Cyber Crime That Hit 4 Million Computers Busted

Jay Decenella, IT audit expert
November 10, 2011 /

The Federal Bureau of Investigation has arrested six Estonian nationals who were charged with running a sophisticated cyber ring that infected four million computers worldwide with a virus that enabled the cyber thieves to redirect Web browsers to their ads.

According to Fed, the malware called DNS Changer has rendered users of infected machines blind about the compromise perpetrated by Vladimir Tsastsin, Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev, and Anton Ivanvov.

These cyber criminals allegedly used DNSChanger to redirect unsuspecting users to rogue servers that they controlled, allowing them to manipulate users’ web activity. When users of infected computers clicked on the link for the official website of Amazon, for example, they were instead taken to a website for a business unaffiliated with the company.

The fraud did not only generate illicit profits for the cyber thieves, they deprived legitimate website operators and advertisers of substantial revenue, the FBI said.

“DNS Changer most often comes disguised as a video ‘codec’ supposedly needed to view adult movies,” according to security researcher Brian Krebs.

DNSChanger infects systems at the boot sector level, hooking into the host computer at a very low level and making it often very hard to remove, Krebs added.

“A dishonest DNS server can be hard to spot – most dodgy servers tell the truth most of the time, telling you strategic lies when a money-making opportunity arises. Crooks can replace legitimate adverts with shonky ones for a fee, or deliver pay-per-install malware instead of a trustworthy file download,” said Paul Ducklin, Sophos’s Head of Technology, Asia Pacific.

Beginning in 2007, the cyber ring used DNSChanger to infect approximately 4 million computers in more than 100 countries. There were about 500,000 infections in the U.S., including computers belonging to individuals, businesses, and government agencies such as NASA.

Krebs said the malware family didn’t just infect Microsoft Windows systems, but also Mac systems.

“Other variants of the malware even hijacked DNS settings on wireless home routers,” he said.

Details of the two-year FBI investigation called Operation Ghost Click were announced in New York as the federal indictment was unsealed.

Janice Fedarcyk, assistant director in charge of our New York office, said the Internet fraud “describes an intricate international conspiracy conceived and carried out by sophisticated criminals.”

“The harm inflicted by the defendants was not merely a matter of reaping illegitimate income,” she added.

The thieves allegedly generated at least $14 million in illicit fees from the Internet fraud. In some cases, the malware had prevented users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software, the FBI noted.

“They were organized and operating as a traditional business but profiting illegally as the result of the malware,” said one of FBI’s cyber agents who worked the case.

“There was a level of complexity here that we haven’t seen before.”

DNS—Domain Name System—is a critical Internet service that converts user-friendly domain names, such as eBay.com, into numerical addresses that allow computers to talk to each other. Without DNS and the DNS servers operated by Internet service providers, computer users would not be able to browse websites or send e-mail.

The six cyber criminals were taken into custody yesterday in Estonia by local authorities, and the U.S. will seek to extradite them.

In addition, U.S. authorities seized computers and rogue DNS servers at various locations. As part of a federal court order, the rogue DNS servers have been replaced with legitimate servers in the hopes that users who were infected will not have their Internet access disrupted.

The FBI noted that the replacement servers will not remove the DNSChanger malware—or other viruses it may have facilitated—from infected computers.

Users who believe their computers may be infected are urged to contact a computer professional.

 

Share your opinion