DNSChanger and the Global Scope of Cybersecurity


In November 2011, the FBI-led Operation Ghost Click raided malicious servers run by the Rove Digital cyber group. This came only after the group had leveraged the DNSChanger Trojan to infect over four million computers and generate over $14 million in illicit profits. At the time, the operation was billed as the biggest cybercriminal takedown in history.


How did DNSChanger infect so many machines before detection? How did authorities work together to stop this attack in its tracks? And what lessons did the security community learn from the DNSChanger incident? Let’s find out.


What is DNSChanger?


DNSChanger is a DNS hijacking Trojan launched by the Estonian cyber gang Rove Digital. The Trojan’s malicious activity is believed to have begun in 2007. The malware works by modifying a computer’s Domain Name System (DNS) settings, after which the malware’s operators can redirect the infected user to fraudulent websites.


The DNSChanger malware was distributed as an infected download disguised as a video codec. When visiting a rogue website (the majority were pornographic sites), users were lured to click a link or popup to download the codec in order to watch a video. Once a victim clicked the malicious link, the DNSChanger Trojan unleashed its payload.


Upon modifying the infected computer’s DNS configuration, the malware could point it to rogue name servers operated through affiliates of Rove Digital. These rogue name servers primarily supported adve ..
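The DNS-settings modification described in the two passages above is exactly what a defender audits for after an incident like this. The following is an added example, not code from the original article or from any Operation Ghost Click tooling: it parses a constructed resolv.conf-style file, compares each configured resolver against an expected allowlist, and flags any resolver that is unexpected or that falls inside a known-rogue network. The allowlist addresses and the rogue ranges are placeholders (RFC 5737 documentation networks); the real DNSChanger resolver ranges are not given on this page, so substitute your own threat-intelligence list.

```python
import ipaddress
from dataclasses import dataclass

# Resolvers the organisation expects its hosts to use (constructed example values).
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Networks known to host rogue resolvers. PLACEHOLDER ranges (RFC 5737
# documentation space): the actual DNSChanger ranges are not on this page,
# so replace these with your own threat-intel feed.
ROGUE_RESOLVER_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass
class Finding:
    resolver: str
    reason: str


def parse_resolvers(resolv_conf: str) -> list:
    """Return the nameserver values from resolv.conf-style text, in order.

    Comments (introduced by '#' or ';') and unrelated directives such as
    'search' or 'options' are ignored.
    """
    resolvers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            resolvers.append(parts[1])
    return resolvers


def audit_resolvers(resolv_conf: str) -> list:
    """Flag configured resolvers that are invalid, known-rogue, or unexpected.

    A resolver inside a rogue network is reported with that reason even if
    it is also absent from the allowlist, since that is the stronger signal.
    """
    findings = []
    for addr in parse_resolvers(resolv_conf):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding(addr, "not a valid IP address"))
            continue
        if any(ip in net for net in ROGUE_RESOLVER_NETWORKS):
            findings.append(Finding(addr, "resolver inside a known rogue network"))
        elif ip not in EXPECTED_RESOLVERS:
            findings.append(Finding(addr, "resolver not in the expected allowlist"))
    return findings


# Constructed sample: one expected resolver and one hijacked entry pointing
# at a placeholder attacker-controlled address.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 10.0.0.53
nameserver 203.0.113.7   # unexpected entry added by the hijack
search corp.example
options timeout:2
"""

if __name__ == "__main__":
    for finding in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{finding.resolver}: {finding.reason}")
```

The same allowlist-plus-blocklist check applies to Windows hosts; there the values to audit are the per-interface DNS server settings rather than a resolv.conf file, but the comparison logic is identical.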
