FBI Shuts Down DNSChanger Ring

Posted on November 10th, 2011 by

Operation Ghost Click: this sounds like something out of 24. But it’s a 2-year FBI investigation that brought down “a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry.”

These cyber-criminals used the malware to do what is called “click fraud.” When you click on an ad or an advertising link on a web page, you expect to go to the web site that’s advertising. Under these schemes, the malware changed the DNS (domain name server) settings on infected computers so that the name lookup was answered by a server the criminals controlled. Instead of the advertiser’s site, you would be taken to a different computer: perhaps a bogus web site where you might purchase something you thought was from a legitimate retailer, or a site that earns money by displaying ads, often ads for pornographic web sites.
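The defensive check that follows from this is to look at which resolvers a machine is actually using. The script below is an added example, not code from Intego or the FBI: it parses resolver settings in either `/etc/resolv.conf` form or the `nameserver[0] : a.b.c.d` form printed by `scutil --dns` on a Mac, and flags any resolver that falls inside a list of known-rogue address ranges. The `ROGUE_RANGES` values are placeholders drawn from RFC 5737 documentation space, not the real DNSChanger ranges, and the resolver configuration is a constructed sample.

```python
"""Flag DNS resolvers that fall inside attacker-controlled address ranges,
the kind of silent change a DNSChanger-style Trojan makes.

Added example, not Intego's or the FBI's code. ROGUE_RANGES holds
placeholder networks (RFC 5737 documentation space); replace them with a
vetted indicator list before using this on a real machine.
"""
import ipaddress
import re
from typing import Iterable, List

# Placeholder rogue resolver ranges (assumption: RFC 5737 documentation space).
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample: a Unix resolv.conf after the first resolver was replaced.
SAMPLE_RESOLV_CONF = """\
# This file is generated automatically
domain example.lan
nameserver 192.0.2.53
nameserver 10.0.0.1
search example.lan
"""

# Constructed sample in the layout `scutil --dns` prints on macOS.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : example.lan
  nameserver[0] : 10.0.0.1
  nameserver[1] : 198.51.100.7
"""

# Matches "nameserver 10.0.0.1" and "nameserver[0] : 10.0.0.1".
NAMESERVER_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s+(\S+)", re.MULTILINE)


def parse_nameservers(config_text: str) -> List[ipaddress._BaseAddress]:
    """Return resolver addresses found in resolv.conf or scutil --dns text,
    skipping entries that are not valid IP addresses."""
    found = []
    for raw in NAMESERVER_RE.findall(config_text):
        try:
            found.append(ipaddress.ip_address(raw))
        except ValueError:
            continue  # malformed entry; nothing we can evaluate
    return found


def flag_rogue_resolvers(addrs: Iterable, ranges=ROGUE_RANGES) -> list:
    """Return the subset of addrs that fall inside any rogue range."""
    return [a for a in addrs if any(a in net for net in ranges)]


def check_resolver_config(config_text: str) -> dict:
    """Summarise the resolvers in config_text and whether any look rogue."""
    nameservers = parse_nameservers(config_text)
    rogue = flag_rogue_resolvers(nameservers)
    return {
        "nameservers": [str(a) for a in nameservers],
        "rogue": [str(a) for a in rogue],
        "compromised": bool(rogue),
    }


if __name__ == "__main__":
    for label, text in (("resolv.conf", SAMPLE_RESOLV_CONF),
                        ("scutil --dns", SAMPLE_SCUTIL_DNS)):
        report = check_resolver_config(text)
        status = "SUSPECT" if report["compromised"] else "ok"
        print(f"{label}: {status} resolvers={report['nameservers']} "
              f"rogue={report['rogue']}")
```

On a live Mac you would feed the output of `scutil --dns` (or the contents of `/etc/resolv.conf` on other Unix systems) into `check_resolver_config` in place of the constructed samples; a resolver you never configured, rogue range or not, is worth a second look, since the list of bad ranges is only as good as the day it was compiled.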

The FBI estimates that “more than four million computers in over 100 countries — including an estimated 500,000 PCs in the United States” were infected by this malware, which is the DNSChanger family. This includes the RSPlug Trojan horse, which Intego discovered on October 31, 2007, and which spawned a number of variants and infected many Macs. (It should be noted that those behind the RSPlug Trojan horse stopped their activities before those controlling the Windows malware did. It’s likely that these were not the same people.)

We’ve often pointed out that the people behind today’s malware are out to make money. That’s why they attacked Macs with fake antivirus software, and that’s why they attacked Macs with the RSPlug Trojan horse, among others. This FBI takedown is important, in that it shows that the FBI was able to work closely with security researchers and law enforcement agencies around the world to pinpoint the command and control servers that were behind this scheme. Security journalist Brian Krebs gives more info on exactly how this happened.

So stay safe. Don’t download software from untrusted web sites, and protect your Mac with anti-malware software, just in case. It’s easy to get infected, and if you’re not protected, it’s hard to know if your Mac is compromised.