FBI Operation Ghost Click takes out DNS Changer malware network operators

The FBI is cock-a-hoop today, having just announced the bust of six Estonians for malware-related cybercrimes.

The case goes back to 2007, with the investigation itself apparently having taken two years.

The FBI claims that the gang infected 4,000,000 computers in 100 different countries – with 500,000 infections in the USA alone.

The crooks are also said to have raked in at least US$14,000,000 of fraudulently-obtained income as a result.

The investigation and bust was dubbed Operation Ghost Click because the cybercrooks used DNS Changer malware to take victims to sites they didn’t expect. By changing the DNS settings of infected computers, the crooks could redirect clicks intended for site A to site B instead, or fraudulently convert adverts for service C into ads for service D.

Another thorn in the side of Ghost Click victims, as the FBI points out, is that once cybercrooks control your PC’s DNS lookups, they can sneakily direct you away from security websites, anti-virus updates and more. This increases your overall exposure to danger and lets them fleece you for longer.

DNS is short for the Domain Name System. It provides the “lookup tables” which tell your computer where to find what on the internet.

For example, DNS will advise you that the website known by the human-friendly name of nakedsecurity.sophos.com can be found by computer-friendly number at, or, or, as it happens, at a range of other numbered servers online.

DNS will also tell you how to send mail to people with sophos.com email addresses, will tell you where Sophos sends its email from, and much more besides.

Most computer users rely on a DNS server provided by their employer or their ISP. The location of this server is typically configured automatically every time you reboot your PC.

(You can tell what DNS server or servers you’re using by using the ipconfig /all command on Windows, or the Networking icon from System Preferences on OS X. You may see two or more DNS servers listed. That’s for resilience, in case one of them fails.)

The correctness of your internet browsing experience is entirely dependent on the correctness of the DNS server you use. A dishonest DNS server can take you to fraudulent substitutes of any sites it likes.

And a dishonest DNS server can be hard to spot – most dodgy servers tell the truth most of the time, telling you strategic lies when a money-making opportunity arises. Crooks can replace legitimate adverts with shonky ones for a fee, or deliver pay-per-install malware instead of a trustworthy file download.

The FBI is advising that the dodgy DNS servers seen in this investigation fall into the following IP ranges:

   64.28.176.0    to   64.28.191.255
   67.210.0.0     to   67.210.15.255
   77.67.83.0     to   77.67.83.255
   213.109.64.0   to   213.109.79.255

The Feds also have a guidance document which tells you how to check your DNS settings if you are using Windows or OS X. (Yes, DNS Changer malware exists for the Mac, too.)


* if your DNS server is inside one of these ranges, you aren’t necessarily infected;

* if your DNS server is outside these ranges, you aren’t necessarily clean;

* resetting your DNS server if it’s wrong won’t fix the malware problem which changed it in the first place; and

* the DNS Changer malware family referred to in the FBI’s article is just one of many thousands of malware families, each consisting of many thousands of samples.

If you’re worried, check that your anti-virus is up-to-date, and verify your DNS server settings match what you’d expect for your PC. Your IT helpdesk or your ISP should be able to tell you what to look for.
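
The range check described above, as an added example (not part of the original article or the FBI's guidance): this Python script converts the four ranges listed on this page to CIDR networks and tests the resolvers found in English-language `ipconfig /all` output. The sample output, its addresses and the function names are constructed for illustration; as the caveats above say, a match or a miss is an indicator only.

```python
import ipaddress
import re

# The four ranges as listed on this page (first address, last address).
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
]

# Collapse each first-last pair into CIDR networks for membership tests.
ROGUE_NETS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample of `ipconfig /all` output (addresses are made up).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.70.5
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers_from_ipconfig(text):
    """Return the IPv4 resolvers listed under 'DNS Servers' (IPv6 is ignored)."""
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
            servers += IPV4.findall(line)
        elif in_dns and ":" not in line and IPV4.search(line):
            # Additional resolvers sit on their own indented lines, without a label.
            servers += IPV4.findall(line)
        else:
            in_dns = False
    return servers

def flag_rogue(servers):
    """Map each resolver to the listed range it falls in, or None."""
    return {s: next((str(n) for n in ROGUE_NETS if ipaddress.ip_address(s) in n), None)
            for s in servers}

if __name__ == "__main__":
    print(flag_rogue(dns_servers_from_ipconfig(SAMPLE_IPCONFIG)))
```

On a live Windows machine, feed the function the captured text of `ipconfig /all` instead of the sample.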