FBI Operation Ghost Click takes out DNS Changer malware network operators

Filed Under: Law & order, Malware, OS X, Windows

The FBI is cock-a-hoop today, having just announced the bust of six Estonians for malware-related cybercrimes.

The case goes back to 2007, with the investigation itself apparently having taken two years.

The FBI claims that the gang infected 4,000,000 computers in 100 different countries - with 500,000 infections in the USA alone.

The crooks are also said to have raked in at least US$14,000,000 of fraudulently-obtained income as a result.

The investigation and bust was dubbed Operation Ghost Click because the cybercrooks used DNS Changer malware to take victims to sites they didn't expect. By changing the DNS settings of infected computers, the crooks could redirect clicks intended for site A to site B instead, or fraudulently convert adverts for service C into ads for service D.

Another thorn in the side of Ghost Click victims, as the FBI points out, is that once cybercrooks control your PC's DNS lookups, they can sneakily direct you away from security websites, anti-virus updates and more. This increases your overall exposure to danger and lets them fleece you for longer.

DNS is short for the Domain Name System. It provides the "lookup tables" which tell your computer where to find what on the internet.

For example, DNS will advise you that the website known by the human-friendly name of nakedsecurity.sophos.com can be found by computer-friendly number at, or, or, as it happens, at a range of other numbered servers online.

DNS will also tell you how to send mail to people with sophos.com email addresses, will tell you where Sophos sends its email from, and much more besides.

Most computer users rely on a DNS server provided by their employer or their ISP. The location of this server is typically configured automatically every time you reboot your PC.

(You can tell what DNS server or servers you're using by using the ipconfig /all command on Windows, or the Networking icon from System Preferences on OS X. You may see two or more DNS servers listed. That's for resilience, in case one of them fails.)

The correctness of your internet browsing experience is entirely dependent on the correctness of the DNS server you use. A dishonest DNS server can take you to fraudulent substitutes of any sites it likes.

And a dishonest DNS server can be hard to spot - most dodgy servers tell the truth most of the time, telling you strategic lies when a money-making opportunity arises. Crooks can replace legitimate adverts with shonky ones for a fee, or deliver pay-per-install malware instead of a trustworthy file download.

The FBI is advising that the dodgy DNS servers seen in this investigation fall into the following IP ranges:

   64. 28.176.0   to   64. 28.191.255
   67.210.  0.0   to   67.210. 15.255
   77. 67. 83.0   to   77. 67. 83.255   to   to
  213.109. 64.0   to  213.109. 79.255

The Feds also have a guidance document which tells you how to check your DNS settings if you are using Windows or OS X. (Yes, DNS Changer malware exists for the Mac, too.)


* if your DNS server is inside one of these ranges, you aren't necessarily infected;

* if your DNS server is outside these ranges, you aren't necessarily clean;

* resetting your DNS server if it's wrong won't fix the malware problem which changed it in the first place; and

* the DNS Changer malware family referred to in the FBI's article is just one of many thousands of malware families, each consisting of many thousands of samples.

If you're worried, check that your anti-virus is up-to-date, and verify your DNS server settings match what you'd expect for your PC. Your IT helpdesk or your ISP should be able to tell you what to look for.

, , , , , , , , , , ,

You might like

7 Responses to FBI Operation Ghost Click takes out DNS Changer malware network operators

  1. [redacted] · 1429 days ago

    Users should use original anti viruses and stop using pirated cheap ones.
    [Readacted], a security software company is conducting a survey to identify security threats being faced by organizations. Please click on the link and complete the 2minute survey. Participants are automatically enrolled in a Lucky Draw were iPod shuffles are to be won. http://www.surveymonkey.com/%5Breadacted%5D

    • Paul Ducklin · 1429 days ago


      I couldn't resist approving this comment (after removing the offending company name and URI, of course), which appeared within minutes of the article being published.

      It highlights in an amusing way - if also a mildly depressing one - the vacuous villainy of your average cyberscammer.

      (Naked Security readers are invited to suggest in their own comments which word or phrase in the article triggered the scambot - or scamtroll, if it was a human who did it - which posted the comment above...)

  2. Dave Wade · 1429 days ago

    DNS stands for Domain Name System. Your correction is incorrect!

  3. I've wondered for a while if it would make sense to have some sort of DNS filtering that would require the "first hop" to go to somewhere with the same certificate as your gateway IP....
    Of course, if you make this optional, the malware can just circumvent it -- and I know that I, for one, DON'T have my DNS server with the same group that hosts my gateway.
    At least some sort of a warning if the DNS isn't in your netblock or at least in your geolocation would be useful (if even more complex to set up).

    • hmeister · 1429 days ago

      Just when we thought it was safe to browse the internet - What will they think of next....!

  4. Mike · 1424 days ago

    You always learn something new on naked security........

    I had to google "cock-a-hoop" - hadn't heard that one before !

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog