Operation Ghost Click
On November 8, a long-lived botnet of more than 4,000,000 bots was taken down by the FBI and Estonian police in cooperation with Trend Micro, a leading Internet content security and threat management solutions company, and a number of other industry partners.
In this operation, dubbed “Operation Ghost Click” by the FBI, two data centres in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia.
According to an FBI press release, Rove Digital founder Vladimir Tsastsin along with five other Estonian nationals have been arrested and charged with running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry. Users of infected machines were unaware that their computers had been compromised—or that the malicious software rendered their machines vulnerable to a host of other viruses.
The botnet consisted of infected computers whose Domain Name System (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human-readable domain names like www.charllaas.com or www.wikipedia.org to the IP addresses assigned to servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider.
DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and translate certain domains to malicious IP addresses. As a result, victims are redirected to possibly malicious websites without detection.
Criminals use a variety of methods to monetize the DNS Changer botnet, including replacing advertisements on websites loaded by victims, hijacking search results and pushing additional malware.
Trend Micro had known since 2006 which party was most likely behind the DNS Changer botnet. They decided to withhold certain data and knowledge from publication in order to allow the law enforcement agencies to take proper legal action against the cybercriminals behind it.
With the main perpetrators arrested and the botnet taken down, Trend Micro today shares in a newsletter to their customers some of the detailed intelligence they gathered over the last 5 years.
Rove Digital
The cybercrime group that controlled every step, from infection with Trojans to monetizing the infected bots, was an Estonian company known as Rove Digital. Rove Digital is the parent company of many other companies, such as Esthost, Estdomains, Cernel, UkrTelegroup and many less well known shell companies.
Rove Digital is a seemingly legitimate IT company based in Tartu, with an office where people come to work every morning. In reality, the Tartu office steers millions of compromised hosts all over the world and makes millions in ill-gotten profits from the bots every year.
Esthost, a reseller of webhosting services, was in the news in the fall of 2008 when it went offline at the time its provider Atrivo in San Francisco was forced to go offline by actions of private parties.
Around the same time a domain registrar company of Rove Digital, called Estdomains, lost its accreditation from ICANN because the owner, Vladimir Tsastsin, was convicted of credit card fraud in his home country, Estonia.
These actions were the result of public pressure that arose from the suspicion that Esthost was mainly serving criminal customers. Rove Digital was forced to stop the hosting services offered by Esthost, but it continued with its criminal activities. In fact, those behind Rove Digital learned their lesson: they spread the C&C infrastructure all over the world and moved a great deal of the servers previously hosted at Atrivo to the Pilosoft datacenter in New York City, where they already had some servers running.
In 2008, it was widely known that Esthost had many criminal customers. Not publicly known was that Esthost and Rove Digital were heavily involved in committing cybercrime.
Trend Micro knew that Rove Digital was not only hosting Trojans, but was also controlling the C&C servers and the rogue DNS servers, as well as the infrastructure that monetized the fraudulent clicks made by the DNS Changer botnet. Besides DNS Changers, Esthost and Rove Digital were also spreading FAKEAV and Trojan clickers, and they were involved in selling questionable pharmaceuticals and other cybercrimes we will not discuss in this blog posting.
The six cyber criminals were taken into custody yesterday in Estonia by local authorities, and the U.S. will seek to extradite them. In conjunction with the arrests, U.S. authorities seized computers and rogue DNS servers at various locations. As part of a federal court order, the rogue DNS servers have been replaced with legitimate servers in the hopes that users who were infected will not have their Internet access disrupted.
It is important to note that the replacement servers will not remove the DNSChanger malware—or other viruses it may have facilitated—from infected computers. Users who believe their computers may be infected should contact a computer professional, or register as a victim of the DNSChanger malware.
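The post explains the mechanism (a Trojan replaces the host's resolver settings with rogue DNS servers that answer with attacker-chosen addresses) and then tells readers the replacement servers do not clean infected machines. The script below is an added example, not code from the original post or from Trend Micro, showing the two checks a defender would run on a suspect host: inspect which resolvers the host is configured to use against an allowlist of the ones it should use, and compare the answers the configured resolver gives with answers from a trusted reference resolver. The resolv.conf text, the allowlist networks (documentation ranges standing in for an ISP) and both answer sets are constructed sample data; the rogue address ranges used in the real operation are not on the page and are not assumed here.

```python
"""Resolver-hijack check for a single host. Added example; all inputs constructed."""
import ipaddress
import re

# Constructed allowlist: the resolvers this host is expected to use. The
# 192.0.2.0/24 documentation range stands in for the ISP's resolvers; 192.168.1.1
# is a local router. Replace with your own ISP/corporate resolvers in practice.
EXPECTED_RESOLVERS = {
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("192.168.1.1/32"),
}

# Constructed /etc/resolv.conf as a DNS-changing Trojan might leave it: the
# router entry is still present, but two foreign resolvers were appended.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.net
nameserver 192.168.1.1
nameserver 203.0.113.45
nameserver 203.0.113.46
"""

# Constructed answers. CONFIGURED_ANSWERS is what the host's current resolver
# returned; REFERENCE_ANSWERS is what a trusted resolver returned for the same
# names. In a live check both sets would come from real queries.
CONFIGURED_ANSWERS = {
    "www.wikipedia.org": "198.51.100.77",   # redirected by the rogue resolver
    "www.charllaas.com": "203.0.113.10",    # untouched
    "ads.example.net": "198.51.100.77",     # also redirected, to the same sink
}
REFERENCE_ANSWERS = {
    "www.wikipedia.org": "203.0.113.5",
    "www.charllaas.com": "203.0.113.10",
    "ads.example.net": "203.0.113.9",
}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses in resolv.conf order, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def unexpected_resolvers(servers: list[str], allowlist=EXPECTED_RESOLVERS) -> list[str]:
    """Resolvers outside every allowlisted network. Unparseable entries are flagged too."""
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        if not any(addr in net for net in allowlist):
            flagged.append(server)
    return flagged


def divergent_answers(configured: dict, reference: dict) -> dict[str, tuple[str, str]]:
    """Names for which the configured resolver's answer differs from the reference answer."""
    return {
        name: (configured[name], reference[name])
        for name in reference
        if name in configured and configured[name] != reference[name]
    }


def shared_sinks(divergent: dict[str, tuple[str, str]]) -> dict[str, list[str]]:
    """Addresses that several unrelated, diverging names all resolve to.

    CDN round-robin can make a single name diverge legitimately; many unrelated
    names collapsing onto one address is the pattern of a redirecting resolver.
    """
    by_addr: dict[str, list[str]] = {}
    for name, (configured_addr, _) in divergent.items():
        by_addr.setdefault(configured_addr, []).append(name)
    return {addr: sorted(names) for addr, names in by_addr.items() if len(names) > 1}


def check_host(resolv_conf: str, configured: dict, reference: dict) -> dict:
    """Combine both checks into one verdict for the host."""
    servers = parse_nameservers(resolv_conf)
    unexpected = unexpected_resolvers(servers)
    divergent = divergent_answers(configured, reference)
    sinks = shared_sinks(divergent)
    return {
        "unexpected_resolvers": unexpected,
        "divergent_answers": divergent,
        "shared_sinks": sinks,
        "hijack_suspected": bool(unexpected) or bool(sinks),
    }


if __name__ == "__main__":
    for key, value in check_host(SAMPLE_RESOLV_CONF, CONFIGURED_ANSWERS, REFERENCE_ANSWERS).items():
        print(f"{key}: {value}")
```

The resolver-list check is the cheap, reliable one and is what cleanup guidance for this botnet rested on: a host whose configured resolvers are not the ISP's or the organisation's own is either misconfigured or compromised. The answer comparison is the confirmation step, and the shared-sink grouping is there because a single diverging answer proves little (content delivery networks hand out different addresses routinely), whereas unrelated names all landing on the same address is the signature of a resolver that is substituting answers. Neither check removes the malware; as the post says, that still needs a cleanup of the infected machine.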