In the wake of the successful bust of an alleged click-fraud operation that netted cyber criminals more than $14 million, security experts are bringing to light more information that could help organizations and end-users alike protect themselves from similar threats. Experts are also asking whether ISPs could and should have done more to protect Internet users from the attacks that had been going on for four years.
Dell SecureWorks, for example, has released a report explaining how perpetrators allegedly managed to infect upward of 4 million PCs worldwide with the DNSChanger Trojan that enabled them to rack up illicit profits for so long. The FBI, meanwhile, has provided detailed information as to how organizations and users can assess if their systems are infected. Finally, the Spamhaus Project has observed that ISPs could have acted early on to protect Internet users from the Rove Digital cyber crime gang activities.
First, a refresher: The Department of Justice indicted seven individuals -- six from Estonia and one from Russia -- for allegedly setting up a phony Internet advertising agency. The group entered into agreements with online ad providers that would pay the group whenever its ads were clicked on by users. The group allegedly used malware called DNSChanger, which altered the DNS server settings on infected machines, essentially redirecting requests for website addresses to the agency's advertisements, thereby generating illicit revenue.
According to Dell SecureWorks, the group managed to infect millions of machines over a four-year period using the TDSS rootkit, which, according to Kaspersky Lab, has been used in various forms for the last three or four years, in delivery methods ranging from drive-by downloads to targeted attacks. SecureWorks reported seeing in recent weeks between 600,000 and 1 million unique IP addresses infected with the DNSChanger Trojan, which was downloaded and installed using TDSS, also known as Tidserv, TDSServ, and Alureon.
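Because DNSChanger works by rewriting a host's resolver settings, the check the FBI guidance boils down to is comparing the configured DNS servers against the rogue address ranges. The script below is an added illustration, not part of the SecureWorks report or the FBI material; the `ROGUE_RANGES` blocks and the resolv.conf text are constructed placeholders, since the article itself does not list the rogue ranges.

```python
import ipaddress

# Constructed placeholder ranges (TEST-NET blocks); substitute the published
# rogue resolver ranges for the gang's DNS servers, which this page does not list.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample resolver configuration in /etc/resolv.conf format.
SAMPLE_RESOLV_CONF = """\
# resolv.conf on a suspect host (constructed sample)
search corp.example
nameserver 192.0.2.45
nameserver 9.9.9.9
"""


def parse_nameservers(resolv_text):
    """Return the resolver addresses declared on 'nameserver' lines."""
    servers = []
    for line in resolv_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry; skip rather than abort the check
    return servers


def find_rogue_resolvers(servers, rogue_ranges=ROGUE_RANGES):
    """Return the configured resolvers that fall inside any rogue range."""
    return [str(s) for s in servers if any(s in net for net in rogue_ranges)]


if __name__ == "__main__":
    hits = find_rogue_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF))
    print("rogue resolvers:", hits or "none")
```

On a real host, feed it the contents of /etc/resolv.conf or the DNS server lines from the equivalent Windows adapter settings; any hit means the machine's lookups are being steered through the rogue infrastructure.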