In November 2011, the FBI-led Operation Ghost Click raided malicious servers run by the Rove Digital cyber group. This was only after the group had leveraged the DNSChanger Trojan to infect over four million computers and generate over $14 million in illicit profits. At the time, the operation was billed as the biggest cyber criminal takedown in history.

How did the DNSChanger infect so many machines before detection? How did authorities work together to stop this attack cold in its tracks? And what lessons did the security community learn from the DNSChanger incident? Let’s find out.

What is DNSChanger?

DNSChanger is a DNS hijacking Trojan launched by the Estonian cyber gang Rove Digital. It’s believed the Trojan’s malicious activity began in 2007. The malware works by modifying a computer’s Domain Name System (DNS) settings. Malware authors can then redirect internet users to fraudulent websites.

An infected download disguised as a video codec distributed the DNSChanger malware. When visiting a rogue website (the majority were pornographic sites), users were lured to click on a link or popup in order to download the codec to watch a video. Once a victim clicked the malicious link, the DNSChanger Trojan unleashed its payload.

Upon modifying the infected computer’s DNS configuration, the malware could point them to rogue name servers operated through affiliates of Rove Digital. These rogue name servers primarily supported advertising sold by Rove. Advertisers then paid for the traffic thinking it came through legitimate clicks.

Worldwide, DNSChanger infected over 4 million computers in more than 100 countries. There were about 500,000 infections in the U.S., including computers belonging to individuals, businesses and government agencies such as NASA.

How did the DNSChanger takedown occur?

On the day of the takedown, Estonian police arrested Rove Digital ringleader Vladimir Tsastsin and five other actors. Meanwhile, U.S. authorities disabled the command-and-control network, including rogue DNS servers in New York and Chicago.

One problem the authorities faced was that the rogue DNS servers were still providing name resolutions for millions of infected computers. To resolve this issue, the FBI commissioned the Internet Systems Consortium to replace the rogue servers with legitimate DNS servers, thus protecting the users’ internet access from interruption.

Operation Ghost Click was a complex international investigation. Its success relied on strong working relationships between law enforcement, private industry and international partners. The FBI, NASA’s Office of Inspector General, the Estonian Police, nearly a dozen private and public sector partners and many more all banded together to make the operation work. Even Facebook and Google notified users that their Mac or PC computers could be infected.

Coordinated efforts with a twist

Since cyber gangs can launch attacks from anywhere, international teamwork has become increasingly necessary to stop attackers. For instance, in January 2021 Europol announced the EMOTET takedown. The operation was the result of a collaborative effort between authorities in the Netherlands, Germany, the US, the UK, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

EMOTET was one of the most sophisticated and long-lasting cyber crime services ever. What began as a banking Trojan in 2014, the malware evolved into a reliable attack resource for threat actors worldwide. Via infected email attachments, EMOTET opened the door to computer systems on a global scale. Once they established unauthorized access, they sold access to other threat groups to execute further malicious activities such as data theft and ransomware.

A coordinated multinational team worked to gain control of the EMOTET infrastructure and disrupt it from the inside. The infected machines were then redirected toward a law-enforcement-controlled infrastructure. Ironically, authorities deployed a DNS sinkholing method to intercept DNS requests attempting to connect to known malicious or unwanted domains. Using this method, a controlled IP address points to a sinkhole server defined by the DNS sinkhole administrator. This was a unique and new approach to effectively disrupt the activities of malicious actors.

New global models against cyber crime

With the war in Ukraine, the global risks of cyber crime have never been higher. At the top of the agenda are threats to critical infrastructure. However, attacks on hospitals, local governments and companies cause trouble at every level, even threatening to disrupt macroeconomic stability.

For this reason, many political and business leaders are calling for new paradigms to stem the rising tide of attacks. Some strategies include:

  • More unified diplomatic efforts and agreements to combat cyber crime
  • Continued and increased collaboration to create strong public-private partnerships
  • Strengthening actions of law enforcement and accountability
  • International, multinational efforts to hold rogue nations accountable.

Hit them where it hurts

While the DNSChanger and Operation Ghost Click were historic in their scope, it took years before action was taken against the cyber actors. The result was a physical raid and arrests.

Still, other methods, like the at-a-distance disruption of EMOTET may become more common — that is, hacking the hackers. Also, sanctioning affiliated entities could stem the tide of attacks. During the takedown of Hydra, the world’s largest darknet marketplace, part of the operation included sanctioning over 100 virtual currency addresses used to conduct illicit transactions.

Protection against DNS hijacking

Some steps organizations can take to prevent DNS hijacking include:

  1. DNS flushing: Regularly clearing your DNS cache will remove all entries on your local system. This can delete any invalid or compromised DNS records that could direct you to malicious sites.
  2. nslookup: This is a program and command code that server administrators can use to find out the IP address of a specified hostname. nslookup offers protection against phishing attacks and lets users confirm website validity.
  3. DNS leaks test: When you use secure VPNs or privacy services, you may find they are poorly configured and default DNS servers are still being used. This means anyone monitoring network traffic will be able to log your activity for malicious purposes. Running a DNS leak test ensures you have a closed VPN tunnel for secure network traffic.

Looking forward

New strategies and cultural shifts will be required to face growing international cyber threats. At a minimum, this includes individual responsibility coupled with strong alliances, tactics and policies. Only a united front will keep attackers at bay.

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today