The FBI is cock-a-hoop today, having just announced the bust of six Estonians for malware-related cybercrimes.
The case goes back to 2007, with the investigation itself apparently having taken two years.
The FBI claims that the gang infected 4,000,000 computers in 100 different countries – with 500,000 infections in the USA alone.
The crooks are also said to have raked in at least US$14,000,000 of fraudulently-obtained income as a result.
The operation was dubbed Ghost Click because the cybercrooks took victims to sites they didn’t expect. By changing the DNS settings of infected computers, the crooks could redirect clicks intended for site A to site B instead, or fraudulently convert adverts for service C into ads for service D.
Another thorn in the side of Ghost Click victims, as the FBI points out, is that once cybercrooks control your PC’s DNS lookups, they can sneakily direct you away from security websites, anti-virus updates and more. This increases your overall exposure to danger and lets them them fleece you for longer.
DNS is short for Domain Name Services (not for Domain Name System, whatever the FBI says on its website). DNS provides the “lookup tables” which tell your computer where to find what on the internet.
For example, DNS will advise you that the website known by name as nakedsecurity.sophos.com can be found by number at 18.104.22.168, or 22.214.171.124, or, as it happens, at a range of other specific servers online.
DNS will also tell you how to send mail to people with sophos.com email addresses, will tell you where Sophos sends its email from, and much more besides.
Most computers rely on a DNS server provided by their employer or their ISP. The location of this server is typically configured automatically every time you reboot your PC.
(You can tell what DNS server you’re using by using the ipconfig command on Windows, or by doing cat /etc/resolv.conf on Linux and the BSDs, including OS X.)
The correctness of your internet browsing experience is entirely dependent on the correctness of the DNS server you use. A dishonest DNS server can take you to fraudulent substitutes of any sites it likes.
And a dishonest DNS server can be hard to spot – most dodgy servers tell the truth most of the time, telling you strategic lies when a money-making opportunity arises. Crooks can replace legitimate adverts with shonky ones for a fee, or deliver pay-per-install malware instead of a trustworthy file download.
The FBI is advising that the dodgy DNS servers seen in this investigation fall into the following IP ranges:
64. 28.176.0 to 64. 28.191.255 67.210. 0.0 to 67.210. 15.255 77. 67. 83.0 to 77. 67. 83.255 126.96.36.199 to 188.8.131.52 184.108.40.206 to 220.127.116.11 213.109. 64.0 to 213.109. 79.255
* if your DNS server is inside one of these ranges, you aren’t necessarily infected;
* if your DNS server is outside these ranges, you aren’t necessarily clean;
* resetting your DNS server if it’s wrong won’t fix the malware problem which changed it in the first place; and
* the DNS Changer malware family referred to in the FBI’s article is just one of many thousands of malware families, each consisting of many thousands of samples.
If you’re worried, check that your anti-virus is up-to-date, and verify your DNS server settings match what you’d expect for your PC. Your IT helpdesk or your ISP should be able to tell you what to look for.
Leave a reply