Thursday, November 10, 2011

DNS Changer Malware / Operation Ghost Click

Trend Micro recently announced, along with the FBI, the dismantling of a cyber criminal gang based out of Estonia. The gang was allegedly responsible for compromising millions of computers and redirecting them to online ads through the implementation of rogue DNS servers.

Over four million computers across 100 countries had inadvertently downloaded malware onto their systems, many through installing what they thought was a needed codec to view certain movies online. Compromised systems would then have their DNS settings altered to use servers controlled by the gang, rerouting the end users to locations on the Internet they never intended to visit.

These locations contained ads which, upon click-through or even viewing, generated revenue for the gang, resulting in over $14 million made through advertising fraud. The U.S. Attorney's Office is seeking to extradite the gang for prosecution, likely due to the large number of U.S. government and business systems compromised by the gang and the fact that some of the rogue DNS servers were based in Chicago and New York.

DNS provides the IP address location of a website, so a user who types "google.com" into a browser is actually taken to "72.14.204.103" (or one of its other IP locations). By forcing a system to use a specific DNS server, as this gang did, users would receive false IP address locations for websites they were trying to visit or ads they normally would have viewed, benefiting the gang while not maliciously harming the user. Examples provided during the indictment of the six Estonian members of the gang included:

"When the user of an infected computer clicked on a domain name link for Netflix, the user was instead taken to a website for an unrelated business called 'BudgetMatch.'"

"When the user of an infected computer visited the home page of the Wall Street Journal, a featured advertisement for the American Express 'Plum Card' had been fraudulently replaced with an ad for 'Fashion Girl LA.'"

The malware which compromised these systems also prevented updates to anti-virus software and the operating system. This helped the malware stay on the compromised systems over an extended period of time. For those concerned that they may be compromised, the FBI has provided a document which aids in understanding the malware and how to check for changes to the DNS settings on your computer, for both Windows and Mac systems.
The FBI doc

In this document the IP address ranges of the known rogue DNS servers are listed, indicating server locations in Russia, Ukraine, U.S., and Amsterdam. You can see the ranges below:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

-Matt Sully
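
The check described above can be scripted. The following is an added example, not part of the original post or the FBI document: it pulls the configured DNS servers out of Windows `ipconfig /all` output or a `resolv.conf`-style file and reports any that fall inside the ranges listed above. The function names and the sample inputs are constructed for illustration.

```python
import ipaddress
import re

# Rogue DNS ranges exactly as listed on this page: (first address, last address).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
# Collapse each first/last pair into CIDR networks for membership tests.
ROGUE_NETWORKS = [
    net for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
]
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RESOLV_LINE = re.compile(r"^\s*nameserver\s+" + IPV4 + r"\s*$")
IPCONFIG_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*" + IPV4 + r"\s*$")
CONTINUATION = re.compile(r"^\s+" + IPV4 + r"\s*$")  # extra servers, indented

def extract_resolvers(text):
    """Return resolver IPs found in resolv.conf or `ipconfig /all` text."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        hit = RESOLV_LINE.match(line)
        win = IPCONFIG_LINE.match(line)
        cont = CONTINUATION.match(line) if in_dns_block else None
        in_dns_block = bool(win or cont)
        if hit or win or cont:
            found.append((hit or win or cont).group(1))
    return found

def rogue_resolvers(text):
    """Map each configured resolver inside a listed range to that range's CIDR."""
    hits = {}
    for addr in extract_resolvers(text):
        try:
            ip = ipaddress.IPv4Address(addr)
        except ipaddress.AddressValueError:
            continue  # matched the pattern but is not a valid address
        hits.update({addr: str(n) for n in ROGUE_NETWORKS if ip in n})
    return hits
# Constructed samples, not taken from a real host.
SAMPLE_IPCONFIG = ("   DNS Servers . . . . . . . : 85.255.112.36\n"
                   "                               192.168.1.1\n")
SAMPLE_RESOLV = "nameserver 8.8.8.8\nnameserver 64.28.191.255\n"
```

An empty result from `rogue_resolvers` only means none of the configured servers is in the six listed ranges; a router handing out a rogue resolver through DHCP would show up here only as the router's own address.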
