was no big target on their back such as others who are stealing bank accounts and using money mules to move money. They thought they were under the radar because they were monetizing and replacing ad revenue."
Years of investigative work culminated yesterday when officials arrested the six Estonians. The U.S. will seek to extradite them, the FBI said. Rogue DNS servers were seized in the raids in New York and Chicago; legitimate DNS servers were installed prior to the takedown to avoid interruption of Internet service for infected users, the FBI said.
"There was extensive coordination. The FBI got on a plane and along with Estonia national police executed the arrests early yesterday, local time," Ferguson said. "Slowly but surely, we're having successes in taking down criminals like this across jurisdictions. It's nice to have a win; it sends a message to those guys that simply because you're in Eastern Europe doesn't mean you're out of reach."