FBI’s Operation Ghost Click Busts Operators of DNSChanger Malware

The FBI has released details of its Operation Ghost Click, which led to the arrest of six operators of an internet fraud ring that created and distributed malware called DNSChanger. All of the arrested men were of Estonian descent and worked primarily from Estonia and Russia.

DNSChanger changed the DNS settings of the host computer so that when a user of the affected system tried to open a webpage, he or she was rerouted to a website or advertisement chosen by the hackers. Victims were also directed to websites carrying other potential malware. The ring had infected about 4 million computers in 100 different countries. The United States alone had almost 500,000 DNSChanger-infected PCs, ranging from those owned by individuals and enterprises to machines used by NASA. The hackers are believed to have made at least 14 million dollars from the fraud.

Janice Fedarcyk, Assistant Director in Charge of the FBI’s New York office, read out in a statement:

The harm inflicted by the defendants was not merely a matter of reaping illegitimate income. The defendants also inflicted the following:

They victimized legitimate website operators and advertisers who missed out on income through click hijacking and ad replacement fraud.

Unwitting customers of the defendants’ sham publisher networks were paying for Internet traffic from computer users who had not intended to view or click their ads.

Users involuntarily routed to Internet ads may well have harboured discontent with those businesses, even though the businesses were blameless.

And then there is the harm to the users of the hijacked computers. The DNSChanger malware was a virus more akin to an antibiotic-resistant bacterium. It had a built-in defence that blocked anti-virus software updates. And it left infected computers vulnerable to other malware.

The rogue DNS servers have been replaced by genuine ones so that affected users do not face disruption of internet services. Note, however, that this replacement does not remove the malware itself from the affected system. The FBI has released a PDF document with details on how to check whether your system is infected, along with the range of rogue IP addresses used by the gang.


The PDF document mentioned above also explains how to find your IP address and how to clean up your system.
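The settings check described above can be scripted. The following is an added example, not code from the FBI document or from this post: it assumes a Windows host, pulls the DNS servers out of `ipconfig /all` output and tests them against start-end address ranges. The ranges are placeholders from documentation address space (substitute the FBI's published ranges), the sample output is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Placeholder start-end ranges (RFC 5737 documentation space), NOT the FBI's
# published values; replace them with the ranges from the FBI document.
ROGUE_RANGES = [("192.0.2.0", "192.0.2.255"), ("198.51.100.64", "198.51.100.127")]

# Constructed sample of `ipconfig /all` output for one adapter.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.23
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 198.51.100.70
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def rogue_networks(ranges=ROGUE_RANGES):
    """Convert start-end ranges into CIDR networks for membership tests."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets

def dns_servers_from_ipconfig(text):
    """Extract DNS servers, including the bare continuation lines that
    Windows prints for the second and later servers of an adapter."""
    servers, in_dns = [], False
    for line in text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if first:
            servers.append(first.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s+[0-9a-fA-F:.%]+\s*", line):
            servers.append(line.strip())
        else:
            in_dns = False
    return servers

def flag_rogue(servers, nets=None):
    """Return the configured servers that fall inside a rogue range."""
    nets = nets or rogue_networks()
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            continue  # not an IP address; ignore
        if any(addr.version == n.version and addr in n for n in nets):
            hits.append(server)
    return hits
```

Because the rogue servers were replaced with working ones, name resolution succeeding says nothing about infection; the configured addresses are what the check inspects. A home router's DNS settings are a separate place to look and are not covered by this sketch.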

Published by

Nithin Ramesh

Nithin is a blogger and a Windows security enthusiast. He is currently pursuing a Bachelor's in Electronics and Communication. Apart from technology, his other interests include reading and rock music. His Twitter handle is @nithinr6.