ISPs could have stopped massive click-fraud operation

In the wake of the massive DNSChanger click-fraud scam, security experts call on ISPs to do more

In the wake of the successful bust of an alleged click-fraud operation that netted cyber criminals more than $14 million, security experts are bringing to light more information that could help organizations and end-users alike protect themselves from similar threats. Experts are also asking whether ISPs could and should have done more to protect Internet users from the attacks that had been going on for four years.

Dell SecureWorks, for example, has released a report explaining how perpetrators allegedly managed to infect upward of 4 million PCs worldwide with the DNSChanger Trojan that enabled them to rack up illicit profits for so long. The FBI, meanwhile, has provided detailed information as to how organizations and users can assess if their systems are infected. Finally, the Spamhaus Project has observed that ISPs could have acted early on to protect Internet users from the Rove Digital cyber crime gang activities.

First, a refresher: The Department of Justice indicted seven individuals -- six from Estonia and one from Russia -- for allegedly setting up a phony Internet advertising agency. The group entered into agreements with online ad providers that would pay the group whenever its ads were clicked on by users. The group allegedly used malware called DNSChanger, which altered the domain name servers on infected machines, essentially redirecting requests for website addresses to the agency's advertisements, thereby generating illicit revenue.

According to Dell SecureWorks, the group managed to infect millions of machines over a four-year period using the TDSS rootkit, which, according to Kaspersky Lab, has been used it in various forms for the last three or four years in various ways, from drive-by downloads to targeted attacks. Secureworks reported seeing in recent weeks between 600,000 and 1 million unique IP addresses infected with the DNSChanger Trojan, which was downloaded and installed using TDSS, also known as Tidserv, TDSServ, and Alureon.

TDSS itself is tough to remove, Kaspersky has noted, and so is DNSChanger. The FBI is providing detailed information (PDF) to help users and organizations determine if their systems are infected. The process entails checking the DNS server settings on your computers, as well as though on your wireless access points of routers.

If your computer is configured to use one or more of the following rogue DNS servers, it may be infected with DNSChanger:

  • 85.255.112.0 through 85.255.127.255
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255

As law-enforcement agencies, IT admins, end-users, and victims of the alleged click-fraud operation work to clean up the mess, the folks at the Spamhaus Project are arguing that the world's ISPs could have done something to help identify and protect the affected users on their networks. "How would ISPs do this? By monitoring simple traffic patterns on their network, or if not that, by just blocking network traffic from their users to the known cyber criminal controlled areas of the Internet," wrote Spamhaus's Quentin Jenkins.

When DNS requests flow through an ISP's network before being routed onto the Internet, ISPs have an array of options as to what they can do with the traffic, Jenkins wrote. That includes logging, blocking, or rerouting of basic Internet protocols like DNS. ISPs could have used DROP-list (Don't Route Or Peer List), an index of cyber-criminal-controlled areas of the Internet, as a reference for blocking rogue DNS access or to log attempts and alert users to potential malware problems. Security pros at Spamhaus, Trend Micro, and elsewhere had started adding IP address ranges controlled by Rove Digital to DROP-list some years ago, according to Jenkins.

InfoWorld Security Adviser blogger Roger A. Grimes agreed with Jenkins's assessment. "For more than a decade, we've all known how to detect malicious patterns at the ISP level, but most ISPs (especially the foreign ones) literally don't care. Most of the others are worried about the legal liability of accidentally cutting off someone innocent (which is a very real risk)," he said.

That trend is finally changing, however. "Some ISPS are -- finally-- reacting and doing things. Comcast will detect bots on your computer, intercept your Internet browser traffic, and insert a warning into your browser," he said.

This story, "ISPs could have stopped massive click-fraud operation," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies