Botnet of 4M zombies nuked in Operation Ghost Click

By Richi Jennings (@richi) - November 10, 2011.

Four million zombies have been orphaned from their now-dead botnet; six suspects have been arrested in Estonia. Operation Ghost Click has acted against various malware-mediated frauds and other crime. In IT Blogwatch, bloggers wonder why it took more than six years to bring the alleged perps to justice.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Symphony of Science - Onward to the Edge!...

Brian Krebs reports:

Estonian authorities arrested six men, including...the owner of several...companies that have been closely associated with the malware community for many years. ... All six men were arrested and taken into custody this week. ... A seventh [is] still at large.


[They] allegedly used a strain of malware generically known as DNS Changer to hijack victim computers [to redirect] Web browsers to ads. ... [It] didn't just infect Microsoft Windows...[it] would just as happily infect Mac[s]. ... [It] even hijacked DNS settings on wireless home routers.
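The quoted description turns on one thing: the malware's only persistent footprint is a rewritten resolver setting, on the host or on the router that hands out DNS via DHCP. That makes resolver drift a cheap thing to watch for. The following is an added example, not from Krebs's post or from any vendor tool: it parses resolv.conf-style text, compares every configured nameserver against an allowlist of networks the organization is assumed to sanction, and reports anything outside it (or anything unparsable, which is itself suspicious). The sample configuration, the allowlist and the 198.51.100.7 address (from the TEST-NET-2 documentation range, standing in for an attacker-controlled resolver) are all constructed; the same check applies to a router's DHCP-offered DNS list, since it only needs a list of addresses.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample of what a host's resolver config might look like after its
# DNS settings were silently rewritten. 198.51.100.7 is a documentation-range
# address used here as a placeholder for an attacker-controlled resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.7
options timeout:2
"""

# Assumed allowlist: the resolvers this organization actually operates or
# sanctions. Replace with your own.
APPROVED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/24"),     # internal resolvers
    ipaddress.ip_network("192.168.1.1/32"),  # home router forwarding DNS
]


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Extract the address of every 'nameserver' directive, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # strip trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unapproved_resolvers(servers: Iterable[str], approved) -> List[str]:
    """Return every resolver not inside an approved network.

    Entries that do not parse as IP addresses are reported as well: a malformed
    nameserver line is not something a sane network stack writes on its own.
    """
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        # 'in' returns False for an address/network version mismatch, so an
        # IPv6 resolver is correctly flagged against an IPv4-only allowlist.
        if not any(addr in net for net in approved):
            flagged.append(server)
    return flagged


def check_resolv_conf(text: str, approved=APPROVED_RESOLVERS) -> List[str]:
    """Parse resolv.conf-style text and return the resolvers that need a look."""
    return unapproved_resolvers(parse_nameservers(text), approved)


if __name__ == "__main__":
    for server in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"ALERT: unapproved resolver configured: {server}")
```

Run periodically (or on every DHCP lease change) and ship the alerts to whatever collects endpoint telemetry; a single host pointing at a resolver nobody in the organization recognizes is exactly the signal this kind of malware leaves behind.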

Dave Neal adds:

Infected computers could be found at places like NASA. ... [T]he malware also prevented the installation of anti-virus software. ... [U]sers, once infected, would remain that way.


The FBI estimates that the men made $14m from the scheme, which ran between 2007 and 2011.

Trend Micro's Dr. Feike Hacquebord and Paul Ferguson are proud researchers today:

In this operation, dubbed “Operation Ghost Click”...two data centers in New York City and Chicago were raided and...more than 100 servers [were] taken offline. At the same time the Estonian police arrested [suspects] in Tartu, Estonia.


We...knew what party was most likely behind the...botnet since 2006. We decided to hold [this] from publication in order to allow the law enforcement agencies to take proper legal action. ... Rove Digital is a seemingly legitimate IT company. ... In reality...[it's allegedly] making millions in ill-gained profits. ... In 2008, it was widely [alleged] that Esthost had many criminal customers.

Meghan Kelly talked more with Paul Ferguson:

[T]he Estonian group was [allegedly] able to affect upwards of 4 million people. ... Intercepting ad revenue became extremely lucrative...according to Ferguson...“$14 million is a low estimate,” since they simply cannot find the rest of the money.


Ferguson says beyond criminal activity, [there's] a culture issue. "A lot of [the FSU's] 'it's just business' attitude extends to what most of the rest of the world calls criminal activity."

But Richard Adams scoffs at the hyperbole:

4 million? MASSIVE?!?


That's like claiming the interception of one bale of weed at the Mexican Border is a Major Interdiction. Still, glad they're doing something. Every little bit helps.

And Finally...
Symphony of Science - Onward to the Edge!

Richi Jennings, your humble blogwatcher

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of Computerworld. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, he can be followed as @richi on Twitter, befriended as richij on Facebook, or reached by good old email: You can also read Richi's full profile and disclosure of his industry affiliations.

Copyright © 2011 IDG Communications, Inc.