DNSChanger Malware Ring Dismantled


Today the FBI and NASA’s Office of the Inspector General (NASA-OIG) announced the arrest of six Estonian criminals involved in creating, developing and propagating a "Pay Per Click" malware operation.
Apparently, this malware operation has been active since at least 2007 and is estimated to have infected more than 4 million computers in over 100 countries, including an estimated 500,000 in the US alone.

It is currently estimated that the malware generated earnings in excess of 14 million dollars.

Website Redirection – If you were infected by this malware program, dubbed "DNS Changer", and used a search engine to find legitimate websites, or simply typed in a valid URL, the malware would redirect you to one of the criminals' websites instead, earning them a "referral click".

In other examples, traffic to common websites such as the IRS or other government websites was being redirected to a legitimate company with an affiliate program (where the referrer gets both a referral click and an additional commission if the visitor purchases something). This also included redirecting ad clicks to websites other than those the pages you visited displayed, even without you ever having clicked on any of the ads.

Additionally, you could be redirected to a fake website that looked like the real thing. If you purchased something from this fake site, your credit card would be charged, but you would never receive what you purchased. Additionally, now that the criminals had your credit card number, more fraud could occur, possibly months or years later.

Blocking legitimate Anti-Virus websites – The program was also noted for blocking access to most major anti-virus and anti-malware sites, preventing victims from updating existing software or downloading new software.

The Protective Order associated with this case lists the following IP address ranges involved in the fake name-server business.

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

The FBI has provided a helpful secure document link that explains how to check your DNS settings to see whether you are using one of these "Rogue DNS Servers".

If your IP address is on the list, you are encouraged to fill out a secure form "Register as a Victim of DNS Malware".
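To make the check above repeatable, here is an added example (not from the FBI document or this post) that parses the six ranges as quoted above and tests the nameserver entries of a constructed /etc/resolv.conf-style sample against them; the sample addresses and the helper names are assumptions for illustration only.

```python
import ipaddress
from typing import List, Tuple

# Rogue DNS server ranges exactly as listed in the Protective Order (quoted above).
ROGUE_DNS_RANGES = [
    "85.255.112.0 through 85.255.127.255",
    "67.210.0.0 through 67.210.15.255",
    "93.188.160.0 through 93.188.167.255",
    "77.67.83.0 through 77.67.83.255",
    "213.109.64.0 through 213.109.79.255",
    "64.28.176.0 through 64.28.191.255",
]


def parse_ranges(lines: List[str]) -> List[ipaddress.IPv4Network]:
    """Turn 'A through B' lines into CIDR networks covering each range."""
    nets = []
    for line in lines:
        first, last = (ipaddress.ip_address(p.strip()) for p in line.split("through"))
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


ROGUE_NETS = parse_ranges(ROGUE_DNS_RANGES)


def is_rogue_resolver(ip: str) -> bool:
    """True if the resolver address falls inside any rogue range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETS)


def resolvers_from_resolv_conf(text: str) -> List[str]:
    """Extract 'nameserver <ip>' entries, ignoring comments and blank lines."""
    out = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def check_resolv_conf(text: str) -> List[Tuple[str, bool]]:
    """Pair each configured resolver with whether it is a rogue server."""
    return [(ip, is_rogue_resolver(ip)) for ip in resolvers_from_resolv_conf(text)]


# Constructed sample (assumption): one resolver inside a rogue range, one outside.
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 85.255.112.36\nnameserver 8.8.8.8\n"

if __name__ == "__main__":
    for ip, rogue in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"{ip}: {'ROGUE' if rogue else 'ok'}")
```

On Windows, feed the DNS server lines from `ipconfig /all` to `is_rogue_resolver` instead of parsing resolv.conf.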

The criminals used many different data centers, some of which were featured more prominently in the case than others:

Pilosoft, in New York City, known as "The Manhattan Data Center" in the court documents.

ColoSecure, in Chicago, Illinois

ThePlanet, in Houston, Texas

Multacom Corporation, in Canyon County, California

Layered Technologies, in Plano, Texas

Network Operation Center, in Scranton, Pennsylvania

Wholesale Internet, in Kansas City, Missouri

SingleHop, in Chicago, Illinois

PremiaNet, in Las Vegas, Nevada

Interserver, in Secaucus, New Jersey

ISPrime, in Weehawken, New Jersey

Global Net Access, in Atlanta, Georgia

If you suspect that your system is infected, please contact the CCS Retail Systems Support Department.
