DNSChanger is a DNS hijacking Trojan. The work of an Estonian company known as Rove Digital, the malware infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over four million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue. Both Windows and Mac OS X variants of DNSChanger were circulated, the latter taking the form of a related Trojan known as RSPlug. The FBI raided the malicious servers on November 8, 2011, but kept the seized servers running until July 9, 2012 so that affected users would not lose Internet access.
Operation
DNSChanger was distributed as a drive-by download claiming to be a video codec needed to view content on a Web site, particularly appearing on rogue pornography sites. Once installed, the malware modified the system's Domain Name System configuration, pointing it to rogue name servers operated through affiliates of Rove Digital. These rogue name servers primarily substituted advertising on Web pages with advertising sold by Rove. Additionally, the rogue DNS servers redirected links to certain Web sites to those of advertisers, for example redirecting the IRS Web site to that of a tax preparation company. DNSChanger could also spread itself to other computers within a LAN by mimicking a DHCP server, pointing those computers toward the rogue DNS servers. In its indictment against Rove, the United States Department of Justice also reported that the rogue servers had blocked access to update servers for antivirus software.
Shutdown and interim DNS servers
On October 1, 2011, as part of Operation Ghost Click, the United States Attorney for the Southern District of New York announced charges against six Estonian nationals and one Russian national connected to DNSChanger and Rove Digital for wire fraud, computer intrusion, and conspiracy. Arrests were made by Estonian authorities, and servers connected to the malware located in the United States were seized by the FBI. Due to concerns by FBI agents that users still infected by DNSChanger could lose Internet access if the rogue DNS servers were shut down entirely, a temporary court order was obtained to allow the Internet Systems Consortium to operate replacement servers, which would serve DNS requests from those who had not yet removed the infection, and to collect information on those still infected in order to promptly notify them about the presence of the malware. While the court order was set to expire on March 8, 2012, an extension was granted until July 9, 2012 due to concerns that there were still many infected computers. F-Secure estimated on July 4, 2012 that at least 300,000 computers were still infected with the DNSChanger malware, 70,000 of which were located in the United States. The interim DNS servers were officially shut down by the FBI on July 9, 2012. Impact from the shutdown was considered to be minimal, due in part to major Internet service providers providing temporary DNS services of their own and support to customers affected by DNSChanger, and to informational campaigns surrounding the malware and the impending shutdown. These included online tools that could check for the presence of DNSChanger, while Google and Facebook provided notifications to visitors of their respective services who were still affected by the malware. By July 9, 2012, F-Secure estimated that the number of remaining DNSChanger infections in the U.S. had dropped from 70,000 to 42,000.
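As an added illustration, not code from this page or from any of the checking tools it mentions, the following Python script shows the kind of check those online tools performed against the hijack described under Operation: it parses a resolver configuration and flags any nameserver that falls inside a known-rogue netblock. The netblocks and the sample configuration are constructed placeholders, since the page does not list the real rogue ranges.

```python
import ipaddress

# Placeholder netblocks standing in for the rogue resolver ranges. The real
# ranges are not given on this page, so TEST-NET addresses are used instead.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # constructed placeholder
    ipaddress.ip_network("198.51.100.0/24"),  # constructed placeholder
]


def parse_resolv_conf(text):
    """Return the nameserver addresses declared in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                      # skip malformed entries
    return servers


def flag_rogue_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the resolvers (as strings) that sit inside a rogue netblock."""
    return [str(s) for s in servers if any(s in net for net in rogue_ranges)]


def check_resolver_config(text):
    """Summarise a resolver configuration: all resolvers, rogue ones, verdict."""
    servers = parse_resolv_conf(text)
    rogue = flag_rogue_resolvers(servers)
    return {
        "resolvers": [str(s) for s in servers],
        "rogue": rogue,
        "infected": bool(rogue),
    }


# Constructed sample: one internal resolver plus one entry that a DNS-changing
# Trojan (or a rogue DHCP server on the LAN) could have pushed into the config.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 10.0.0.1
nameserver 192.0.2.53   # hijacked entry in the placeholder rogue range
"""

if __name__ == "__main__":
    print(check_resolver_config(SAMPLE_RESOLV_CONF))
```

The same comparison applies to resolver settings read from any OS or from a DHCP offer captured on the LAN; only the parsing step differs.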