On November 8, 2011, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital” and distributed DNS-changing malware, known as DNSChanger, whose variants are also detected under the names TDSS, Alureon, TidServ and TDL4.
The botnet operated by Rove Digital altered victims’ DNS settings so that their name lookups went to rogue DNS servers the group ran in data centers in Estonia, New York, and Chicago. Those servers returned forged answers, redirecting searches and advertising to sites promoting fake and dangerous products. Because almost every web request begins with a DNS lookup, the malware showed infected users an altered version of the Internet.
From the FBI:
To assist victims affected by the DNSChanger malicious software, in March 2012 the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution was temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.
On July 9 the temporary clean DNS servers will be switched off, and if your PC is infected it will again be at risk (and will likely lose name resolution altogether, since its configured DNS servers will no longer answer). The easiest way to check whether your computer is infected is to use the link at the DCWG (DNS Changer Working Group) site. That page checks which DNS servers your computer is using; it does not download software, scan your PC or change anything on your computer.
The simplest way to validate this information and the DCWG is to go to one of the FBI articles about this activity that references the DNS Changer Working group:
- FBI Operation Ghost Click
- Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business
- FBI’s “Check to See if Your Computer is Using Rogue DNS”
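As an added example (not part of the original post, the FBI’s material or the DCWG checker), the following Python script performs the same comparison that the FBI’s “Check to See if Your Computer is Using Rogue DNS” document walks through by hand: read the resolvers configured on the host and test each one against the rogue address ranges. The ranges in the script are the ones listed in that FBI document as I recall them, so confirm them against the document before relying on the result. The resolv.conf and `ipconfig /all` samples are constructed for illustration, not captured from a real machine.

```python
import ipaddress
import re
import subprocess
import sys

# Rogue resolver ranges as published in the FBI's "Check to See if Your
# Computer is Using Rogue DNS" notice. Reproduced from that notice as I
# recall it; confirm against the FBI document before relying on them.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network(cidr) for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# Matches the "DNS Servers . . . : <addr>" line printed by `ipconfig /all`.
_IPCONFIG_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(.*)$")


def _looks_like_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_servers_from_resolv_conf(text):
    """Return the resolver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def dns_servers_from_ipconfig(text):
    """Return the resolver addresses from `ipconfig /all` output (Windows).

    The first address sits on the 'DNS Servers' line; further addresses for
    the same adapter follow on indented continuation lines with no label.
    """
    servers = []
    in_dns_block = False
    for raw in text.splitlines():
        m = _IPCONFIG_DNS_LINE.match(raw)
        if m:
            in_dns_block = True
            if m.group(1).strip():
                servers.append(m.group(1).strip())
            continue
        if in_dns_block and _looks_like_ip(raw.strip()):
            servers.append(raw.strip())
        else:
            in_dns_block = False
    return servers


def rogue_servers(servers):
    """Return the configured resolvers that fall inside a known rogue range."""
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue                                  # skip names or junk
        # An IPv6 address is never "in" an IPv4 network, so mixed input is safe.
        if any(addr in net for net in ROGUE_DNS_RANGES):
            hits.append(server)
    return hits


def local_dns_servers():
    """Collect this machine's resolvers (Windows via ipconfig, otherwise resolv.conf)."""
    if sys.platform.startswith("win"):
        out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                             text=True, check=False).stdout
        return dns_servers_from_ipconfig(out)
    try:
        with open("/etc/resolv.conf", encoding="utf-8") as f:
            return dns_servers_from_resolv_conf(f.read())
    except OSError:
        return []


# Constructed sample inputs (not captured from a real machine) showing an
# infected host on each platform.
SAMPLE_RESOLV_CONF = """\
# resolv.conf rewritten by the malware
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 67.210.14.9
                                       213.109.79.200
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    checks = (
        ("sample resolv.conf", dns_servers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
        ("sample ipconfig", dns_servers_from_ipconfig(SAMPLE_IPCONFIG)),
        ("this machine", local_dns_servers()),
    )
    for label, servers in checks:
        bad = rogue_servers(servers)
        print(f"{label}: resolvers={servers} rogue={bad or 'none'}")
```

Run it with no arguments on a suspect machine: on Windows it shells out to `ipconfig /all`, elsewhere it reads `/etc/resolv.conf`. One caveat: DNSChanger also rewrote the DNS settings of home routers, so a host whose only listed resolver is the router itself (192.168.1.1 in the sample) passes this check even when the router forwards every query to a rogue server; check the router’s upstream DNS as well.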