On November 9, 2011, as part of “Operation Ghost Click” (a collaborative investigation into the operation), the United States Attorney for the Southern District of New York announced charges against six Estonian nationals and one Russian national connected to DNSChanger and Rove Digital for wire fraud, computer intrusion, and conspiracy. Arrests were made by Estonian authorities, and servers connected to the malware located in the United States were seized by the FBI.
This brings to a close the long and unfortunate history of DNSChanger, malware that modified DNS settings on computers and was estimated to have infected over 4 million computers. DNSChanger first appeared in 2007, and was distributed by a software download for a purported video codec. Once this malware was installed, the infected computer’s DNS settings were modified to servers that were controlled by Rove Digital. These servers did several things, including substituting legitimate advertising on web pages to advertising that they controlled and sold. It’s believed that in doing this, the operators brought in over $14M of fraudulent ad revenue.
If the DNSChanger malware wasn’t bad enough, a variant of it that modifies a network router’s DNS settings is much worse. This malware which runs on Microsoft Windows targets a set of popular routers, incuding those made by Linksys, Buffalo, and DD-WRT. When run, it looks to see if it can find a router that it’s aware of, and then attempts to login to it using default credentials. This unfortunately works more often than not, as many people do not change their router’s default password which is widely known. If it’s successful, then the malware modifies the router’s DNS settings, and then any computer in the network is at risk to be directed at fraudulent websites.
Despite the fact that DNSChanger has ben known about for a while, it is believed to still be infecting a large number of computers. People who believe that they may still be at risk are urged to contact the DNS Changer Working Group (DCWG) for remediation.