Hands of a guy on laptop keyboard

‘Operation Ghost Click’: Cyberzombies in the real world

Published on 18 November 2011
Updated on 05 April 2024

‘Operation Ghost Click’: Cyberzombies in the real world

This infographic by Wired shows a hypothetical full-scale denial of service attack. How long would it take to bring the wired world to its knees? Read more here.

‘The biggest cybercriminal takedown in history’, shouts the FBI! The network of 4 million ‘bots’ – hijacked end-user computers controlled remotely by perpetrators – has been tracked down and dismantled (article). It is probably not the biggest ‘botnet’ that exists today (some information mention botnets of over 30 million computers), but certainly is the biggest discovered and tracked down to date. It took more than four years of international cooperation – US investigators and law enforcement with Estonian and Dutch colleagues and a number of partners from business and academia – to notice, analyse, collect evidence, and roll out a safe takedown that would not leave these 4 million computers without Internet at once.

Let us take a moment to comprehend the size of this ‘army’:  4 million zombies from over 100 countries! To compare: one of the mightiest armies the world has ever seen – that of Persian King Darius which debarked to Europe in Hellespont to fight Leonidas and his Spartans at the battle of Thermopylae in 480BC – had almost 2 million soldiers of over 40 nationalities. Barely half of this cyber-army!

Fortunately enough, this army of cyberzombies was not ordered to hunt for flesh and blood, but rather for money – quite a sum, though: USD$14 million profit. Each new bot – a computer hijacked via malware recklessly downloaded and installed by users themselves – was then driven by several central servers to visit online advertisements raising the number of ‘clicks’ (i.e. visits) and bringing revenue to those controlling the botnet. It all resulted in fraud; a big fraud, but still only fraud. Should we be afraid about what such an army of computer (and computational) power could do if targeted at public utilities, such as electric grids, power plants, or military facilities?

We can take heart somewhat in knowing that international cooperation can help hunt down these virtual armies. And there is an interesting and comforting bit about that: no matter how virtual and how ‘untouchable’ cyberattackers may seem to us ‘ordinary users’, they are in fact just normal human beings, often working for legally registered companies, but hidden behind cyberspace. And once they are hunted down, they sit in same court rooms and lie down in same dumpy prison cells as any other real-world crime perpetrator. After all, it is humans that do harm, not technology. The experiences when real-world consequences follow cyber misdeeds help demystify cyberspace, which in turn possibly discourages some hackers while raising trust among end-users.

In spite of improvements in international cooperation when fighting cybercrime, it is not always easy to trace the real perpetrator behind such a complex structure as a botnet; also, the lack of harmonisation of national legislations causes jurisdiction dilemmas: who should prosecute the cyberperpetrators?

Take this case as example: the head of the action is a Russian businessman working with an Estonian company through the servers in Estonia, USA, and elsewhere, ending up seizing control over millions of computers from more than half of the countries of the world! So which of the jurisdiction principals (suggested by Jovan Kurbalija in An Introduction to Internet Governance p.87) should be used: territorial – based on what happens in a state’s territory; personality – based on where the perpetrator comes from; or the effects principle – based on where the effects of the criminal act are felt? In this case it was possibly the principle of the power, where the USA asked Estonia for extraditions (though the Estonian authorities did not seem to object).

There has been a number of attempts to provide harmonisation and cooperation guidelines in form of international documents. One often referred to, including at the recent London Cyberspace Conference, is the Budapest Convention on Cybercrime of the Council of Europe from 2001 (integral text). While some think that it provides a balanced set of principles around which many countries can gather (and over 30 already have), others think that it needs improvements in order for more states to sign it (such as in Art.32b which touches on the sovereignty of states). Due to a growing concern over the security of critical infrastructure and public utilities, NATO’s cooperative cyber defence centre of excellence (CCD COE) started working on the manual of international law applicable to cyberwarfare (article), to be completed by the end of 2012. Will any of these documents really help? We know that the law always lags behind technology; yet we can’t abandon the law, but must rather enable it to make bigger steps in updates; wide international cooperation, capacity building, and knowledge and experience sharing certainly are the ways forward.

The law is not enough. As always, the humans are the weakest link – almost every cyberattack has users’ ignorance and negligence as a stepping stone. ‘Social engineering’ was a technique behind spreading the DNS changer malware that fuelled ‘Ghost Click’ attacks: the users, eager to watch only-they-know-what-kind-of movies, clicked ‘yes’ when prompted to install some additional video codec. Bang! In a matter of seconds, the virus changed their DNS settings and allowed remote control over their browsers and online acts, turning their computers into zombies. The truth is that this rootkit (also known as TDL4 and Aleureon) is among the world’s most advanced pieces of malware, able to infect not only Windows but also Apple OS, and get around  even the updated antivirus programmes (article). It does not, however, remove the responsibility of these millions of users for being careless.

At some point, in the case of a growing number of bots and more hazardous cyberattacks, the question may be raised if we, users, are also responsible for the safety of our computers (much like when driving our cars) and thus the Net? Prevent such a scenario! Behave responsibly online, and clean up after yourself – remember, computer hygiene ranks right up there with personal hygiene!

1 reply
  1. Stephanie Borg Psaila
    Stephanie Borg Psaila says:

    Great blog post.

    Re ‘It does not, however, remove the responsibility of these millions of users for being careless’: it might be easy to draw the line between ‘carelessness’ and too advanced for an anti-virus to detect. But is it really that computers get infected mostly through negligence, or are some anti-viruses just not able to cope? Is it mainly a question of computer hygiene, or are we getting to a point where malware is becoming too advanced to stop?


Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.

Subscribe to Diplo's Blog