On November 8th 2011, the Estonian police, the FBI, and the NASA-OIG arrested seven men in Operation Ghost Click. This group of people operated under the company name Rove Digital, and distributed viruses that changes the DNS settings of victims. The Estonian court found their guilt not proven, but one member later plead guilty in the USA, and was sentenced to seven and a quarter years in prison. This malware was known under the names of DNS changer, Alureon, TDSS, TidServ and TDL4.
What does the DNS Changer Malware do?
The DNS changer malware pointed the victims DNS configuration to their own malicious DNS servers in Estonia, Chicago, and New York. This caused DNS lookup queries to be directed to malicious DNS servers, and in turn allowed the group to re-route internet traffic to malicious web servers. These web servers then served to replace the links in search results, and replace ads on popular websites. At the time, DNS wasn’t as secure as it is today, making this attack quite effective.
On March 12th 2012, the FBI announced that, under a court order, the ISC (Internet Systems Consortium) was operating a replacement DNS service for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines. These servers were to be shut off on July 9th 2012.
How Can I Protect Myself?
If you were affected by this DNS Changer, then your DNS configuration has changed. You can make sure your operating system has the latest security patches, and update your configured DNS servers in its operating system. However, this malware is no longer being distributed, and many popular sites are now defended against this type of attack. So the chances of this still affecting you are very small.