FBI, Security Vendors Partner to Take Down Hacker Consortium

By Ericka Chickowski

Security vendors and federal law enforcement collaborated for five years to rid the world of a cyber-threat that let a criminal consortium collect millions from false advertisements.

The FBI got an assist from IT security researchers in an operation, concluded last week, to shut down one of the world's longest-running and most costly botnets. In addition to ridding the world of one of its more odious malware infestations, "Operation Ghost Click" also nabbed a brazen criminal consortium of "clickjacking" hackers.

The operation resulted in the arrest of six Estonian nationals. The hacker group infected about 4 million computers in 100 countries, collecting about $14 million, the FBI said.

The Esthost botnet was shut down, according to researchers with Trend Micro, which helped lead the public-private alliance. It was one of the last remaining large-scale botnets in the wild, as cyber-criminals have begun using more targeted, smaller operations to fly under law-enforcement radar.

The FBI and cyber-security vendors collaborated for five years on the mission to take down the botnet, says Paul Ferguson, advanced threats researcher for Trend Micro.

"I feel like an enormous burden was lifted because we've been working on this for over five years," Ferguson says. "The guys in my research group discovered what these rogue actors were doing back in 2006."

The crooks in question were part of an organization known as the Rove group, allegedly responsible for creating the DNSChanger malware, which replaced legitimate advertisements with fake ones on infected PCs, effectively routing payments for user clicks to the bad guys instead of the advertisers.

"Basically they were doing ad replacement on legitimate Web properties. For instance if you went to CNN and there was originally supposed to be an embedded ad there for Toyota or something, they would replace it with their own ads. Because basically PCs were infected with this DNSChanger malware that changed the DNS settings to their infrastructure, and so if the domain was one of the ones listed in the 14,000 and 15,000 domains that they provided rogue resolution for, they would point to their own infrastructure for like ads." 
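As an added illustration of the detection side of the hijack Ferguson describes (example code, not from the article, Trend Micro or the FBI): a small Python check that flags configured resolvers falling inside known-rogue address ranges and reports domains where the host's resolver answers differently from a trusted resolver. The rogue ranges, resolv.conf text and DNS answers below are all constructed placeholders; the real DNSChanger resolver ranges are not on this page.

```python
import ipaddress
import re

# Constructed placeholder ranges (documentation prefixes), not the real
# DNSChanger indicator ranges, which this page does not list.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def configured_resolvers(resolv_conf: str) -> list:
    """Pull nameserver addresses out of resolv.conf-style text."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)]


def flag_rogue_resolvers(resolv_conf: str) -> list:
    """Return the configured resolvers that sit inside a known-rogue range."""
    hits = []
    for addr in configured_resolvers(resolv_conf):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip malformed entries rather than crash the check
        if any(ip in net for net in ROGUE_RESOLVER_RANGES):
            hits.append(addr)
    return hits


def resolution_divergence(local: dict, trusted: dict) -> dict:
    """Compare answers from the host's resolver with a trusted resolver's.
    Returns {domain: (local_answer, trusted_answer)} for every disagreement,
    which is what ad-domain redirection to attacker infrastructure looks like."""
    return {d: (local[d], trusted[d]) for d in local if d in trusted and local[d] != trusted[d]}


# Constructed sample: a host whose first resolver was pointed at a rogue range.
SAMPLE_RESOLV_CONF = """# constructed example
nameserver 198.51.100.7
nameserver 192.0.2.53
"""
# Constructed answers: the ad domain resolves to the rogue range locally only.
SAMPLE_LOCAL_ANSWERS = {"ads.example.com": "198.51.100.20", "www.example.org": "192.0.2.80"}
SAMPLE_TRUSTED_ANSWERS = {"ads.example.com": "192.0.2.10", "www.example.org": "192.0.2.80"}

if __name__ == "__main__":
    print("rogue resolvers:", flag_rogue_resolvers(SAMPLE_RESOLV_CONF))
    print("divergent answers:", resolution_divergence(SAMPLE_LOCAL_ANSWERS, SAMPLE_TRUSTED_ANSWERS))
```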

As Manhattan U.S. Attorney Preet Bharara put it, the defendants gave new meaning to the term 'false advertising.'

"As alleged, they were international cyber-bandits who hijacked millions of computers at will and re-routed them to Internet Websites and advertisements of their own choosing—collecting millions in undeserved commissions for all the hijacked computer clicks and Internet ads they fraudulently engineered," Bharara said. "The international cyber-threat is perhaps the most significant challenge faced by law enforcement and national security agencies today, and this case is just perhaps the tip of the Internet iceberg. It is also an example of the success that can be achieved when international law enforcement works together to root out Internet crime. We are committed to continuing our vigilance and efforts—it is essential to our national security, our economic security and our citizens’ personal security."

In addition to powering the operation that eventually netted the crooks $14 million, DNSChanger also helped revolutionize the malware world, says Andrew Brandt, malware analysis expert and director of threat research at Solera Networks, a forensics and network security analytics firm.

"In many ways, DNSChanger helped pioneer some of what are now common malware techniques: It comprised a tiny payload of malware that propagated using social-engineering techniques, rather than vulnerabilities. It employed server-side randomization, where the payload executable was generated on-the-fly when it was requested for download. It was the first to use DNS hijacking as a way to generate a revenue stream. It was among the first modern, single-purpose malware families, lacking any sophisticated downloader or backdoor capability, which kept the file sizes small and unobtrusive," he says.

"And it was one of the first cross-platform malware families, as the authors eventually released a variant that functioned identically under the Mac OS as it did in Windows, even pointing to the same DNS server ranges as the Windows versions did."

According to Ferguson, this operation could be among the last of its kind, as cyber-criminals are changing tactics and reducing their scope.

"There are probably only a couple more botnets where it is this monolithic type of criminal operation," he says. "Because what we've been seeing trending the last couple of years is criminals have diversified their assets and compartmentalized to blend in with the noise and not be such a big target."