On November 8, a long-living botnet of more than 4,000,000 bots was taken down by the FBI and Estonian police in cooperation with Trend Micro and a number of other industry partners.
In this operation, dubbed “Operation Ghost Click” by the FBI, two data centers in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia. Here is the link to the press release of the FBI.
The botnet consisted of infected computers whose Domain Name Server (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider.
DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and translate certain domains to malicious IP addresses. As a result, victims are redirected to possibly malicious websites without detection.
A variety of methods of monetizing the DNS Changer botnet is being used by criminals, including replacing advertisements on websites that are loaded by victims, hijacking of search results and pushing additional malware.
We at Trend Micro knew what party was most likely behind the DNS Changer botnet since 2006. We decided to hold certain data and knowledge we had from publication in order to allow the law enforcement agencies to take proper legal action against the cybercriminals behind it.
Now that the main perpetrators have been arrested and the botnet has been taken down, we can share some of the detailed intelligence we gathered in the last 5 years.
The cybercrime group that was controlling every step from infection with Trojans to monetizing the infected bots was an Estonian company known as Rove Digital. Rove Digital is the mother company of many other companies like Esthost, Estdomains, Cernel, UkrTelegroup and many less well known shell companies.
Rove Digital is a seemingly legitimate IT company based in Tartu with an office where people work every morning. In reality, the Tartu office is steering millions of compromised hosts all over the world and making millions in ill-gained profits from the bots every year.
Esthost, a reseller of webhosting services, was in the news in the fall of 2008 when it went offline at the time its provider Atrivo in San Francisco was forced to go offline by actions of private parties. Around the same time a domain registrar company of Rove Digital, called Estdomains, lost its accreditation from ICANN because the owner, Vladimir Tsastsin, was convicted of credit card fraud in his home country, Estonia.
These actions were the result of public pressure that arose from the suspicion that Esthost was mainly serving criminal customers. Rove Digital was forced to stop the hosting services offered by Esthost, but it continued with its criminal activities. In fact those behind Rove Digital learned their lesson, and they spread the C&C infrastructure all over the world and moved a great deal of the servers previously hosted at Atrivo to the Pilosoft datacenter in New York City where they already had some servers running.
In 2008, it was widely known that Esthost had many criminal customers. Not publicly known was that Esthost and Rove Digital were heavily involved in committing cybercrime.
Trend Micro knew that Rove Digital was not only hosting Trojans, but was controlling C&C servers and the rogue DNS servers, as well as the infrastructure that monetized fraudulent clicks made by the DNS Changer botnet. Besides DNS Changers, Esthost and Rove Digital were also spreading FAKEAV and Trojan clickers, and it was involved in selling questionable pharmaceuticals and other cybercrimes we will not discuss in this blog posting.
The evidence we collected in the past years leaves no doubt of Esthost and Rove Digital’s direct involvement in cybercrime and fraud. Our suspicion started with simple but strong indications.
Cybercrime Activity Indicators
First, in 2006 we noticed that several C&C servers of the DNS Changer network were on subdomains of Esthost.com. (For example the foreign rogue DNS servers whose IP addresses were hardcoded in DNS Changer Trojans were hosted on dns1.esthost.com – dns52.esthost.com (52 domain names)).
A backend server that could update all rogue DNS servers at once was on dns-repos.esthost.com. A backend server for fake codec Trojans was on codecsys.esthost.com. Unless the esthost.com domain was hacked, only Esthost can add these very suggestive sub domains to their domain name. When the esthost.com domain went down, the C&C servers of Rove Digital started to use private domain names ending on .intra. We were able to download the complete zone file of .intra from one of the servers of Rove Digital in the US.
In 2009 we obtained a copy of the hard drives of two C&C servers that replaced advertisements on websites when loaded by DNS Changer victims. On the hard drives we found public SSH keys of several Rove Digital employees. These keys allowed the Rove Digital employees to log in on the C&C servers without password, but with their private key. From log files on the servers we were able to conclude that the C&C servers were controlled from Rove Digital’s office in Tartu.
Rove Digital had also been running a FAKEAV / rogue DNS affiliate program called Nelicash. We were able to download a schema of the infrastructure for the FAKEAV part. From a Nelicash C&C server we discovered data on victims who bought fake AV software.
Among the purchases of victims, there were several test orders placed by employees of Rove Digital from IP addresses controlled by Rove Digital in Estonia and the US. This shows that Rove Digital was directly involved in the sales of the FAKEAV.
From the same Nelicash C&C server we were also able to download a detailed planning of the deployment of new rogue DNS servers in 2010 and 2011. Every day, Rove Digital spread a new malware sample that changed systems’ DNS settings to a unique pair of foreign servers. We checked DNS Changer Trojans for a couple of days and we learned that these Trojans changed DNS settings of victims exactly according to their plan.
We collected much more evidence but we are unable to include them all here. All of our findings indicate that Rove Digital is committing cybercrimes on a large scale indeed and is directly responsible for the large DNS Changer botnet.
With that, we are very happy to report that a close collaboration between the FBI, Estonian police, Trend Micro and other industry partners resulted in a successful takedown of a dangerous botnet. Such a collaboration also led to the arrest of the bad actors responsible for the botnet, despite the fact that the takedown of Rove Digital was complicated and took a lot of effort.
Trend Micro successfully identified the C&C infrastructure of Rove Digital and backend infrastructure at an early stage and continued to monitor the C&C until November 8, 2011. Other industry partners did a tremendous job by making sure that the takedown of the botnet happened in a controlled way, with minimal inconvenience for the infected customers.
The following links relate to this entry:
- Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks
- Making a Million, Part Two—The Scale of the Threat
- A Cybercrime Hub
For more information, Rik Ferguson posted an entry on his CounterMeasures blog on ways to check if you’re a victim of the “Operation Ghost Click” criminal activity.
Update: Check out our recently released infographic comparing this and other recent takedowns to get an impression of just how big the impact of this development is. The large version may be found here.
With additional text by Paul Ferguson