Authorities believe that, beginning in 2007, the ring used a family of malware known as DNSChanger to infect approximately 4 million computers in more than 100 countries. In the United States alone there were about 500,000 infections, on computers belonging to individuals, businesses and government agencies, including NASA. By silently redirecting victims' web traffic and substituting their own advertisements, the criminals manipulated Internet advertising to generate what authorities estimate to be $14 million in illicit fees. Worse, in some cases the malware also prevented victims' anti-virus software and operating systems from updating, leaving infected machines exposed to further malware.
On November 8, 2011 the FBI, the NASA Office of Inspector General (NASA-OIG) and Estonian police arrested six Estonian nationals in what was dubbed "Operation Ghost Click". The six operated under the company name "Rove Digital" and distributed DNS-changing malware that anti-virus vendors variously detect as TDSS, Alureon, TidServ and TDL4 (different names for the same rootkit family). The crime ring infected millions of computers worldwide, enabling the thieves to manipulate the multi-billion-dollar Internet advertising industry. Most people whose machines were infected were unaware that their computers had been compromised, and the infection itself left those machines open to a host of other malware.
The Problem Faced by Authorities
When the FBI moved to take down the operation in November 2011, agents realized that if they simply switched off the rogue DNS servers, every infected machine would lose the ability to resolve names, and with it the ability to reach websites or e-mail, because those machines had been reconfigured to use the criminals' servers and nothing else. To avoid that, the FBI set up a safety net: under a court order it hired a private company to stand up two clean replacement DNS servers in place of the rogue ones, so that infected machines kept resolving names after the criminals' servers were shut down. The replacement servers were only ever a temporary measure, however, and will be shut down at 12:01 a.m. EDT (0401 GMT) on Monday, July 9. Machines still configured to use them will lose name resolution at that point.
FBI officials acknowledged that although this may have been the first time they had to perform such a task, it is unlikely to be the last, since authorities are taking on more investigations of this type.
How DNSChanger Worked
The botnet operated by Rove Digital altered the DNS settings on victims' computers, and on home routers it could reach with default credentials, pointing them at malicious DNS servers in data centers in Estonia, New York and Chicago. Those servers returned fake, malicious answers: search queries and legitimate sites were redirected to pages of the criminals' choosing, and advertising was swapped for promotions of fake and dangerous products. Because nearly every connection to a named host begins with a DNS lookup, whoever controls the resolver controls what the user actually reaches, so the malware showed victims an altered version of the Internet without changing anything visible in the browser.
DNS (the Domain Name System) is a critical Internet service that converts user-friendly domain names, such as www.websitename.com, into the numerical addresses that computers use to communicate with each other. Without DNS, and the DNS servers normally operated by Internet service providers, computer users would not be able to browse websites by name or send and receive e-mail.
How Do I Know if My Computer Is Infected?
To check your computer, visit the DNS Changer Working Group (DCWG), the industry group the FBI refers victims to. Its free web check identifies which resolver your computer is using, reports whether that resolver is one of the rogue servers (now the clean replacements), and explains how to clean an infected machine. Because the check depends on the replacement servers still answering, it stops working once they are switched off; after that, a machine still pointed at those addresses simply fails to resolve any names. You can also check directly by comparing the DNS servers your computer (and your home router) is configured to use against the rogue address ranges the FBI published.
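As an added, offline worked example (not part of the original article and not the DCWG's or the FBI's tool), the following Python script performs that direct comparison locally: it reads the resolvers a machine is configured to use, either from resolv.conf text (Linux, macOS) or from the output of `ipconfig /all` (Windows), and reports any that fall inside the rogue address ranges the FBI published for the Rove Digital servers. The two input samples embedded in it are constructed, not real captures, and the CIDR list is a transcription of the FBI's published ranges that should be verified against the notice itself.

```python
import ipaddress
import re

# Address ranges the FBI published for the Rove Digital rogue DNS servers,
# written as CIDR blocks. The notice listed them as "first through last"
# ranges (e.g. 85.255.112.0 through 85.255.127.255); verify against the
# notice before relying on this transcription.
ROGUE_DNS_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]


def rogue_range_for(ip):
    """Return the CIDR block (as a string) containing ip, or None.

    IPv6 resolvers never match: the published ranges are IPv4 only, and
    ipaddress treats a version mismatch as 'not contained'.
    """
    addr = ipaddress.ip_address(str(ip))
    for net in ROGUE_DNS_RANGES:
        if addr in net:
            return str(net)
    return None


def parse_resolv_conf(text):
    """Nameserver addresses from /etc/resolv.conf-style text (Linux, macOS)."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue                          # ignore malformed entries
    return servers


def parse_ipconfig_all(text):
    """DNS server addresses from Windows `ipconfig /all` output.

    The 'DNS Servers' line carries the first address; further servers follow
    on continuation lines that contain nothing but an address.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        if "DNS Servers" in line and ":" in line:
            value, collecting = line.split(":", 1)[1], True
        elif collecting and re.fullmatch(r"\s+\S+", line):
            value = line
        else:
            collecting = False
            continue
        value = value.strip().split("%", 1)[0]   # strip IPv6 zone id (fe80::1%12)
        try:
            servers.append(ipaddress.ip_address(value))
        except ValueError:
            collecting = False
    return servers


def find_rogue_servers(servers):
    """Pair each configured resolver that falls in a rogue range with that range."""
    hits = []
    for ip in servers:
        net = rogue_range_for(ip)
        if net is not None:
            hits.append((str(ip), net))
    return hits


# Constructed samples (not real captures) of the two places the settings live.
RESOLV_CONF_SAMPLE = """\
# constructed sample
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 93.188.163.5
                                       64.28.180.200
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, servers in (("resolv.conf", parse_resolv_conf(RESOLV_CONF_SAMPLE)),
                          ("ipconfig /all", parse_ipconfig_all(IPCONFIG_SAMPLE))):
        hits = find_rogue_servers(servers)
        print(f"{name}: {'INFECTED' if hits else 'clean'} {hits}")
```

On a real machine, feed the parsers the contents of /etc/resolv.conf or the captured output of `ipconfig /all` instead of the samples, and run the same comparison against the DNS servers listed in your home router's WAN settings, since the malware changed those too. A single hit is enough to treat the machine as infected; cleaning it means both removing the malware and restoring the DNS settings, because the rogue addresses stay configured after the malware itself is gone.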