The FBI is cock-a-hoop today, having just announced the bust of six Estonians for malware-related cybercrimes.
The case goes back to 2007, with the investigation itself apparently having taken two years.
The FBI claims that the gang infected 4,000,000 computers in 100 different countries – with 500,000 infections in the USA alone.
The crooks are also said to have raked in at least US$14,000,000 of fraudulently-obtained income as a result.
The investigation and bust were dubbed Operation Ghost Click because the cybercrooks used DNS Changer malware to take victims to sites they didn’t expect. By changing the DNS settings of infected computers, the crooks could redirect clicks intended for site A to site B instead, or fraudulently convert adverts for service C into ads for service D.
Another thorn in the side of Ghost Click victims, as the FBI points out, is that once cybercrooks control your PC’s DNS lookups, they can sneakily direct you away from security websites, anti-virus updates and more. This increases your overall exposure to danger and lets them fleece you for longer.
DNS is short for the Domain Name System. It provides the “lookup tables” which tell your computer where to find what on the internet.
For example, DNS will advise you that the website known by the human-friendly name of nakedsecurity.sophos.com can be found by computer-friendly number at 72.233.104.123, or 76.74.255.117, or, as it happens, at a range of other numbered servers online.
DNS will also tell you how to send mail to people with sophos.com email addresses, will tell you where Sophos sends its email from, and much more besides.
Most computer users rely on a DNS server provided by their employer or their ISP. The location of this server is typically configured automatically every time you reboot your PC.
(You can tell what DNS server or servers you’re using by using the ipconfig /all command on Windows, or the Networking icon from System Preferences on OS X. You may see two or more DNS servers listed. That’s for resilience, in case one of them fails.)
The correctness of your internet browsing experience is entirely dependent on the correctness of the DNS server you use. A dishonest DNS server can take you to fraudulent substitutes of any sites it likes.
And a dishonest DNS server can be hard to spot – most dodgy servers tell the truth most of the time, telling you strategic lies when a money-making opportunity arises. Crooks can replace legitimate adverts with shonky ones for a fee, or deliver pay-per-install malware instead of a trustworthy file download.
The FBI is advising that the dodgy DNS servers seen in this investigation fall into the following IP ranges:
* 64.28.176.0 to 64.28.191.255
* 67.210.0.0 to 67.210.15.255
* 77.67.83.0 to 77.67.83.255
* 85.255.112.0 to 85.255.127.255
* 93.188.160.0 to 93.188.167.255
* 213.109.64.0 to 213.109.79.255
The Feds also have a guidance document which tells you how to check your DNS settings if you are using Windows or OS X. (Yes, DNS Changer malware exists for the Mac, too.)
Unfortunately:
* if your DNS server is inside one of these ranges, you aren’t necessarily infected;
* if your DNS server is outside these ranges, you aren’t necessarily clean;
* resetting your DNS server if it’s wrong won’t fix the malware problem which changed it in the first place; and
* the DNS Changer malware family referred to in the FBI’s article is just one of many thousands of malware families, each consisting of many thousands of samples.
If you’re worried, check that your anti-virus is up-to-date, and verify your DNS server settings match what you’d expect for your PC. Your IT helpdesk or your ISP should be able to tell you what to look for.
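To turn the FBI's list and the checking advice above into something repeatable, here is an added example (mine, not code from the article, Sophos or the FBI). It derives CIDR blocks from the published start/end pairs, pulls the configured DNS servers out of a constructed, hypothetical `ipconfig /all` transcript, and reports each one. The assumed layout (a "DNS Servers" label line followed by indented continuation lines holding further addresses) matches how Windows prints the list, but the sample text itself is made up. In line with the article's caveats, a hit is flagged as "investigate", not "infected", and a miss is explicitly not treated as proof of a clean machine.

```python
import ipaddress
import re

# Rogue DNS server ranges as published in the FBI's Operation Ghost Click advisory.
# (start, end) pairs are copied from the article; CIDR blocks are derived at runtime
# so nothing has to be hand-converted.
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("213.109.64.0", "213.109.79.255"),
]

ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def is_rogue_dns(ip: str) -> bool:
    """True if the address falls inside one of the FBI-published IPv4 ranges."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False  # IPv6 or junk: the published ranges only cover IPv4
    return any(addr in net for net in ROGUE_NETWORKS)


_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def dns_servers_from_ipconfig(text: str) -> list:
    """Extract DNS server addresses from `ipconfig /all` output.

    Assumed layout: the first server sits on the "DNS Servers" label line and
    extra servers follow on indented lines with no "Label . . : value" separator.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            collecting = True
        elif " : " in line or not stripped:
            collecting = False  # next labelled line or a blank line ends the list
        if collecting:
            servers.extend(_IPV4.findall(stripped))
    return servers


def check_dns_servers(servers):
    """Classify each server; returns a list of (ip, verdict) tuples."""
    results = []
    for ip in servers:
        if is_rogue_dns(ip):
            results.append((ip, "IN FBI ROGUE RANGE - investigate this machine"))
        else:
            results.append((ip, "outside published ranges (not proof of a clean PC)"))
    return results


# Constructed sample (hypothetical): a Windows host whose first DNS server
# has been pointed into one of the published ranges.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.invalid
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for ip, verdict in check_dns_servers(dns_servers_from_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{ip:16} {verdict}")
```

On a real machine you would feed the output of `ipconfig /all` into `dns_servers_from_ipconfig` instead of the sample string; the range check itself is the same whichever operating system produced the address list, so the same `is_rogue_dns` call works for servers read from OS X's Network preferences too.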
Users should use original anti-viruses and stop using pirated cheap ones.
[Redacted], a security software company is conducting a survey to identify security threats being faced by organizations. Please click on the link and complete the 2-minute survey. Participants are automatically enrolled in a Lucky Draw where iPod shuffles are to be won. http://www.surveymonkey.com/[readacted]
Hahahahahaha.
I couldn't resist approving this comment (after removing the offending company name and URI, of course), which appeared within minutes of the article being published.
It highlights in an amusing way – if also a mildly depressing one – the vacuous villainy of your average cyberscammer.
(Naked Security readers are invited to suggest in their own comments which word or phrase in the article triggered the scambot – or scamtroll, if it was a human who did it – which posted the comment above…)
DNS stands for Domain Name System. Your correction is incorrect!
It is. I have corrected it. Thanks.
I’ve wondered for a while if it would make sense to have some sort of DNS filtering that would require the “first hop” to go to somewhere with the same certificate as your gateway IP….
Of course, if you make this optional, the malware can just circumvent it — and I know that I, for one, DON’T have my DNS server with the same group that hosts my gateway.
At least some sort of a warning if the DNS isn’t in your netblock or at least in your geolocation would be useful (if even more complex to set up).
Just when we thought it was safe to browse the internet – What will they think of next….!
You always learn something new on naked security……..
I had to google “cock-a-hoop” – hadn’t heard that one before !