Huge, Multinational Dragnet Takes Down Cyber-Mafia

Sometimes the good guys really do win.

On Nov. 8, the FBI, the Estonian police, and Trend Micro brought down what may be the largest shark yet caught in the criminal waters of the Internet. In a sting code-named “Operation Ghost Click,” law enforcement officials raided offices in New York City, Chicago, and Tartu, Estonia. At the time of the arrests, the alleged criminal network controlled over four million computers without the knowledge of those computers' owners.

Dubbed Esthost, and controlled by the Estonian company Rove Digital, the illegal network used counterfeit Domain Name Server (DNS) settings to control infected computers. DNS servers are a necessary part of the Internet, translating human-friendly URLs into computer-friendly IP addresses and thereby telling browsers where they can find particular Web pages. Chances are your PC uses a DNS server belonging to the company that provides your Internet service.

But the Esthost botnet (so called because the network controlled bots: remote-controlled, malware-infected computers) told infected PCs to use a different DNS server, allegedly controlled by Rove Digital. That allowed the operators to control which Web sites the victims actually reached.

When such individuals can control where people go on the Internet, they can make money in all sorts of ways. They can replace the advertising that helps keep legitimate sites running with ads of their own. They can change search results, sending victims to pages they want those people to visit. And through those websites, they can infect victims with additional malware.
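A host-side check for the kind of tampering described above, added here as an example; it is not code from the original article or from Trend Micro. The resolver configuration is a constructed sample, and the expected resolvers and "rogue" range are placeholders, not the real Esthost infrastructure.

```python
import ipaddress
import re

# Constructed sample in /etc/resolv.conf format. The second nameserver is not
# the provider's resolver and stands in for the setting a DNS-changing bot
# would write onto an infected host.
SAMPLE_RESOLV_CONF = """\
# generated by the network manager (constructed sample)
search example.lan
nameserver 192.0.2.53
nameserver 198.51.100.77
options timeout:2
"""

# Placeholders: in practice fill these from your ISP's published resolvers and
# from the rogue-resolver ranges published by law enforcement or your vendor.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
KNOWN_ROGUE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        match = re.match(r"nameserver\s+(\S+)", line)
        if match:
            try:
                servers.append(ipaddress.ip_address(match.group(1)))
            except ValueError:
                continue  # skip malformed entries rather than crash
    return servers


def audit_resolvers(resolv_conf_text, expected=EXPECTED_RESOLVERS,
                    rogue=KNOWN_ROGUE_RANGES):
    """Classify each configured resolver as expected, known-rogue or unexpected."""
    findings = {}
    for ip in parse_nameservers(resolv_conf_text):
        if str(ip) in expected:
            findings[str(ip)] = "expected"
        elif any(ip in net for net in rogue):
            findings[str(ip)] = "known-rogue"
        else:
            findings[str(ip)] = "unexpected"  # investigate before trusting it
    return findings


if __name__ == "__main__":
    for ip, verdict in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{ip}: {verdict}")
```

An "unexpected" verdict is not proof of infection, but any resolver that is neither the provider's nor one you configured deliberately deserves a look.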

Trend Micro suspected Rove Digital's involvement with the botnet as early as 2006. In the interest of successful arrests and prosecutions, the company chose to keep quiet in public, while informing law enforcement agencies about what was going on. They also, of course, kept their malware database up-to-date in order to protect users of their programs. For more on the alleged criminals and the arrest, take a look at this TrendLabs Malware Blog post.

One very large and dangerous malware operation is now gone. But others are still up, and new ones will inevitably arise to take Esthost's place. There's simply too much ill-gotten money to be made for that not to happen.

Your best defense is a strong security package, such as any one of the Trend Micro Titanium suites. The company that helped take down Esthost is watching out for you.
