Very recently, there was a huge uproar about the DNSChanger botnet, which functioned in the same manner as explained in my previous blog post about the DNS MITM attack, but instead of targeting only the CPE, it also changed the DNS entries within the infected PC itself. The payload in this case was once again ad click fraud.
Click fraud is a type of Internet crime that occurs in pay per click online advertising when a person, automated script or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad’s link. Click fraud is the subject of some controversy and increasing litigation due to the advertising networks being a key beneficiary of the fraud.
The FBI initiated Operation Ghost Click, took over the DNS infrastructure of the botnet and replaced it with legitimate servers. This was done to ensure that users and businesses affected by the bot get ample time to clean up their systems before the complete infrastructure is taken down. But this act by the FBI was legally bound to a specific time frame, which was set to expire on 8th March 2012. The FBI has now sought an extension to keep this surrogate infrastructure alive for a few more months. For more information on detection you may download the article published by the FBI.
Had they not sought an extension then, the infrastructure would have been pulled down, which in turn would have affected thousands of infected PCs worldwide.
Whether it is the CPE's DNS settings that are changed or those of the PC, the end user is affected. We just cannot rely on court orders to ensure the smooth functioning of the Internet and its users.
There have been instances where an entire ISP was affected by DNS cache poisoning attacks. These attacks target vulnerable DNS servers, and the caches of those servers are poisoned with malicious records pointing to malicious web servers.
Three different methods, but the end result is the same: the user's DNS resolution is hijacked.
In order to address these attack scenarios, we have added logic to our MWAV toolkit that checks for DNS poisoning and corrects it too. The toolkit can be downloaded from here.
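To illustrate the kind of check such a toolkit performs on the PC side (the DNSChanger case above, where the resolver entries of the infected machine are changed), here is an added example that is not part of this post and not MWAV's own code. It parses the configured DNS servers from either an `ipconfig /all` excerpt or a `resolv.conf`, flags any resolver that is not inside the expected ranges (the CPE/LAN here) or that falls in a known-rogue range, and rebuilds a clean `resolv.conf`. The sample inputs are constructed, and the rogue range is a TEST-NET placeholder: a real check would load the rogue ranges from a published list such as the FBI write-up linked above.

```python
import ipaddress
import re

# Constructed sample input: a Windows "ipconfig /all" excerpt in which the second
# DNS server has been changed to an address outside the LAN (the DNSChanger pattern).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.57
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample input: a Unix /etc/resolv.conf with the same problem.
SAMPLE_RESOLV_CONF = """\
# generated by dhcp
nameserver 203.0.113.57
nameserver 10.0.0.1
"""

# Resolvers a home or office PC is expected to use: the CPE / LAN (RFC 1918 space).
# Placeholder policy; an organisation would add its own trusted public resolvers here.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Known-rogue resolver ranges belong in a published denylist; TEST-NET-3 is a placeholder.
ROGUE_RESOLVERS = [ipaddress.ip_network("203.0.113.0/24")]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def parse_resolvers(text):
    """Extract configured IPv4 DNS servers from ipconfig /all or resolv.conf text."""
    resolvers = []
    in_dns_block = False  # true while inside a multi-line "DNS Servers" entry
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(" + IPV4 + ")", line)
        if m:
            resolvers.append(m.group(1))
            continue
        m = re.match(r"\s*DNS Servers.*?:\s*(" + IPV4 + ")", line)
        if m:
            resolvers.append(m.group(1))
            in_dns_block = True
            continue
        m = re.match(r"\s+(" + IPV4 + r")\s*$", line)
        if in_dns_block and m:
            resolvers.append(m.group(1))  # continuation line holding only an address
            continue
        in_dns_block = False
    return resolvers


def classify_resolver(addr):
    """'rogue' if in a denylisted range, 'expected' if in policy, else 'unexpected'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ROGUE_RESOLVERS):
        return "rogue"
    if any(ip in net for net in EXPECTED_RESOLVERS):
        return "expected"
    return "unexpected"


def check_resolvers(text):
    """Return (suspicious, clean) lists of (address, verdict) pairs."""
    suspicious, clean = [], []
    for addr in parse_resolvers(text):
        verdict = classify_resolver(addr)
        (clean if verdict == "expected" else suspicious).append((addr, verdict))
    return suspicious, clean


def corrected_resolv_conf(text, fallback="10.0.0.1"):
    """Rebuild resolv.conf keeping only expected resolvers; fall back to the gateway
    (placeholder address) when nothing trustworthy remains."""
    _, clean = check_resolvers(text)
    keep = [addr for addr, _ in clean] or [fallback]
    return "".join(f"nameserver {a}\n" for a in keep)


if __name__ == "__main__":
    for name, sample in (("ipconfig", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV_CONF)):
        suspicious, clean = check_resolvers(sample)
        print(f"{name}: suspicious={suspicious} clean={clean}")
    print(corrected_resolv_conf(SAMPLE_RESOLV_CONF), end="")
```

The check is an allowlist first and a denylist second: a resolver outside the LAN is reported as unexpected even when it is not on any published rogue list, which is what catches a freshly rotated botnet range. Only IPv4 entries are parsed; the same structure extends to IPv6 by widening the address pattern.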