Internet Security

Operation Ghost Click: FBI bags crime ring responsible for $14 million in losses
Source: http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911 The FBI has unsealed a federal indictment that includes details of the two-year FBI investigation called Operation Ghost Click, as announced today in New York. The article describes the arrest of six Estonian nationals who have been charged with "running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry." The FBI offers details on determining if you've been affected by DNSChanger in this PDF. This cybercrime ring used "DNSChanger to redirect unsuspecting users to rogue servers controlled by the cyber thieves, allowing them to manipulate users’ web activity." The DNS Changer Working Group (DCWG), with cooperation from SANS handlers, will be publishing more details soon as they have been closely monitoring this class of malware. As you may well be aware, several different malware families modify DNS to redirect customer traffic in the past, including Zlob and others. This particular version uses TDSS and possibly other malware; while it has been installed in many different ways, it isn't a single malware, but more a class of malware that exhibits certain characteristics. ISC handlers have published many diaries over the years about various DNSChanger malware including a recent Mac version: New Mac Trojan: BASH/QHost.WB (Minor) evolution in Mac DNS changer malware DNS changer Trojan for Mac (!) in the wild ISC Handler Donald Smith, who provided the details for this diary entry, advises that: "ISPs and corporations that wish to assist their customers can route the rogue space to their resolvers and NAT/PAT from the rogue DNS space to their resolver space, their resolvers will answer the query and the answer gets re-NAT/PAT and the customers get the correct dns response. Add logging and you have a list of infected customers." It is recommended though that you "be extremely careful in what you consider rogue address space and how long you keep things considered as such: that's the tricky part." [Swa Frantzen] Finally, thanks to a coordinated effort of trusted industry partners, a mitigation plan commenced today to replace rogue DNS servers with clean DNS servers to keep millions online, while providing ISPs the opportunity to coordinate user remediation efforts. Such effort means that those infected with DNSChanger, who otherwise would have had no DNS and basically no Internet ability, still get to use the Intarwebs. :-) Stay tuned for more, and feel free to share your experiences with DNSChanger via comments.	Russ McRee 203 Posts ISC Handler Nov 9th 2011
Thread locked Subscribe	Nov 9th 2011 1 decade ago
Can someone please provide at least the destination IP addresses of the rogue DNS servers? I would like to be able to check my FW logs.	Anonymous
Quote	Nov 10th 2011 1 decade ago
Here is a German URL that has IPs: http://www.heise.de/newsticker/meldung/Operation-Ghost-Click-FBI-nimmt-DNSChanger-Botnetz-hoch-1376540.html	Jens 42 Posts
Quote	Nov 10th 2011 1 decade ago
Primary source: http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf	Jens 42 Posts
Quote	Nov 10th 2011 1 decade ago
Andre reminded us of OS X DNS Changers part three as well. isc.sans.edu/… as a related story of interest.	Russ McRee 203 Posts ISC Handler
Quote	Nov 10th 2011 1 decade ago
English version of the German article. http://www.h-online.com/security/news/item/Operation-Ghost-Click-FBI-busts-DNSChanger-botnet-1376746.html	Russ McRee 2 Posts
Quote	Nov 10th 2011 1 decade ago