DNSChanger is a DNS hijacking Trojan. The work of an Estonian company known as Rove Digital, the malware infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over four million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue.
Both Windows and Mac OS X variants of DNSChanger were circulated, the latter taking the form of a related Trojan known as RSPlug. The FBI raided the malicious servers on November 8, 2011, but they kept the servers up after they captured it to avoid affected users from losing Internet access until July 9, 2012.
DNSChanger was distributed as a drive-by download claiming to be a video codec needed to view content on a Web site, particularly appearing on rogue pornography sites. Once installed, the malware then modified the system's Domain Name System (DNS) configuration, pointing them to rogue name servers operated through affiliates of Rove Digital. These rogue name servers primarily substituted advertising on Web pages with advertising sold by Rove. Additionally, the rogue DNS server redirected links to certain Web sites to those of advertisers, such as for example, redirecting the IRS Web site to that of a tax preparation company. The effects of DNSChanger could also spread itself to other computers within a LAN by mimicking a DHCP server, pointing other computers toward the rogue DNS servers. In its indictment against Rove, the United States Department of Justice also reported that the rogue servers had blocked access to update servers for antivirus software.
Shutdown and interim DNS servers
On October 1, 2011, as part of Operation Ghost Click (a collaborative investigation into the operation), the United States Attorney for the Southern District of New York announced charges against six Estonian nationals and one Russian national connected to DNSChanger and Rove Digital for wire fraud, computer intrusion, and conspiracy. Arrests were made by Estonian authorities, and servers connected to the malware located in the United States were seized by the FBI.
Due to concerns by FBI agents that users still infected by DNSChanger could lose Internet access if the rogue DNS servers were shut down entirely, a temporary court order was obtained to allow the Internet Systems Consortium to operate replacement servers, which would serve DNS requests from those who had not yet removed the infection, and to collect information on those still infected in order to promptly notify them about the presence of the malware. While the court order was set to expire on March 8, 2012, an extension was granted until July 9, 2012 due to concerns that there were still many infected computers. F-Secure estimated on July 4, 2012 that at least 300,000 computers were still infected with the DNSChanger malware, 70,000 of which were located in the United States. The interim DNS servers were officially shut down by the FBI on July 9, 2012.
Impact from the shutdown was considered to be minimal, due in part to major Internet service providers providing temporary DNS services of their own and support to customers affected by DNSChanger. and informational campaigns surrounding the malware and the impending shutdown. These included online tools that could check for the presence of DNSChanger, while Google and Facebook provided notifications to visitors of their respective services who were still affected by the malware. By July 9, 2012, F-Secure estimated that the number of remaining DNSChanger infections in the U.S. had dropped from 70,000 to 42,000.
- Trojan:Win32/Dnschanger.O – Microsoft
- "Antivirus scan for fdde13872caa1a0e1b9331188ca93b8fc424fed43d86d5cf53f6965f6a77184e] at 2017-01-30 04:47:37 UTC – VirusTotal". www.virustotal.com.
- "How the most massive botnet scam ever made millions for Estonian hackers". Ars Technica. Retrieved 6 July 2012.
- "Esthost Taken Down – Biggest Cybercriminal Takedown in History – TrendLabs Security Intelligence Blog". 9 November 2011.
- "Don't Lose the Internet in July! FBI Repeats DNSChanger Warning". PC World. Retrieved 6 July 2012.
- "Seven charged in malware-driven click fraud case". Ars Technica. Retrieved 6 July 2012.
- "'DNSChanger' Malware Could Strand Thousands When Domains Go Dark on Monday". Wired. Retrieved 6 July 2012.
- "Are You Infected With DNSChanger Malware?". PC World. Retrieved 6 July 2012.
- "ISPs Report Minimal DNSChanger Impact". PC World. Retrieved 13 July 2012.
- www.dcwg.org — DNS Changer Working Group; tools and information for diagnosing DNSChanger infections