The Spamhaus Project


Ghost Click/DNSChanger: Could ISPs have stopped it?

by The Spamhaus Team, November 15, 2011. 4 minutes reading time

After the successful law-enforcement dismantling on November 9, 2011 of a huge cybercrime network, in an operation dubbed 'Ghost Click', questions were raised as to what Internet Service Providers (ISPs) could have been doing to protect their users, and the internet, from this botnet.

So, could an ISP (or corporation, school, government or other autonomous network) have done something to help identify and protect an individual end-user on its network whose computer became infected with the DNSChanger malware distributed by the Rove Digital cybercrime gang?

Spamhaus' answer to this is YES.

[Figure: a heatmap of Operation Ghost Click infected machine locations for 8 November, 2011]

How could ISPs protect their users? By monitoring simple traffic patterns on their network or, if not that, by just blocking network traffic from their users to the known cybercriminal controlled areas of the internet.

Let's first quickly look at how this botnet functioned. Rove Digital ran a sophisticated operation in which the DNSChanger malware changed the DNS settings on victims' computers so that their name lookups went to DNS servers under Rove Digital's control. As a result, when innocent users asked for the sites of a number of large web merchants, banks and other companies they did business with, they were unknowingly directed to websites controlled by Rove Digital instead. The Rove Digital sites could look just like the real site, or they could issue HTTP redirects on to the real landing page so that the user never knew they had been hijacked. The malware could, and did, also replace advertisements delivered by companies such as Google or Microsoft with ads from the Rove Digital gang promoting suspect products and services.

DNS requests, like all traffic from a connected user's computer, flow through their ISP's network before being routed onto the internet. At this stage ISPs have many options as to what they can do with the traffic. Obviously, snooping on customers with techniques such as 'deep packet inspection' is controversial and widely frowned upon, but protecting DNS does not require that: the destination address and port of a DNS packet are enough. Hardware and software are available, and in fact run by many large ISPs, that allow the logging, blocking or re-routing of basic internet protocols such as DNS. Some ISPs currently use this technology to lock users to the ISP's own DNS servers no matter what the user (or the DNSChanger malware!) may have configured. (Such 'DNS filtering' is a technique which is also up for debate. 1,2)

How could ISPs use this ability to protect users from the DNS hijacking? When Spamhaus, Trend Micro's Feike Hacquebord, and others first reported this threat some years ago, Spamhaus placed all IP address ranges controlled by Rove Digital into its DROP list. The DROP list ('Don't Route Or Peer List') is one of the best "known cybercriminal controlled areas of the internet" references one can use for protecting one's networks and users. It is successfully used in production at large hosting facilities as well as by corporate networks. It is also free for anyone, anywhere, to download from Spamhaus and use. The DROP FAQ provides more details about its usage.

The data in the DROP list can be used either to block all DNS (and perhaps other protocol) traffic to these rogue areas of the internet, or to log attempts to reach them and build a report the ISP can use to contact the user and inform them that they appear to have a malware problem. This could also be done automatically by ISPs running a 'walled garden' system to isolate and inform infected users.
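The logging option described above, as an added example that is not Spamhaus code and not part of the original post: a small script that loads a DROP-format list (the published drop.txt layout of one "CIDR ; reference" entry per line, with ";" starting a comment), checks each outbound flow whose destination port is 53 against it, and aggregates the hits per subscriber address so the ISP has a list of users to contact or to place in a walled garden. The DROP entries and the flow log below are constructed: the prefixes are RFC 5737 / RFC 3849 documentation space rather than real listings, the "SBL-EXAMPLE" references are placeholders, and the "timestamp src dst dport proto" flow format is a hypothetical export layout chosen for the example.

```python
"""Check subscriber DNS traffic against a Spamhaus DROP-format list.

Added example, not Spamhaus code. Assumed input formats:
  - DROP list: one "CIDR ; reference" entry per line, ";" starts a comment
    (the layout of the published drop.txt / dropv6.txt files).
  - Flow log: "timestamp src_ip dst_ip dst_port proto" per line
    (hypothetical export format, constructed for this example).
"""
import ipaddress
from collections import defaultdict

# Constructed sample in DROP file format. Prefixes are RFC 5737 / RFC 3849
# documentation space, not real listings; the references are placeholders.
SAMPLE_DROP = """\
; constructed sample, same layout as the Spamhaus DROP/DROPv6 files
; blank lines and comment lines are ignored by the parser

192.0.2.0/24 ; SBL-EXAMPLE-1
198.51.100.0/24 ; SBL-EXAMPLE-2
2001:db8:dead::/48 ; SBL-EXAMPLE-3
"""

# Constructed flow records: "timestamp src dst dport proto".
# 10.0.0.5 and 2001:db8:1::9 have been pointed at rogue resolvers;
# 10.0.0.7 uses the ISP resolver 203.0.113.53, which is not listed.
SAMPLE_FLOWS = """\
2011-11-15T10:00:01Z 10.0.0.5 192.0.2.10 53 udp
2011-11-15T10:00:02Z 10.0.0.7 203.0.113.53 53 udp
2011-11-15T10:00:03Z 10.0.0.5 192.0.2.10 53 udp
2011-11-15T10:00:04Z 10.0.0.5 198.51.100.7 80 tcp
2011-11-15T10:00:05Z 2001:db8:1::9 2001:db8:dead::53 53 udp
2011-11-15T10:00:06Z 10.0.0.7 203.0.113.53 53 tcp
"""


def parse_drop_list(text):
    """Return [(ip_network, reference), ...] from DROP-format text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, comment = line.partition(";")
        # strict=False tolerates host bits set in a published entry
        network = ipaddress.ip_network(cidr.strip(), strict=False)
        entries.append((network, comment.strip() or None))
    return entries


def lookup(drop, address):
    """Return the list reference covering address, or None.

    Linear scan: the real DROP list is on the order of a thousand
    prefixes, cheap enough for log analysis; an inline filter would
    load the same prefixes into ipset/nftables or a radix tree instead.
    """
    ip = ipaddress.ip_address(address)
    for network, reference in drop:
        if ip.version == network.version and ip in network:
            return reference
    return None


def find_drop_traffic(drop, flow_lines, ports=(53,)):
    """Aggregate subscriber -> destination -> (hits, reference) for flows
    to DROP-listed space on the given destination ports (DNS by default;
    ports=None counts every port, the 'perhaps other protocols' option)."""
    report = defaultdict(dict)
    for raw in flow_lines:
        fields = raw.split()
        if len(fields) != 5:
            continue  # malformed export line: skip rather than crash
        _ts, src, dst, dport, _proto = fields
        if ports is not None and int(dport) not in ports:
            continue
        reference = lookup(drop, dst)
        if reference is None:
            continue  # not listed, e.g. the ISP's own resolver
        hits, _ = report[src].get(dst, (0, reference))
        report[src][dst] = (hits + 1, reference)
    return dict(report)


def notification_list(report):
    """Subscriber addresses to contact or route into a walled garden,
    sorted by address family then value for a stable report."""
    return sorted(report, key=lambda a: (ipaddress.ip_address(a).version,
                                         int(ipaddress.ip_address(a))))


if __name__ == "__main__":
    drop = parse_drop_list(SAMPLE_DROP)
    report = find_drop_traffic(drop, SAMPLE_FLOWS.splitlines())
    for sub in notification_list(report):
        for dst, (hits, ref) in sorted(report[sub].items()):
            print(f"{sub}: {hits} DNS queries to {dst} ({ref})")
```

The port filter is what keeps this from being deep packet inspection: only the destination address and port of each flow are consulted. A subscriber who has simply chosen a third-party resolver outside DROP space (10.0.0.7 above) produces no hit, and a listed destination on another port is counted only when ports=None is passed.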

Certainly, the first line of defense against cybercrime malware should be an informed user with up-to-date anti-virus software, but as one can see from the millions infected by Rove Digital, that does not always work well. The ISPs' role can be that of a safety net that catches users once they fall prey to the cybercriminals, and the Spamhaus DROP list can be an important piece of that net.

Further reading: