
DNSChanger

From Wikipedia, the free encyclopedia

DNSChanger is a DNS hijacking Trojan.[1][2] The work of an Estonian company known as Rove Digital, the malware infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over four million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue.[3]

Both Windows and Mac OS X variants of DNSChanger were circulated, the latter taking the form of a related Trojan known as RSPlug. The FBI raided the malicious servers on November 8, 2011,[4] but kept the servers up after seizing them, until July 9, 2012, so that affected users would not lose Internet access.

Operation


DNSChanger was distributed as a drive-by download claiming to be a video codec needed to view content on a Web site, particularly appearing on rogue pornography sites. Once installed, the malware modified the system's Domain Name System (DNS) configuration, pointing it to rogue name servers operated through affiliates of Rove Digital.[3] These rogue name servers primarily substituted advertising on Web pages with advertising sold by Rove. Additionally, the rogue DNS servers redirected links to certain Web sites to those of advertisers, for example redirecting the IRS Web site to that of a tax preparation company.[5] DNSChanger could also spread to other computers within a LAN by mimicking a DHCP server, pointing those computers toward the rogue DNS servers.[5] In its indictment against Rove, the United States Department of Justice also reported that the rogue servers had blocked access to update servers for antivirus software.[6]
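Added example, not code from the article or from the DNS Changer Working Group: a small Python check that compares the resolvers in a resolv.conf-style configuration against an allowlist, the kind of local check behind the online DNSChanger diagnostics (the rogue address ranges themselves are not reproduced here). The sample configuration and the allowlist are constructed for illustration.

```python
"""Flag resolver entries that an administrator did not configure.

DNSChanger's footprint on a host is a changed DNS configuration, so the check
is: does every configured nameserver appear on an allowlist of resolvers this
machine is expected to use? Loopback stub resolvers are tolerated as well.
"""
import ipaddress
import re

# Matches "nameserver <addr>" lines in resolv.conf syntax; comments are skipped.
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in a resolv.conf-style text."""
    return NAMESERVER_RE.findall(resolv_conf)


def find_unexpected_resolvers(resolv_conf: str, expected: set[str]) -> list[str]:
    """Return configured resolvers that are neither allowlisted nor loopback.

    Malformed entries are reported too: a resolver line that is not a valid
    IP address is itself a sign that the file was tampered with.
    """
    unexpected = []
    for addr in parse_nameservers(resolv_conf):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            unexpected.append(addr)
            continue
        if str(ip) in expected or ip.is_loopback:
            continue
        unexpected.append(str(ip))
    return unexpected


# Constructed sample: a corporate resolver, the local stub resolver, and a
# third entry (a documentation-range address standing in for a rogue server)
# that nobody configured on purpose.
SAMPLE_RESOLV_CONF = """\
# generated by the DHCP client
search corp.example
nameserver 10.0.0.53
nameserver 127.0.0.53
nameserver 203.0.113.44
"""
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # constructed allowlist

if __name__ == "__main__":
    for addr in find_unexpected_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS):
        print(f"unexpected resolver: {addr}")
```

On a host with DHCP-assigned resolvers, populate the allowlist from the ISP's or organisation's published resolver addresses rather than from the current configuration, since a rogue DHCP server on the LAN, as the article describes, would also rewrite that.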

Shutdown and interim DNS servers


On October 1, 2011, as part of Operation Ghost Click (a collaborative investigation into the operation), the United States Attorney for the Southern District of New York announced charges against six Estonian nationals and one Russian national connected to DNSChanger and Rove Digital for wire fraud, computer intrusion, and conspiracy.[6] Estonian authorities made arrests, and the FBI seized servers connected to the malware located in the United States.[3]

Due to concerns by FBI agents that users still infected by DNSChanger could lose Internet access if the rogue DNS servers were shut down entirely, a temporary court order was obtained to allow the Internet Systems Consortium to operate replacement servers, which would serve DNS requests from those who had not yet removed the infection, and to collect information on those still infected in order to promptly notify them about the presence of the malware.[7] While the court order was set to expire on March 8, 2012, an extension was granted until July 9, 2012, due to concerns that there were still many infected computers.[5] F-Secure estimated on July 4, 2012, that at least 300,000 computers were still infected with the DNSChanger malware, 70,000 of which were located in the United States.[8] The interim DNS servers were officially shut down by the FBI on July 9, 2012.[9]

Impact from the shutdown was considered to be minimal, due in part to major Internet service providers providing temporary DNS services of their own and support to customers affected by DNSChanger, and to informational campaigns surrounding the malware and the impending shutdown. These included online tools that could check for the presence of DNSChanger, while Google and Facebook provided notifications to visitors of their respective services who were still affected by the malware.[8] By July 9, 2012, F-Secure estimated that the number of remaining DNSChanger infections in the U.S. had dropped from 70,000 to 42,000.[9]

References

  1. Trojan:Win32/Dnschanger.O – Microsoft
  2. "Antivirus scan for fdde13872caa1a0e1b9331188ca93b8fc424fed43d86d5cf53f6965f6a77184e at 2017-01-30 04:47:37 UTC – VirusTotal". virustotal.
  3. "How the most massive botnet scam ever made millions for Estonian hackers". Ars Technica. 10 November 2011. Retrieved 6 July 2012.
  4. "Esthost Taken Down – Biggest Cybercriminal Takedown in History – TrendLabs Security Intelligence Blog". 9 November 2011.
  5. "Don't Lose the Internet in July! FBI Repeats DNSChanger Warning". PC World. Retrieved 6 July 2012.
  6. "Seven charged in malware-driven click fraud case". Ars Technica. 9 November 2011. Retrieved 6 July 2012.
  7. Zetter, Kim. "'DNSChanger' Malware Could Strand Thousands When Domains Go Dark on Monday". Wired. Retrieved 6 July 2012.
  8. "Are You Infected With DNSChanger Malware?". PC World. Retrieved 6 July 2012.
  9. "ISPs Report Minimal DNSChanger Impact". PC World. Retrieved 13 July 2012.
  • dcwg.org – DNS Changer Working Group; tools and information for diagnosing DNSChanger infections