DNSChanger is a DNS hijacking Trojan.[1][2] The work of an Estonian company known as Rove Digital, the malware infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over four million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue.[3]
Both Windows and Mac OS X variants of DNSChanger were circulated, the latter taking the form of a related Trojan known as RSPlug. The FBI raided the malicious servers on November 8, 2011,[4] but kept the servers running until July 9, 2012 to prevent affected users from losing Internet access.
DNSChanger was distributed as a drive-by download claiming to be a video codec needed to view content on a Web site, particularly appearing on rogue pornography sites. Once installed, the malware modified the system's Domain Name System (DNS) configuration, pointing it to rogue name servers operated through affiliates of Rove Digital.[3] These rogue name servers primarily substituted advertising on Web pages with advertising sold by Rove. Additionally, the rogue DNS servers redirected links to certain Web sites to those of advertisers, for example redirecting the IRS Web site to that of a tax preparation company.[5] DNSChanger could also spread to other computers within a LAN by mimicking a DHCP server, pointing those computers toward the rogue DNS servers.[5] In its indictment against Rove, the United States Department of Justice also reported that the rogue servers had blocked access to update servers for antivirus software.[6]
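Because the infection leaves a visible trace in the resolver configuration (or in the DNS servers handed out by a rogue DHCP server on the LAN), the simplest check is to compare the configured name servers against the known rogue netblocks. The following is an added example of such a checker, not code from the article or from any of the tools it mentions; the rogue ranges below are constructed placeholders from the documentation address space, not the real DNSChanger indicators.

```python
import ipaddress
from typing import Iterable

# Constructed placeholder netblocks standing in for the rogue name-server ranges.
# A real deployment would load the published indicator list here instead.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, placeholder
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, placeholder
]

# Constructed sample resolv.conf: one resolver inside a "rogue" range, one outside.
SAMPLE_RESOLV_CONF = """# constructed sample, not a real capture
nameserver 203.0.113.45
nameserver 192.0.2.1   # stands in for the ISP's legitimate resolver
"""


def parse_resolv_conf(text: str) -> list[str]:
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_windows_nameserver_value(value: str) -> list[str]:
    """Split a Windows NameServer/DhcpNameServer-style value ("a,b" or "a b")."""
    return [s for s in value.replace(",", " ").split() if s]


def flag_rogue_resolvers(servers: Iterable[str],
                         rogue_ranges=ROGUE_RESOLVER_RANGES) -> list[str]:
    """Return the configured resolvers that fall inside any rogue netblock."""
    flagged = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # skip malformed entries instead of aborting the whole check
        if any(addr in net for net in rogue_ranges):
            flagged.append(s)
    return flagged


def check_sample() -> list[str]:
    """Run the check over the constructed sample; returns the flagged resolvers."""
    return flag_rogue_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))
```

The same comparison applies to the DNS servers offered by DHCP, which is how a rogue DHCP server on the LAN would redirect otherwise clean machines.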
On October 1, 2011, as part of Operation Ghost Click (a collaborative investigation into the operation), the United States Attorney for the Southern District of New York announced charges against six Estonian nationals and one Russian national connected to DNSChanger and Rove Digital for wire fraud, computer intrusion, and conspiracy.[6] Estonian authorities made arrests, and the FBI seized servers connected to the malware located in the United States.[3]
Due to concerns by FBI agents that users still infected by DNSChanger could lose Internet access if the rogue DNS servers were shut down entirely, a temporary court order was obtained to allow the Internet Systems Consortium to operate replacement servers, which would serve DNS requests from those who had not yet removed the infection, and to collect information on those still infected in order to promptly notify them about the presence of the malware.[7] While the court order was set to expire on March 8, 2012, an extension was granted until July 9, 2012, due to concerns that there were still many infected computers.[5] F-Secure estimated on July 4, 2012, that at least 300,000 computers were still infected with the DNSChanger malware, 70,000 of which were located in the United States.[8] The interim DNS servers were officially shut down by the FBI on July 9, 2012.[9]
Impact from the shutdown was considered to be minimal, due in part to major Internet service providers providing temporary DNS services of their own and support to customers affected by DNSChanger, and to informational campaigns surrounding the malware and the impending shutdown. These included online tools that could check for the presence of DNSChanger, while Google and Facebook provided notifications to visitors of their respective services who were still affected by the malware.[8] By July 9, 2012, F-Secure estimated that the number of remaining DNSChanger infections in the U.S. had dropped from 70,000 to 42,000.[9]