On November 8, a long-living botnet of more than 4,000,000 bots was
taken down by the FBI and Estonian police in cooperation with Trend
Micro and a number of other industry partners.
In this operation, dubbed “Operation Ghost Click” by the FBI, two
data centers in New York City and Chicago were raided and a command
& control (C&C) infrastructure consisting of more than 100
servers was taken offline. At the same time the Estonian police arrested
several members in Tartu, Estonia. Here is the link to the press release of the FBI.
The botnet consisted of infected computers whose Domain Name System
(DNS) settings were changed to point to foreign IP addresses. DNS
servers resolve human readable domain names to IP addresses that are
assigned to computer servers on the Internet. Most Internet users
automatically use the DNS servers of their Internet Service Provider.
DNS-changing Trojans silently modify computer settings to use foreign
DNS servers. These DNS servers are set up by malicious third parties
and translate certain domains to malicious IP addresses. As a result,
victims are redirected to possibly malicious websites without detection.
Criminals monetize the DNS Changer botnet in a variety of ways,
including replacing advertisements on websites loaded by victims,
hijacking search results, and pushing additional malware.
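A defender-side check for the infection pattern described above, added here as an example and not part of the original post or Trend Micro's tooling: it parses a resolv.conf-style resolver configuration (the sample content and the allow-list networks are constructed for the example) and flags any resolver the host was never provisioned with, which is exactly what a DNS changer leaves behind.

```python
import ipaddress
from typing import Iterable

# Constructed resolv.conf content for the example (not from the post).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.lan
nameserver 192.168.1.1
nameserver 203.0.113.54
nameserver 203.0.113.55
"""

# Hypothetical allow-list: the ISP's (or organisation's) resolvers plus
# RFC 1918 and loopback ranges for home routers and local forwarders.
# Replace with the resolvers your own environment actually hands out.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("198.51.100.0/24"),  # ISP resolvers (constructed)
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(servers: Iterable, allowed=EXPECTED_RESOLVERS) -> list:
    """Return resolvers outside every allowed network (unparseable ones too).

    A DNS changer infection shows up as a pair of public addresses that
    were never provisioned for the host."""
    flagged = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)
            continue
        if not any(addr in net for net in allowed):
            flagged.append(s)
    return flagged


def audit(resolv_conf: str) -> list:
    """Parse the configuration and return the resolvers that warrant a look."""
    return unexpected_resolvers(parse_nameservers(resolv_conf))


if __name__ == "__main__":
    print(audit(SAMPLE_RESOLV_CONF))  # ['203.0.113.54', '203.0.113.55']
```

On a real host, feed `audit()` the contents of /etc/resolv.conf (or the equivalent adapter settings on Windows) and alert when the returned list is non-empty.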
List of IP addresses controlled by Rove Digital
We at Trend Micro knew what party was most likely behind the DNS
Changer botnet since 2006. We decided to hold certain data and knowledge
we had from publication in order to allow the law enforcement agencies
to take proper legal action against the cybercriminals behind it.
Now that the main perpetrators have been arrested and the botnet has
been taken down, we can share some of the detailed intelligence we
gathered in the last 5 years.
Rove Digital
The cybercrime group that was controlling every step from infection
with Trojans to monetizing the infected bots was an Estonian company
known as Rove Digital. Rove Digital is the parent
company of many other companies like Esthost, Estdomains, Cernel,
UkrTelegroup and many less well known shell companies.
Rove Digital is a seemingly legitimate IT company based in
Tartu with an office where people work every morning. In reality, the
Tartu office is steering millions of compromised hosts all over the
world and making millions in ill-gained profits from the bots every
year.
Esthost, a reseller of webhosting services, was in the news
in the fall of 2008 when it went offline at the time its provider Atrivo
in San Francisco was forced to go offline by actions of private
parties. Around the same time a domain registrar company of Rove
Digital, called Estdomains, lost its accreditation from ICANN because
the owner, Vladimir Tsastsin, was convicted of credit card fraud in his
home country, Estonia.
Vladimir Tsastsin, the CEO of Rove Digital
These actions were the result of public pressure that arose from the
suspicion that Esthost was mainly serving criminal customers. Rove Digital was forced to stop the hosting services offered by Esthost, but it continued with its criminal activities. In fact those behind Rove Digital
learned their lesson, and they spread the C&C infrastructure all
over the world and moved a great deal of the servers previously hosted
at Atrivo to the Pilosoft datacenter in New York City where they already
had some servers running.
In 2008, it was widely known that Esthost had many criminal customers. Not publicly known was that Esthost and Rove Digital were heavily involved in committing cybercrime.
Trend Micro knew that Rove Digital was not only hosting
Trojans, but was controlling C&C servers and the rogue DNS servers,
as well as the infrastructure that monetized fraudulent clicks made by
the DNS Changer botnet. Besides DNS Changers, Esthost and Rove Digital
were also spreading FAKEAV and Trojan clickers, and they were involved in
selling questionable pharmaceuticals and other cybercrimes we will not
discuss in this blog posting.
The evidence we collected in the past years leaves no doubt of Esthost and Rove Digital’s direct involvement in cybercrime and fraud. Our suspicion started with simple but strong indications.
Cybercrime Activity Indicators
First, in 2006 we noticed that several C&C servers of the DNS Changer network were on subdomains of Esthost.com.
(For example the foreign rogue DNS servers whose IP addresses were
hardcoded in DNS Changer Trojans were hosted on dns1.esthost.com –
dns52.esthost.com (52 domain names)).
A backend server that could update all rogue DNS servers at once was on dns-repos.esthost.com. A backend server for fake codec Trojans was on codecsys.esthost.com. Unless the esthost.com domain was hacked, only Esthost could add these very suggestive subdomains to its domain name. When the esthost.com domain went down, the C&C servers of Rove Digital
started to use private domain names ending in .intra. We were able to
download the complete zone file of .intra from one of the servers of Rove Digital in the US.
In 2009 we obtained a copy of the hard drives of two C&C servers
that replaced advertisements on websites when loaded by DNS Changer
victims. On the hard drives we found public SSH keys of several Rove Digital employees. These keys allowed the Rove Digital
employees to log in to the C&C servers without a password, using
their private keys. From log files on the servers we were able to
conclude that the C&C servers were controlled from Rove Digital’s office in Tartu.
Rove Digital had also been running a FAKEAV / rogue DNS affiliate program called Nelicash. We were able to download a schema of the infrastructure for the FAKEAV part. From a Nelicash C&C server we discovered data on victims who bought fake AV software.
Transaction details related to purchases by Rove Digital victims
Among the purchases of victims, there were several test orders placed by employees of Rove Digital from IP addresses controlled by Rove Digital in Estonia and the US. This shows that Rove Digital was directly involved in the sales of the FAKEAV.
From the same Nelicash C&C server we were also able to
download a detailed plan for the deployment of new rogue DNS servers
in 2010 and 2011. Every day, Rove Digital spread a new malware
sample that changed systems’ DNS settings to a unique pair of foreign
servers. We checked DNS Changer Trojans for a couple of days and we
learned that these Trojans changed DNS settings of victims exactly
according to their plan.
Deployment of new DNS servers in 2010 and 2011
We collected much more evidence, but we are unable to include it all here. All of our findings indicate that Rove Digital was committing cybercrimes on a large scale indeed and was directly responsible for the large DNS Changer botnet.
With that, we are very happy to report that a close collaboration between the FBI, Estonian police, Trend Micro and other industry partners resulted in a successful takedown of a dangerous botnet. Such a collaboration also led to the arrest of the bad actors responsible for the botnet, despite the fact that the takedown of Rove Digital was complicated and took a lot of effort.
Trend Micro successfully identified the C&C infrastructure of Rove Digital and backend infrastructure at an early stage and continued to monitor the C&C until November 8, 2011. Other industry partners did a tremendous job by making sure that the takedown of the botnet happened in a controlled way, with minimal inconvenience for the infected customers.
The following links relate to this entry:
- Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks
- Making a Million, Part Two—The Scale of the Threat
- A Cybercrime Hub
Update: Check out our recently released infographic comparing this and other recent takedowns to get an impression of just how big the impact of this development is. The large version may be found here.
With additional text by Paul Ferguson