From Wikipedia, the free encyclopedia
 


DNSChanger is a DNS hijacking Trojan.[1][2] The work of an Estonian company known as Rove Digital, the malware infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over four million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue.[3]

Both Windows and Mac OS X variants of DNSChanger were circulated, the latter taking the form of a related Trojan known as RSPlug. The FBI raided the malicious servers on November 8, 2011,[4] but kept the servers running after seizing them, until July 9, 2012, so that affected users would not lose Internet access.

Operation

DNSChanger was distributed as a drive-by download claiming to be a video codec needed to view content on a Web site, particularly appearing on rogue pornography sites. Once installed, the malware modified the system's Domain Name System (DNS) configuration, pointing the system to rogue name servers operated through affiliates of Rove Digital.[3] These rogue name servers primarily substituted advertising on Web pages with advertising sold by Rove. Additionally, the rogue DNS servers redirected links to certain Web sites to those of advertisers, for example redirecting the IRS Web site to that of a tax preparation company.[5] DNSChanger could also spread to other computers within a LAN by mimicking a DHCP server, pointing those computers toward the rogue DNS servers.[5] In its indictment against Rove, the United States Department of Justice also reported that the rogue servers had blocked access to update servers for antivirus software.[6]
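The infection described above changes a host's resolver configuration, so the simplest detection is to compare the configured resolvers against the ones the host should be using and against known-bad ranges. The following is an added example of that check, not code from the article or from any of the tools it mentions; it assumes a resolv.conf-style configuration, a hypothetical corporate allowlist, and constructed placeholder CIDRs standing in for the rogue resolver blocks (the article does not list the real ones).

```python
"""Classify a host's configured DNS resolvers as expected, suspect or unknown.

Assumptions (not from the article): resolver config is resolv.conf-style
text, EXPECTED_RESOLVERS is a hypothetical organisation's own resolvers, and
SUSPECT_RANGES are constructed placeholders, not the real DNSChanger ranges."""
import ipaddress
import re

# Constructed placeholder ranges standing in for rogue resolver blocks.
SUSPECT_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Resolvers a host on this hypothetical network is expected to use.
EXPECTED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}

_NS_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf: str) -> list:
    """Return the nameserver addresses in resolv.conf-style text, skipping malformed entries."""
    found = []
    for token in _NS_RE.findall(resolv_conf):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # not a valid IP address; ignore rather than crash
    return found


def classify_resolver(addr) -> str:
    """'expected' (on the allowlist), 'suspect' (inside a flagged range) or 'unknown'."""
    if addr in EXPECTED_RESOLVERS:
        return "expected"
    if any(addr in net for net in SUSPECT_RANGES):
        return "suspect"
    return "unknown"


def check_resolvers(resolv_conf: str) -> dict:
    """Map each configured resolver (as a string) to its classification."""
    return {str(a): classify_resolver(a) for a in parse_resolvers(resolv_conf)}


# Constructed sample: one expected resolver and one that has been replaced.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
search corp.example
nameserver 10.0.0.53
nameserver 192.0.2.7
nameserver not-an-ip
"""

if __name__ == "__main__":
    for addr, verdict in check_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{addr}: {verdict}")
```

An "unknown" verdict is not proof of infection; a resolver handed out by a rogue DHCP server on the LAN, as the article describes, would show up the same way, so unknown resolvers should be checked against the DHCP lease as well.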

Shutdown and interim DNS servers

On October 1, 2011, as part of Operation Ghost Click (a collaborative investigation into the operation), the United States Attorney for the Southern District of New York announced charges against six Estonian nationals and one Russian national connected to DNSChanger and Rove Digital for wire fraud, computer intrusion, and conspiracy.[6] Estonian authorities made arrests, and the FBI seized servers connected to the malware located in the United States.[3]

Due to concerns by FBI agents that users still infected by DNSChanger could lose Internet access if the rogue DNS servers were shut down entirely, a temporary court order was obtained to allow the Internet Systems Consortium to operate replacement servers, which would serve DNS requests from those who had not yet removed the infection, and to collect information on those still infected in order to promptly notify them about the presence of the malware.[7] While the court order was set to expire on March 8, 2012, an extension was granted until July 9, 2012, due to concerns that there were still many infected computers.[5] F-Secure estimated on July 4, 2012, that at least 300,000 computers were still infected with the DNSChanger malware, 70,000 of which were located in the United States.[8] The interim DNS servers were officially shut down by the FBI on July 9, 2012.[9]

Impact from the shutdown was considered to be minimal, due in part to major Internet service providers providing temporary DNS services of their own and support to customers affected by DNSChanger, and to informational campaigns surrounding the malware and the impending shutdown. These included online tools that could check for the presence of DNSChanger, while Google and Facebook provided notifications to visitors of their respective services who were still affected by the malware.[8] By July 9, 2012, F-Secure estimated that the number of remaining DNSChanger infections in the U.S. had dropped from 70,000 to 42,000.[9]

References

  • "Antivirus scan for fdde13872caa1a0e1b9331188ca93b8fc424fed43d86d5cf53f6965f6a77184e at 2017-01-30 04:47:37 UTC – VirusTotal". www.virustotal.com.
  • "How the most massive botnet scam ever made millions for Estonian hackers". Ars Technica. 10 November 2011. Retrieved 6 July 2012.
  • "Esthost Taken Down – Biggest Cybercriminal Takedown in History – TrendLabs Security Intelligence Blog". 9 November 2011.
  • "Don't Lose the Internet in July! FBI Repeats DNSChanger Warning". PC World. Retrieved 6 July 2012.
  • "Seven charged in malware-driven click fraud case". Ars Technica. 9 November 2011. Retrieved 6 July 2012.
  • Zetter, Kim. "'DNSChanger' Malware Could Strand Thousands When Domains Go Dark on Monday". Wired. Retrieved 6 July 2012.
  • "Are You Infected With DNSChanger Malware?". PC World. Retrieved 6 July 2012.
  • "ISPs Report Minimal DNSChanger Impact". PC World. Retrieved 13 July 2012.
    Retrieved from "https://en.wikipedia.org/w/index.php?title=DNSChanger&oldid=1205507426"
    This page was last edited on 9 February 2024, at 20:37 (UTC).