The FBI, along with authorities in Estonia, has achieved the largest botnet takedown in history and arrested six Estonians behind a five-year-old scheme that generated upwards of $14 million in fraudulent Internet advertising revenue, according to the FBI and Trend Micro, one of the security companies involved in taking down the botnet.
Operation Ghost Click was executed Tuesday when officials from the FBI and the Estonian national police made the arrests in Tartu, Estonia, and simultaneously shut down data centers in New York and Chicago that served as the command-and-control infrastructure for the botnet.
Rove Digital, an Estonian Web host, was behind an expansive scheme that used malware called DNS Changer, which altered the Domain Name System (DNS) settings on infected computers so that they resolved names through rogue servers at foreign IP addresses; the criminals were in control of 14,000 such illicit domains. Infected machines were used to replace legitimate advertisements with ads the criminals were trying to monetize via click fraud. The DNS Changer botnet infected four million computers worldwide, including a half-million machines in the United States, the FBI said.
“The malware can be removed from machines using traditional antivirus software,” said Trend Micro Advanced Threats Researcher Paul Ferguson. “But the problem is, that doesn’t change the DNS settings back to where they should be.” Ferguson said ISPs would have to help with the cleanup; the FBI has also provided a tool on its website that detects DNS Changer infections.
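The kind of check a DNS Changer detection tool performs, added here as an illustrative example (not the FBI's or Trend Micro's code): it reads a host's configured resolvers and flags any that fall inside a known-rogue netblock, which is exactly the condition that antivirus removal of the binary leaves behind. The netblocks below are constructed placeholders (TEST-NET addresses), not the real DNS Changer ranges, and the resolv.conf text is a constructed sample.

```python
import ipaddress

# Constructed placeholder netblocks standing in for the rogue-resolver
# ranges a real DNS Changer check would carry (not the actual list).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),      # TEST-NET-1, placeholder
    ipaddress.ip_network("198.51.100.0/24"),   # TEST-NET-2, placeholder
]


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text."""
    resolvers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                resolvers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue   # malformed entry, not a usable resolver
    return resolvers


def find_rogue_resolvers(resolvers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the resolvers (as strings) that sit inside a rogue netblock."""
    return [str(r) for r in resolvers if any(r in net for net in rogue_ranges)]


def check_host(resolv_conf_text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Classify a host's DNS settings as 'rogue' or 'clean'.

    A host stays 'rogue' after the malware itself is removed unless the
    resolver settings are restored, which is the cleanup gap described above.
    """
    flagged = find_rogue_resolvers(parse_resolvers(resolv_conf_text), rogue_ranges)
    return ("rogue" if flagged else "clean", flagged)


# Constructed sample: resolver settings as the malware would have left them.
SAMPLE_INFECTED = """\
# Generated by NetworkManager
nameserver 192.0.2.53
nameserver 198.51.100.7
search example.internal
"""
SAMPLE_CLEAN = "nameserver 10.0.0.1\nnameserver 10.0.0.2\n"

if __name__ == "__main__":
    print(check_host(SAMPLE_INFECTED))   # ('rogue', ['192.0.2.53', '198.51.100.7'])
    print(check_host(SAMPLE_CLEAN))      # ('clean', [])
```

On a real fleet the same comparison is run against the resolver addresses reported by each host's OS, and a 'rogue' result means the settings must be reset even when the antivirus scan comes back clean.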
Ferguson said Trend Micro saw the first signs of DNS Changer infections in 2006 and alerted authorities. The attacks were traced to Rove Digital, an Estonian company that appeared legitimate on the surface but was in control of millions of compromised machines, redirecting them to sites hosting its illegitimate ads. Rove Digital was parent company to several illegal shell companies, Trend Micro said in a blog post today, including Esthost, which was taken down in 2008 when its San Francisco provider Atrivo was shut down. At that time, Rove Digital spread its C&C infrastructure around the world, including to the Pilosoft data center in New York.
“It was very profitable and very clever,” Ferguson said. “They probably thought they were safe because there was no big target on their back such as others who are stealing bank accounts and using money mules to move money. They thought they were under the radar because they were monetizing and replacing ad revenue.”
Years of investigative work culminated yesterday when officials arrested the six Estonians. The U.S. will seek to extradite them, the FBI said. Rogue DNS servers were seized in the raids in New York and Chicago; legitimate DNS servers were installed prior to the takedown to avoid interruption of Internet service for infected users, the FBI said.
“There was extensive coordination. The FBI got on a plane and in conjunction with Estonia national police executed the arrests early yesterday, local time,” Ferguson said. “Slowly but surely, we’re having successes in taking down criminals like this across jurisdictions. It’s nice to have a win; it sends a message to these guys that just because you’re in Eastern Europe doesn’t mean you’re out of reach.”