Thursday, June 14, 2012

Operation Ghost Click: Are You Ready For July 9th?

On July 9th, the ISC (Internet Systems Consortium) plans to shut down some DNS servers. How will that affect you? Well, pull up a chair and uncle berry will tell you a story.

Last October, after 2 years of investigation, the FBI in conjunction with a myriad of domestic and international partners, broke up a cyber crime ring based out of Estonia that was using rogue DNS servers to hijack user’s computers and ring up 10’s of millions of dollars in fraudulent ad and click revenues.

DNS, or Domain Name System, is the service that converts URL’s (eg: into those impossible to remember IP addresses. Your ISP provides you with access to a valid DNS server and your computer caches the server’s address. When you open your browser and enter a URL, the DNS server looks up the name and returns the proper numeric address. Think of it as an alpha-numeric translator.

These Estonian cyber thieves were infecting user’s computers with DNSChanger malware, which changes the address of your DNS server to one of their own, a rogue DNS server. The rogue server then either directs you to the wrong site, or to the correct site, but the ads you see have been replaced by ones of their choosing.

You know when you’re on the wrong site, but how do you know what ads you should be seeing when you’re on the right site?

Very devious.

But they didn’t stop there; once they had infected your computer, the malware would try to break into your router using the default settings, and if successful, it would change the DNS settings there, also. Why? Because if you have a router, your real DNS settings are cached there, and your computer caches only the address of the router. You could wipe your computer clean and still wind up being misdirected. And just as an added kick in the pants, some of the sites you are misdirected to download other malware, things that prevent OS patching and antivirus updating. Oh, those crazy Estonians...

So, how does infecting your computer make someone else money, you ask? Well, the world of internet commerce is a very complicated place. There are millions of publishers, every web site owner is a publisher, and there are just as many advertisers. How do the two get together? Through middlemen, of course; publisher networks and ad brokers. The Estonians set themselves up as a publisher network under the name of Rove Digital, one of many shell companies they created, and proceeded to cash in. It’s pretty easy to make money off of ad views and clicks if you have a bot net of millions of end user computers clicking and viewing the ads and websites you specify. Kind of like shooting fish in a barrel.

They operated with impunity from 2007 until 2011, when they were finally tripped up by an international task force. It was only a matter of time before they got caught; their malware wasn’t discriminatory and had penetrated computers in some very sensitive places, so the FBI, NASA, the National Cyber-Forensics and Training Alliance, the National High Tech Crime Unit of the Dutch National Police Agency, the Estonian Police and Border Guards and a plethora of universities, technical institutes and private sector companies all banded together and tracked them down. The FBI dubbed the effort “Operation Ghost Click”, a very appropriate name, and the operation highlights the incredible effort and international cooperation needed to combat cyber crime in our brave new world.

Breaking up the crime ring and bringing those bad boys to justice wasn’t the end of the story, though. The task force quickly realized that if they shut down all of the rogue DNS servers the Estonians were operating, they’d effectively be turning off the internet for the millions that were infected. The Internet Systems Consortium was tasked with replacing the rogue DNS servers with valid ones, and keeping them running during the cleanup process, and the DNS Changer Working Group (DCWG) , an independent group of subject matter experts, was formed to aide end users with the cleanup.

On July 9th, 2012, the formerly rogue servers are scheduled to be shut down for good, they can’t keep them running forever, it costs a lot of cash, and anyone still infected with the DNSChanger malware will suddenly find themselves off the air. There are steps you can take to make sure you won’t be one of them, and the first step is the easiest.

The DCWG has set up an incredibly informative web site, and you need to make use of it. There’s a link to find out if your PC is infected, that’s your starting point, but it’s not all you need to do. You need to check your router also, and even if it hasn’t been compromised, you need to change its username and password from the default. Never leave default credentials in place on any device.

How do you check your router? The DCWG website has a link for that, also. The OpenDNS Store has instructions for every router conceivable. You don’t need to sign up for an account with them, you can just browse for the info you need.

Both Facebook and Google are teaming up with DCWG also, and will be alerting you if they notice a rogue DNS server address on your system, so don’t blow off any warnings you see on either site that informs you that your computer might be infected. This is no hoax, people.

If you are infected, the best fix possible is to reformat your hard drive and reload your operating system. This malware is a bear to get rid of, so if you have your system disks and a good backup, the wipe and reload method is your best bet.

If you don’t, DCWG has a link to help, of course. The DCWG Fix page has a list of free tools and self help guides, but it’s not an easy repair, and the site actually recommends that if your system is old, now might be the time to junk it and upgrade. That says a mouthful about the pervasiveness of this malware.

Don’t panic though, after all, it won’t be the end of the world if you lose internet connectivity on July 9th, but it will be a lot harder to set straight once you're off the air, so be proactive, and while you’re in a proactive mood, take a moment to read our post on creating system recovery disks and backing up, especially if you’re thinking about scrapping your system in favor of a new one. It will serve you well.

That's the end of my story, at least for now. There'll be more to tell as we get closer to the cutoff date, so stay tuned. In the meantime, I've given you lots to think about, and lots to do, so get busy. I'll leave you with one last thought, just because I can't help myself...

Beware of Estonians bearing gifts.

That is all.