The FBI says that more than 2.5 million systems infected with the DNSChanger malware connected to DNS servers set up by the authorities in the week following a crackdown on a global criminal network dubbed Ghost Click.
The data, which was provided to the FBI by ISC, is the best indication yet of the scope of the Ghost Click network, which was the target of a coordinated take down on November 8 by the FBI and a long list of government and law enforcement agencies and private corporations around the world, including the Estonian Police and Boarder Guard Board, the Dutch High Tech Crime Unit, , authorities in Estonia and ISPs in the U.S. and abroad. At the time of the bust, the FBI estimated the agency estimated that the scheme affected some 4 million individuals worldwide, and 500,000 in the U.S. The data from ISC, though shy of the 4 million figure, confirms that millions of systems around the globe were caught up in the fraudulent network.
The scheme, which is believed to have netted participants $14 million in illicit profits, largely in the form of commissions for directing traffic to Websites and online advertisements who were customers of front companies set up by the criminals. The group of six Estonians and a Russian accomplice worked behind the scene, managing the global botnet and using the DNSChanger malicious software to redirect Internet searches to the Web sites of their customers, thereby fattening their commissions.
As part of the take down of the Ghost Click network, the FBI worked with ISC to set up clean DNS servers to handle requests from Ghost Click infected systems. It also asked Regional Internet Registries (RIRs) around the globe to lock the IP address ranges containing the IP addresses of the rogue DNS servers used by the Ghost click scammers. That gave ISPs a way to identify infected hosts, while keeping the owners of infected systems from being cut off from the Internet. The clean DNS servers were set up in New York and operated by ISC. In the six days following the November 8, 2011 take down, those servers were contacted by more than 2.515 million unique IP addresses, an FBI spokeswoman told Threatpost.
Despite the large number of victims of the Ghost Click scam, finding victims of the scheme may be difficult. For one thing, the DNSChanger malware can be difficult to detect on an infected system. It works behind the scenes to reconfigure an infected system’s Domain Name System settings to use malicious DNS servers to resolve Internet queries. DNSChanger is also a component downloaded in concert with other malware packages like the TDSS rootkit, according to research by Dell’s Secureworks division.
Beyond that, victims didn’t suffer direct, monetary damages from the DNS redirection. Rather, their system was used to pad profits for the scammers. However, security experts say that the tight relationship between DNSChanger and rootkits like TDSS make it likely that the compromised systems were used for other kinds of scams as well, including identity theft.
The FBI posted information that would allow individuals to determine if they were a victim of the Ghost Click. It also recently began advertising online for victims of the attack to come forward and help with the prosecution.