DNSChanger attackers made profit of $14 million « The FORWARD project blog


DNSChanger is a trojan that changes the infected system’s Domain Name Server (DNS) settings in order to divert traffic to unsolicited and potentially illegal sites. It is usually a small file that changes the ‘NameServer’ Registry key value to a custom IP address. This IP address is usually encrypted in the body of the trojan. As a result of this change, a victim’s computer will contact the newly assigned DNS server to resolve the names of different web servers.
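A defender-side check for the registry change described above, as an added example that is not part of the original post: it parses `reg query` output for the per-interface ‘NameServer’ values and reports any resolver outside an approved range. The registry path shown, the `DhcpNameServer` value, the approved range and all addresses in the sample are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the resolvers your network legitimately hands out; replace with your own.
APPROVED = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample of `reg query <...>\Tcpip\Parameters\Interfaces /s` output.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-1111-1111-1111-111111111111}
    DhcpNameServer    REG_SZ    10.0.0.2 10.0.0.3
    NameServer    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-2222-2222-2222-222222222222}
    DhcpNameServer    REG_SZ    10.0.0.2
    NameServer    REG_SZ    192.0.2.53,192.0.2.54
"""

VALUE_RE = re.compile(r"^\s+(NameServer|DhcpNameServer)\s+REG_SZ\s*(.*)$")


def audit_nameservers(reg_output, approved=APPROVED):
    """Return (interface, value_name, resolver) for each resolver outside `approved`."""
    findings, interface = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            interface = line.rsplit("\\", 1)[-1]  # interface GUID is the last key component
            continue
        match = VALUE_RE.match(line)
        if not match:
            continue
        name, data = match.groups()
        # The value may hold several resolvers separated by commas or spaces.
        for token in re.split(r"[,\s]+", data.strip()):
            if not token:
                continue  # empty value: nothing statically configured
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                findings.append((interface, name, token))  # unparsable entry is suspicious too
                continue
            if not any(ip in net for net in approved):
                findings.append((interface, name, str(ip)))
    return findings


if __name__ == "__main__":
    for iface, name, resolver in audit_nameservers(SAMPLE):
        print(f"unexpected resolver {resolver} in {name} on interface {iface}")
```

A statically set ‘NameServer’ that overrides the DHCP-supplied resolver, as on the second interface in the sample, is the pattern to look at first.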


Six people, who carried out that attack and earned more than $14 million, were arrested in Estonia and Russia by the FBI. According to the FBI, when users of infected computers clicked on the link for the official Web site of iTunes, for example, they were instead taken to a Web site for a business unaffiliated with Apple Inc. that purported to sell Apple software.


The attackers also replaced legitimate ads on sites with ads that generated illegal payments for them, e.g. they replaced an American Express ad on the Wall Street Journal home page with an ad for “Fashion Girl LA,” and an Internet Explorer 8 ad on Amazon.com with one for an e-mail marketing firm. Specifically, computers were infected with DNSChanger when they visited certain web sites or downloaded particular software, and the malware at the same time prevented antivirus software and operating systems from updating.


The whole operation has been shut down by a two-year FBI investigation called “Operation Ghost Click”. What they did afterwards was replace the rogue DNS servers used in the operation with legitimate servers, hoping that infected computers would still be able to access the Internet, and also to get owners of infected computers to clean the malware off their machines.


A service is also provided that can tell you whether your computer is infected or not, just by visiting the FBI page.



