Operation Ghost Click: An international network using the DNSChanger malware dismantled

On November 9, 2011, the FBI reported in a press release that it had arrested six Estonian people in cooperation with local authorities. These people have been charged for operating a network of more than 4 millions computers infected with malware. An indictment has been made public by the Manhattan federal court. This dismantling was dubbed “Operation Ghost click” by the FBI. By illegally manipulating the Internet advertising industry for five years, this international cyber-fraud has generated more than $14 million in illegitimate income.

The Cert-IST decided to deal with this event in an article for two main reasons:

• First, this arrest was largely reported in the news and considered by several security actors as a major event. For instance, antivirus vendor Trend Micro, which took part in the investigation before the arrest, has even qualified the event of “Biggest Cybercriminal Takedown in History”: more than 4 million infected computers distributed over 100 countries, $4 million made by illegally manipulating the Internet advertising industry, many computers infected in several companies and government agencies such as the NASA etc.
• Secondly, the four million computers in question were infected with the DNSChanger Trojan, a malware we had already dealt with in an article of the December 2008 monthly security bulletin. Today, these latest events allow us to put an end to the story, by completing our first analysis of the malware. We explain in particular below, how the infections had been monetised so that they became extremely profitable for the fraudsters.

A few reminders concerning DNSChanger

DNSChanger is a Trojan horse that can affect both Windows and Mac OS X platforms. Its infection vectors and basic operations are rather standard:

• It comes on a potential victim computer posing as a legitimate piece of software. In many infection cases for DNSChanger, it poses as a video codec: the victim believes he/she is about to install a video plug-in, but is in reality installing the Trojan on his/her computer.
• The malware code has rootkit functionalities, which allows itself to hide on an infected system and to render its detection and removal very difficult. In fact, security researchers have discovered that DNSChanger was often associated and distributed with the TDSS malware, a rootkit well-known for several years.
• The Trojan is able to receive instructions from a control server (C&C). Regarding DNSChanger, these instructions are used to modify the list of malicious DNS servers to be used on the infected computer.

The main feature of DNSChanger consists in replacing the list of DNS servers used by the infected system, with a list of servers operated by the cyber-criminal group.

Reminder: The DNS protocol allows systems to obtain the IP address of a server from its name: this process is called DNS resolution and could be compared to the process of finding a phone number in a phone book. It happens automatically for instance each time a user enters an URL in his web browser or each time he clicks on a link.

When a system is infected and the default DNS server list has been altered, the attacker then gains complete control over the Internet traffic of the victim’s computer and may at any time redirect this victim to a web site under his control. The end-user can hardly detect the modification, because only certain sites are substituted by malicious ones, and these substituted sites are often designed to look like legitimate sites (Phishing). In the case of the dismantled network, the scammers have also used their control over the DNS system to prevent victims from obtaining the latest system security updates and antivirus signatures, so that these computers could become more and more vulnerable to new attacks over time.

In short, a user whose computer was infected with the DNSChanger malware was browsing what we could call a parallel web, which was entirely controlled by the cyber-criminal gang.

The cyber-fraud scheme, monetisation of the network

Internet advertising is a multi-billion-dollar industry in which website owners sell advertising space on their sites: this advertising space often appears as frames or banners in which the ads are displayed. Because of the vast number of website operators (we will refer to them as publishers) and advertisers on the Internet, advertisers often rely on third party companies (ad brokers) to contract with and deliver their advertisements to publishers (if we consider for instance the Google AdSense offer, Google acts as an ad broker). Similarly, rather than contracting with ad brokers individually, publishers often join together and form “publisher networks” to contract with ad brokers collectively.

From 2007 until 2011, the fraudsters controlled and operated various companies that masqueraded as legitimate publisher networks. Grouped within a same corporation (Rove Digital), these companies entered into agreements with ad brokers under which they were paid each time Internet users clicked on the links for certain websites or advertisements, or each time certain advertisements were displayed on certain websites. Thus, by fraudulently increasing the Internet traffic to the advertiser’s websites or the number of times an ad was displayed, the hackers were increasing the fees they received from the ad brokers, in accordance with the agreements they contracted.

We can now better understand how the fraud works: by manipulating the DNS responses sent to the four million infected computers, the cyber-criminal group made the exploitation of this network an overly lucrative business. The DNS redirections allowed the defendants to carry out two kinds of frauds:

• Click hijacking frauds,
• Advertisement replacement frauds.

Click hijacking fraud

When the user of an infected computer clicked on one of the first search result links displayed through a search engine query (on Google for instance), the malicious DNS servers caused the computer to be re-routed to an arbitrary site chosen by the hackers. In this case, each click triggered the payment of a fee to the criminal company, which substituted itself to the legitimate publisher (Google in the present case). The indictment gives several examples of these click hijacking frauds:

• When the user of an infected computer clicked on the domain name link for the official government website of the Internal Revenue Service, the user was instead taken to the website of H&R Block, a tax preparation business.
• Another example, when a victim clicked on the domain name link for the official website of Apple iTunes (apple.itunes.com), the victim was instead taken to www.idownload-store-music.com, the website of a business unaffiliated with Apple that purported to sell Apple software. Interestingly, a few days after the arrest of the fraudsters and the release of the FBI’s press release, Apple fixed a flaw in its iTunes software (see security advisory CERT-IST/AV-2011.640), which allowed to set up a man-in-the-middle attack during iTunes’s update process. According to The Register’s news site, the flaw would have allowed the defendants, thanks to their malicious DNS servers, to redirect victims to websites of their choice, which would have at the same time increased the earnings generated by this traffic. Note that the iTunes vulnerability could have allowed the fraudsters to install a trojaned version of iTunes on the affected computers, or other types of adware/spyware such as fake antivirus, still in the goal of making more money.
• …

Advertising replacement fraud

In this type of fraud, the DNSChanger malware and the malicious DNS servers were used to replace the contents of the advertising frames on certain web sites, in order to trigger payments of fees to the cyber-criminal network. The ads that were displayed instead of the legitimate ones were related to company with which the fraudsters had contracted agreements. Here again, the indictment provides a few examples:

• When the user of an infected computer visited the Amazon.com website, an advertisement for Windows Internet Explorer 8 had been fraudulently replaced with an ad for an email marketing business.
• When the user of an infected computer visited the home page of the Wall Street Journal, an advertisement for the American Express “Plum Card” had been fraudulently replaced with an ad for “Fashion Girl LA.”.

Consequences of the fraud

The indictment that has been made public mentions that the cyber-criminal network globally earned about $14 million through the previously discussed frauds. Beyond this estimation, it is interesting to note the consequences of such a fraud for the different victims, which are not easily measurable:

• The click hijacking and advertising replacement frauds deprived a large number of legitimate website operators (publishers) and advertisers of substantial advertising revenue. For instance, legitimate search engines had probably not been paid when a user clicked on certain of their sponsored search results.
• Customers of Rove Digital, the rogue publisher network, were paying for Internet traffic from computer users who had not intended to click their ads, in other words for users who were not interested by the offers.
• The fraud represented a reputational harm for companies that paid to advertise on the Internet, but that had obviously no desire for computer users to be directed to their websites or advertisements through fraudulent means.
• Finally, there is the non-measurable impact for the end-users, whose computers were infected. In fact, they could have lost money by making transactions on fake websites (such as the website that purported to sell Apple software). Additionally, let’s remind that the DNS responses sent by the malicious servers prevented the victim systems from obtaining system security updates and latest virus signatures, leaving them opened to new attacks, Trojans or spyware.

Dismantling

The dismantling of the DNSChanger network is far from being a trivial operation. Here, turning off all the C&C servers like the authorities usually do for a normal botnet is not sufficient. Indeed in the present case, the millions of infected computers connect to servers on the malicious network to perform DNS requests, and they would loose most of their access to Internet if the servers were abruptly stopped. In order to avoid this situation, U.S. authorities have decided to replace the fraudulent DNS servers by legitimate resolvers, and asked the Internet Systems Consortium (ISC) to administer these servers for a few months, leaving time for users to disinfect their computers and to restore a normal DNS configuration.

The FBI insists on the fact that the replacement of the rogue DNS servers does not remove the malware from the infected machines and recommends, in case of doubt, to inspect the system DNS configuration. For this purpose, the American bureau provides an online tool, to help identifying if the DNS servers used by a given computer have been known to be malicious.

For more information:

• The full indictment (PDF format, 62 pages)
• The press release from the FBI
• The Southern District of New York Attorney’s press release
• Esthost Taken Down – Biggest Cybercriminal Takedown in History (Trend Micro)