Estonian and Russian hackers hijacked over 4 million computers and raked in about $14 million over four years, beginning in 2007.
They used the DNSChanger trojan to build a botnet that diverted web traffic to advertisers who paid for traffic delivery.
The trojan pointed each infected system's DNS settings at rogue resolvers run by the botnet operators, giving them control over how every hostname on the machine was resolved and, with it, where its outbound Internet traffic ended up.
The botnet and DNS servers were controlled by Rove Digital, an Estonian company, with its hosting subsidiary Esthost.
The trojan was an installer disguised as a codec supposedly required to watch website video content, and was spread widely through pornographic websites. Victims' computers were infected when they visited these websites or downloaded the "video viewing software".
In a joint operation between the FBI and the Estonian police, Tsastsin and five other people from Rove Digital were arrested. The FBI had the command-and-control server taken down, along with the rogue DNS servers hosted in New York and Chicago.
F-Secure's description of Trojan:W32/DNSChanger gives further detail:
http://www.f-secure.com/v-descs/dnschang.shtml
The trojan is a small file (about 1.5 KB) that changes the 'NameServer' registry value to an attacker-chosen IP address, which is usually stored encrypted in the body of the trojan. Once the value is changed, all name resolution from the machine goes to the rogue DNS server.
The trojan was distributed under file names such as 'PayPal-2.5.200-MSWin32-x86-2005.exe'.
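Since the infection leaves its mark in that one registry value, the simplest check for a DNSChanger-style compromise is to read the 'NameServer' value of every TCP/IP interface and compare the configured resolvers against the rogue address ranges that the FBI published after the takedown. The script below is an added example, not code from the original post or from F-Secure; the six ranges are reproduced from memory of the FBI notice and should be verified against it before use, the registry dump used when the script runs off Windows is constructed sample data, and the function and interface names are the example's own.

```python
import ipaddress
import sys

# Rogue resolver ranges attributed to the DNSChanger infrastructure.
# Assumed here from the FBI's Operation Ghost Click notice; verify before relying on them.
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# Constructed sample of per-interface 'NameServer' values, shaped like the registry data.
# Not taken from a real machine.
SAMPLE_REGISTRY = {
    "{AAAAAAAA-0000-0000-0000-000000000001}": "85.255.112.36,85.255.112.41",  # DNSChanger-style setting
    "{BBBBBBBB-0000-0000-0000-000000000002}": "",                             # DHCP-assigned, no static value
    "{CCCCCCCC-0000-0000-0000-000000000003}": "8.8.8.8 8.8.4.4",              # legitimate static resolvers
}


def parse_nameserver(value):
    """Split a 'NameServer' string (comma- or space-separated) into IPv4 addresses.

    Tokens that are not IPv4 literals are skipped rather than aborting the audit.
    """
    servers = []
    for token in value.replace(",", " ").split():
        try:
            servers.append(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            pass
    return servers


def is_rogue(addr):
    """True if the address (str or IPv4Address) falls inside any rogue range."""
    addr = ipaddress.IPv4Address(addr)
    return any(addr in net for net in ROGUE_RANGES)


def audit(interfaces):
    """Map each interface whose resolvers include a rogue address to the list of those addresses."""
    findings = {}
    for iface, value in interfaces.items():
        rogue = [str(a) for a in parse_nameserver(value) if is_rogue(a)]
        if rogue:
            findings[iface] = rogue
    return findings


def read_windows_interfaces():
    """Read every interface's 'NameServer' value from the live registry (Windows only)."""
    import winreg  # only importable on Windows, hence the local import
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    interfaces = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        subkey_count = winreg.QueryInfoKey(root)[0]
        for i in range(subkey_count):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as key:
                try:
                    value, _ = winreg.QueryValueEx(key, "NameServer")
                except FileNotFoundError:
                    value = ""  # no static resolver configured on this interface
                interfaces[guid] = value
    return interfaces


if __name__ == "__main__":
    data = read_windows_interfaces() if sys.platform == "win32" else SAMPLE_REGISTRY
    findings = audit(data)
    for iface, rogue in findings.items():
        print(f"{iface}: NameServer points at rogue DNS {', '.join(rogue)}")
    if not findings:
        print("No interface points at a known rogue DNS range.")
```

Run it on the suspect machine as an administrator so the HKLM keys are readable; on any other platform it audits the constructed sample instead. It only inspects the static 'NameServer' value that the trojan writes, so a resolver pushed by DHCP (recorded under 'DhcpNameServer') would need a separate check, and a clean result here does not prove the host is otherwise uninfected.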
-Joseph Ponnoly