DNSChanger
DNSChanger is a DNS hijacking Trojan. The work of an Estonian company known as Rove Digital, the malware infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over four million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue. Both Windows and Mac OS X variants of DNSChanger were circulated, the latter taking the form of a related Trojan known as RSPlug. The FBI raided the malicious servers on November 8, 2011, but kept them running after the seizure, until July 9, 2012, so that affected users would not lose Internet access.


Operation

DNSChanger was distributed as a drive-by download claiming to be a video codec needed to view content on a Web site, particularly appearing on rogue pornography sites. Once installed, the malware modified the system's Domain Name System (DNS) configuration, pointing it to rogue name servers operated through affiliates of Rove Digital. These rogue name servers primarily substituted advertising on Web pages with advertising sold by Rove. Additionally, the rogue DNS servers redirected links to certain Web sites to those of advertisers, for example redirecting the IRS Web site to that of a tax preparation company. DNSChanger could also spread to other computers within a LAN by mimicking a DHCP server, pointing other computers toward the rogue DNS servers. In its indictment against Rove, the United States Department of Justice also reported that the rogue servers had blocked access to update servers for antivirus software.


Shutdown and interim DNS servers

On October 1, 2011, as part of ''Operation Ghost Click'' (a collaborative investigation into the operation), the United States Attorney for the Southern District of New York announced charges against six Estonian nationals and one Russian national connected to DNSChanger and Rove Digital for wire fraud, computer intrusion, and conspiracy. Estonian authorities made arrests, and the FBI seized servers connected to the malware located in the United States. Because FBI agents were concerned that users still infected by DNSChanger could lose Internet access if the rogue DNS servers were shut down entirely, a temporary court order was obtained allowing the Internet Systems Consortium to operate replacement servers, which would serve DNS requests from those who had not yet removed the infection and collect information on those still infected in order to notify them promptly about the presence of the malware. While the court order was set to expire on March 8, 2012, an extension was granted until July 9, 2012 due to concerns that many computers were still infected. F-Secure estimated on July 4, 2012 that at least 300,000 computers were still infected with the DNSChanger malware, 70,000 of which were located in the United States. The interim DNS servers were officially shut down by the FBI on July 9, 2012. The impact of the shutdown was considered minimal, due in part to major Internet service providers providing temporary DNS services of their own and support to customers affected by DNSChanger, and to informational campaigns surrounding the malware and the impending shutdown. These included online tools that could check for the presence of DNSChanger, while Google and Facebook provided notifications to visitors of their respective services who were still affected by the malware. By July 9, 2012, F-Secure estimated that the number of remaining DNSChanger infections in the U.S. had dropped from 70,000 to 42,000.
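The infection check that the online tools performed, and that follows directly from the malware's behaviour described under Operation (rewriting the host's DNS resolver settings), can be reproduced locally by comparing the configured resolvers against known-rogue netblocks. This is an added example, not code from the article or from the DNS Changer Working Group; the rogue netblocks are constructed TEST-NET placeholders, since the article does not list the real ranges, and the input formats assumed are a Unix resolv.conf and Windows `ipconfig /all` output.

```python
import ipaddress
import re

# Placeholder netblocks standing in for the rogue-resolver ranges the DNS Changer
# Working Group published; constructed TEST-NET values, not the real indicators.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def resolvers_from_resolv_conf(text):
    """Resolver addresses from resolv.conf-style content (Unix, macOS)."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)

def resolvers_from_ipconfig(text):
    """Resolver addresses from 'ipconfig /all' output: the first server sits on
    the 'DNS Servers' line, further servers on indented continuation lines."""
    found, in_block = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            found.append(m.group(1))
            in_block = True
        elif in_block and _is_ip(line.strip()):
            found.append(line.strip())
        else:
            in_block = False  # any other field ends the continuation block
    return found

def flag_rogue_resolvers(addresses):
    """Return the configured resolvers that fall inside a known-rogue range."""
    return [a for a in addresses if _is_ip(a)
            and any(ipaddress.ip_address(a) in net for net in ROGUE_RESOLVER_RANGES)]

# Constructed sample inputs: one Unix resolver file and one ipconfig excerpt.
SAMPLE_RESOLV_CONF = "nameserver 192.0.2.45\nnameserver 9.9.9.9\n"
SAMPLE_IPCONFIG = (
    "Ethernet adapter Ethernet:\n"
    "   DNS Servers . . . . . . . . . . . : 198.51.100.7\n"
    "                                       203.0.113.2\n"
    "   NetBIOS over Tcpip. . . . . . . . : Enabled\n"
)
```

A non-empty result from `flag_rogue_resolvers` is the same signal the DCWG check tool gave: the host's resolvers point into the seized ranges, so its DNS settings (or the LAN's DHCP server) need to be reset.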


External links


www.dcwg.org — DNS Changer Working Group; tools and information for diagnosing DNSChanger infections