FBI Takes Out $14M DNS Malware Operation

← Back to Stories (view on slashdot.org)

FBI Takes Out $14M DNS Malware Operation

Posted by samzenpus on Wednesday November 9, 2011 @10:38AM from the take-em-down dept.

coondoggie writes "U.S. law enforcement today said it had smashed what it called a massive, sophisticated Internet fraud scheme that injected malware in more than four million computers in over 100 countries while generating $14 million in illegitimate income. Of the computers infected with malware, at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA."

57 comments

Min score:

Reason:

Sort:

Last Post by Anonymous Coward · 2011-11-09 10:39 · Score: 3, Funny

Posted from one of the bots.
Nice job Feds. Credit when credit is due. by bazmail · 2011-11-09 10:43 · Score: 4, Insightful

Sometimes you just gotta hand it to 'em
1. Re:Nice job Feds. Credit when credit is due. by houstonbofh · 2011-11-09 10:49 · Score: 4, Funny
  
  Sometimes you just gotta hand it to 'em
  Other times, they just take it... :)
2. Re:Nice job Feds. Credit when credit is due. by AHuxley · 2011-11-09 12:04 · Score: 2
  
  $378.4bn into "dollar accounts" you get a $110m "forfeiture" i.e. 2% of your bank's $12.3bn profit.
  http://www.guardian.co.uk/world/2011/apr/03/us-bank-mexico-drug-gangs
  So strange how different parts of the US gov can find the cash and time to hunt cyber millions but fail to get a court to understand drug billions....
  
  --
  Domestic spying is now "Benign Information Gathering"
3. Re:Nice job Feds. Credit when credit is due. by d0cu · 2011-11-09 22:03 · Score: 1
  
  It only took them 2 years http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/a_cybercrime_hub.pdf
4. Re:Nice job Feds. Credit when credit is due. by Anonymous Coward · 2011-11-13 16:57 · Score: 0
  
  "at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA."
  An ounce of prevention is worth a pound of cure.
  And allowing this many infections to develop at once in the first place is perhaps a travesty in itself. These things should be taken care of quickly instead of waiting for infected machines to accumulate to huge numbers before doing anything about it.
Operating systems stats? by agm · 2011-11-09 10:45 · Score: 2

It would be interesting to see the breakdown of the operating systems the infected computers were running.
1. Re:Operating systems stats? by Anonymous Coward · 2011-11-09 10:49 · Score: 0, Insightful
  
  windows: 100%
  other: 0%
2. Re:Operating systems stats? by turbidostato · 2011-11-09 10:50 · Score: 0
  
  I don't think I'd be surprised at the results.
3. Re:Operating systems stats? by Jeng · 2011-11-09 10:55 · Score: 1
  
  Why do you say it would be interesting?
  The answer is such a given that your question is actually rhetorical.
  
  --
  Don't know something? Look it up. Still don't know? Then ask.
4. Re:Operating systems stats? by Baloroth · 2011-11-09 10:57 · Score: 4, Informative
  
  The FBI info PDF on the malware ( DNSChanger) lists instructions for checking OSX to see if you're infected. It also mentions the malware changes router settings if they are still at defaults. I'm guessing it infects Windows and Mac, with Linux/FreeBSD/Hurd being unaffected as per usual.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
5. Re:Operating systems stats? by Baloroth · 2011-11-09 11:00 · Score: 2
  
  Link looks bad, I know. (pretty sure it's clean) That is an advisory for the malware in question (DNSChanger) affecting mac OSX.... so no, it isn't rhetorical. The time of Windows being the only possible infected system is past. Probably thanks to Apple's meteoric rise in popularity.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
6. Re:Operating systems stats? by gsgriffin · 2011-11-09 11:10 · Score: 2
  
  This doesn't have to be an OS thing. Look into MiM and MitB and you'll see that it is now browser based.
  
  --
  jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
7. Re:Operating systems stats? by nepka · 2011-11-09 14:20 · Score: 2
  
  Sorry, but if you read TFA it says it affected OSX too.
8. Re:Operating systems stats? by Anonymous Coward · 2011-11-09 14:47 · Score: 0
  
  Hurd. Heh. You say that like it's real.
9. Re:Operating systems stats? by GNious · 2011-11-09 20:02 · Score: 1
  
  Nothing like this on the App Store ....
10. Re:Operating systems stats? by buglista · 2011-11-10 02:38 · Score: 1
  
  they tried a Linux version but Network Manager kept on rewriting /etc/resolv.conf.
11. Re:Operating systems stats? by Anonymous Coward · 2011-11-10 03:33 · Score: 0
  
  Linux fanboy?
  Or Apple?
  The answer to your question should be pretty obvious, even without a flashy chart classifying infection by OS.
  OH, and BTW...
  Watch out - they're beginning to target Macs now, as well...
  And Linux? Well, most of us know the first rootkit was developed for Unix. And with the sloppily-maintained codebases for most Linux distros, these clowns could have a heyday digging up vulnerabilities. And exploiting them. Windows rootkits really haven't been around all that long. I can still remember when GMER surfaced - and was the *only* anti-rootkit util for Win32.
  Times change....
  The guy with the biggest share will ALWAYS get targeted more. A bigger target is easier to hit (or defraud, I should say, in this case).
12. Re:Operating systems stats? by Wolfrider · 2011-11-10 06:08 · Score: 1
  
  --All of my browsing goes through a Linux-based Squid proxy with its own DNS settings, so I'm not really worried. Check it out, it's free:
  http://communities.vmware.com/message/1828477#1828477
  
  --
  .
  == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
13. Re:Operating systems stats? by Anonymous Coward · 2011-11-11 08:50 · Score: 0
  
  The few Mac issues in the wild all come from Linux.
4 million? MASSIVE?!? by ackthpt · 2011-11-09 10:57 · Score: 3, Interesting

That's like claiming the interception of one bale of weed at the Mexican Border is a Major Interdiction.
Still, glad they're doing something. Every little bit helps.

--

A feeling of having made the same mistake before: Deja Foobar
FBI stops DNS poisoning scheme by Compaqt · 2011-11-09 11:01 · Score: 4, Funny

The FBI managed to stop MAFIAA from passing PROTECT-IP?

--
I'm not a lawyer, but I play one on the Internet. Blog
easier to kick infested machines off? by Anonymous Coward · 2011-11-09 11:10 · Score: 0

Remember the UDP days? If you'd spam usenet, you'd be cut off. It was not determined by content, just by volume.
We need something similar for virus infections. If your machine gets pwned, and any external signs of that can be detected, you are immediately cut off the internet. No distinction: you can be a housewife, a bank, a government agency, whatever. Doesn't matter: you put an infected machine on the internet, and your connection is disabled until you have clearly demonstrated that you have fixed the problem. After your third strike, you ALSO have to demonstrate that you have taken reasonable action to stop having this problem in the future.
Because goddamn it, it just *isn't that bloody hard*. Seriously. Computers are a core part of modern life. It's possible to run a safe Windows machine, although it takes more knowledge than it does for iOS or Linux say. If you don't have that knowledge, either (A) pay someone else to manage it for you, (B) learn, (C) pick a more secure OS that's easier to avoid malware, or (D) stop using the public internet.
We don't let drivers that crash their vehicles all the time drive on public roads. Time to institute this for the internet. We've had personal computing for 40-odd years now. It's really long past time to learn how the hell to secure your box. There is NO security, no anti-virus program, *nothing*, that can make up for ignorant people. So the only solution is at a social level: we must institute penalties for ignorance. Only that way will the average dude get off his ass and learn not to run HotGirlsNaked.exe. Otherwise, there is nothing in it for him, and there IS NO technical solution to human stupidity. The reason that average dude can sorta-kinda drive without plowing into things left and right is because there is a severe penalty for him if he causes damage to the public or public resources with his car. The internet is a public resource. To avoid the tragedy of the commons, there MUST be a penalty for abusing it.
1. Re:easier to kick infested machines off? by bill_mcgonigle · 2011-11-09 11:33 · Score: 1
  
  you put an infected machine on the internet, and your connection is disabled until you have clearly demonstrated that you have fixed the problem.
  I used to advocate a messaging system whereby _anybody_ could send a (PGP) signed 'disable' message to an IP address to get the machine turned off at the router. Whether this message got propagated or acted upon would depend on the level of trust in the signer - not unlike BGP. In today's NAT world it might need to be a bit more complex than I'd thought about in the 90s.
  But I fear the time has passed for Internet governance to do this without the government barging in, and then it would be too tempting to shut down he political opposition, 'terrists' or the like.
  It's possible to run a safe Windows machine, although it takes more knowledge than it does for iOS or Linux say.
  I doubt it. There was a story yesterday that 60% of malware found in the wild has no AV-software coverage.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
2. Re:easier to kick infested machines off? by rdebath · 2011-11-09 21:21 · Score: 2
  
  I doubt it. There was a story yesterday that 60% of malware found in the wild has no AV-software coverage.
  Why should that be a surprise? AV software is installed on every vulnerable PC sold and even without updates it mostly protects against all the old threats. Even after that there is a pretty good chance it's infernal nagging for a credit card will get an updated AV installed, with or without a CC. The "mindshare" has been built, everybody believes that Windows must have anti-virus.
  But, as has been said repeatedly the AV industry is reactive (though they are starting to try to solve the HARD problem of being intelligently proactive) so all an attacker has to do is make sure that the initial infection vector is obscure. If the initial infection disables the AV it can then download anything; including corpses of old viruses to blame and new updates to run with. The result is that the initial infecting agent will probably no longer exist on the machine, either the botnet will have been upgraded to the most recent version, which isn't yet on the the AV list, or the initial infector will be hidden away to try and stop it getting on the lists at all.
  When I consider it, if I was in "the business", I'd be trying pretty hard to keep information out of the hands of the AV "white hats" and it wouldn't really be difficult, I'd just have to keep changing things to keep one step ahead.
3. Re:easier to kick infested machines off? by GameboyRMH · 2011-11-10 06:43 · Score: 1
  
  Some ISPs do this, they'll redirect all webpages to a warning page if mass spammings are detected from your connection.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
hmm, need to read the FA by Seedy2 · 2011-11-09 11:17 · Score: 1

Oh wait, so it's not about Skype?

--
Nothing to say here... move along
Socializing the externalities by bill_mcgonigle · 2011-11-09 11:26 · Score: 1

It would be interesting to see the breakdown of the operating systems the infected computers were running.
Ah, we're all about socializing the externalities for the corporations these days. How much of this bill do you think Microsoft will pick up? How about 'none' so they have no real incentive to secure their products?
Heck, it justifies a larger FBI, so they'll probably give them a metal for being so cooperative.

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
1. Re:Socializing the externalities by Anonymous Coward · 2011-11-09 12:00 · Score: 1
  
  they'll probably give them a metal for being so cooperative.
  I'd like to give Microsoft a small amount of lead, not very much, but I'd like to do it as fast as possible. About 680 MPH fast. ;)
2. Re:Socializing the externalities by Anonymous Coward · 2011-11-09 12:11 · Score: 0
  
  None because it's not their fault that hackers broke into their OS and did illegal shit. Are you suggesting that we sue every single Linux contributor when there's an exploit out in the wild? Fuck off.
3. Re:Socializing the externalities by scarboni888 · 2011-11-09 13:04 · Score: 1
  
  Difference here being the Linux contributors aren't making you pay for their software, right?
  So it's not really a fair comparison IMO
4. Re:Socializing the externalities by Raenex · 2011-11-09 13:45 · Score: 1
  
  Then sue companies like Red Hat. I'm sure the folks here would be OK with that, right?
Re:4 million? MASSIVE?!? by Anonymous Coward · 2011-11-09 11:44 · Score: 0

Minor difference:
American citizens want weed.
Malware.. Not so much.
Of course, there are some remaining problems... by Arrogant-Bastard · 2011-11-09 12:14 · Score: 3, Interesting

...because there are now 4 million pre-compromised systems in the field. It's a certainty that they are now all attractive targets for anyone clever enough to detect them and acquire control of them. I think chances are quite good that as you're reading this, more than one person/group is attempting that very thing. They'll probably succeed. And when they do, they'll use yet another C&C mechanism to organize them, harness them, and get on to whatever mischief they choose.

Seen in that context, this announcement is just a PR exercise. It has no real significance.
1. Re:Of course, there are some remaining problems... by plover · 2011-11-10 05:15 · Score: 1
  
  Reading Krebs' article on the topic, the FBI has partnered with ISC to help plan a substitute DNS to stand in for the people whose computers are infected, to notify the ISPs, and to devise a plan to help get their computers cleaned up. The bigger problem is it's a boot sector infection that they don't yet appear to have a way of safely removing.
  Personally, I'd rather disenfranchise them. ISC could stand up a substitute DNS server to resolve every address to a redirector site that sends them to a page on fbi.gov explaining that they've been hacked, and they need to bring their computer to a reputable dealer to have the infection removed.
  Or maybe they only do this on Tuesdays and Fridays, or for the first 10 names resolved. Just enough annoyance to get their lazy bones off the couch and take care of the problem.
  
  --
  John
Your PC was worth $3.50 to the botnet by billstewart · 2011-11-09 12:27 · Score: 1

Congratulations! The Botnet operators thought $3.50 (for them) was worth more than (probability you noticed a problem) * (all the effort and money it would take you to fix it.) Of course, if you're a typical botnet zombie host, the effort and cost were $0, plus a bit extra because your PC is running slower, but hey, you had lots of bogomips to spare.

--

Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Re:4 million? MASSIVE?!? by Anonymous Coward · 2011-11-09 13:48 · Score: 0

Lets point those 4 million at your ipaddress and let you tell us how massive a DOS that would be.
How to check DNS server settings on OS X by DrProton · 2011-11-09 13:59 · Score: 3, Informative

This is good on Lion and Snow Leopard AFAIK: networksetup -getdnsservers Ethernet Wi-Fi
This command has extensive help: networksetup -help
I use networksetup every day. I have numerous makefile targets that change my network settings based on my location. I'm a a road warrior changing networks frequently and using a VPN and ssh to connect to the corporate network.

--
"Mit der Dummheit kaempfen Goetter selbst vergebens." - Schiller
1. Re:How to check DNS server settings on OS X by Anonymous Coward · 2011-11-09 20:19 · Score: 0
  
  If you prefer a non command line method for the same thing:
  System Preferences -> Network -> select network on the left -> click Advanced at bottom right -> Click on DNS tab to see current dns Ip addresses.
  Also in Network you can use the location drop down at the top of the window to make a new group of network settings (called a location) or pick from one of your predefined locations... makefiles + networksetup may be overkill for many users needs.
2. Re:How to check DNS server settings on OS X by Wolfrider · 2011-11-10 06:13 · Score: 1
  
  Mod parent up!
  
  --
  .
  == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
malware infects 'computers` by microphage · 2011-11-09 15:12 · Score: 1

"U.S. law enforcement today said it had smashed what it called a massive, sophisticated Internet fraud scheme that injected malware in more than four million computers in over 100 countries while generating $14 million in illegitimate income. Of the computers infected with malware, at least 500,000 were in the United States, including computers belonging to U.S. government agencies, such as NASA".

Did any of these malware infested 'computers` run Microsoft Windows?
Windows+Router attack, not OSX by Anonymous Coward · 2011-11-09 16:18 · Score: 0

I read the link but it didn't mention OSX.
Let me guess, a Windows turfer? Because you misled people into thinking it was OSX, and added 'Linux' compliment on to get votes.
1. Re:Windows+Router attack, not OSX by elp · 2011-11-09 20:11 · Score: 2
  
  I read the link but it didn't mention OSX.
  Let me guess, a Windows turfer? Because you misled people into thinking it was OSX, and added 'Linux' compliment on to get votes.
  Instructions for apple are on page 4 half way down. Did you fail reading in high school?
That's worth $3.49 more than your geek card:) by EETech1 · 2011-11-09 18:05 · Score: 1

Don't you have to be running Linux to have BogoMIPS?
Wouldn't these machines likely be running a different operating system?
Cheers
1. Re:That's worth $3.49 more than your geek card:) by ewanm89 · 2011-11-10 02:01 · Score: 1
  
  Well, as BogoMIPS is a benchmark of processor cycles then yes and no, one still has those cycles on any OS. They just would only get measured in that specific unit if on linux.
2. Re:That's worth $3.49 more than your geek card:) by EETech1 · 2011-11-10 09:20 · Score: 1
  
  Well wouldn't ya know it...
  djwong.org/programs/bogomips/
  Someone did a Windows port!
  I stand corrected, my joke was not funny, or technically correct.
  Cheers!
3. Re:That's worth $3.49 more than your geek card:) by billstewart · 2011-11-12 19:15 · Score: 1
  
  BogoMIPS is a measure of hardware performance. True, it's a benchmark mainly used by Linux, as opposed to WinBench or FPS-with-some-game, but that doesn't matter; we're not talking about the botnets exploiting a bug in the benchmarking program to get it to do work for them :-) But they're the current benchmark; I've also used machines during the years when we benchmarked in SPECints, in Dhrystones and Whetstones, and in MIPS, and before that (since "1 MIPS" was canonically the speed of a VAX 11/780, and I'd used a couple generations of PDP-11s, IBM mainframes, HP minicomputers, IBM System 34, and an IBM 403 whose speed was probably best measured in punch cards processed per hour), though these days I'm generally more interested in benchmarks like megabits/gigabits per second or packets per second, and in real Mbps vs. vendor-claimed Mbps.
  
  --
  
  Bill Stewart
  New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Estonians? by Anonymous Coward · 2011-11-09 18:48 · Score: 0

Article mentions that the criminals were estonians, but when I read the local news, yes I am from Estonia, I realized that all of them were actually russians. They just happen to have citizenship of Estonia.
1. Re:Estonians? by gl4ss · 2011-11-10 00:49 · Score: 1
  
  Article mentions that the criminals were estonians, but when I read the local news, yes I am from Estonia, I realized that all of them were actually russians. They just happen to have citizenship of Estonia.
  well, they are estonians. that they just happen to have estonian nationality on their papers makes it so. and one russian.
  or if you take another stance you might as well go around running and shouting that linus is swedish.
  
  --
  world was created 5 seconds before this post as it is.
The computers seized were running by NSN+A392-99-964-5927 · 2011-11-09 20:52 · Score: 1

FBI code named Magic Lantern (botnet) eeek!

--
All cows eat grass!
Oh, yeah? by Mathinker · 2011-11-09 22:12 · Score: 1

http://en.wikipedia.org/wiki/BonziBUDDY
If it's packaged nicely....
DARE 2.0 by ThatsNotPudding · 2011-11-10 00:40 · Score: 1

DNS Abuse Resistance Education and MacRuff, the Router Crime Dog.
1. Re:DARE 2.0 by Anonymous Coward · 2011-11-10 02:43 · Score: 0
  
  DNS Abuse Resistance Education and MacRuff, the Router Crime Dog.
  
  Help take a byte outa crime!
Good for them! by hesaigo999ca · 2011-11-10 02:31 · Score: 1

Finally doing some good in the world, keep it up, feels good to the rest of us.
Typical government by tehcyder · 2011-11-10 03:28 · Score: 1

Interfering in the free market.

--
To have a right to do a thing is not at all the same as to be right in doing it