The malware also blocked users from updating most installed antivirus software, or receiving operating system patch updates, the indictment alleged.
Along with the arrests in Estonia -- the Russian defendant remained at large -- the U.S. Federal Bureau of Investigation (FBI) shut down over 100 domain and botnet command-and-control (C&C) servers hosted at data centers in New York City and Chicago.
That would have left infected PCs and Macs without a way to connect to the Internet: Seizing the domain servers effectively wiped their road map to the Web's addresses. Instead, a federal judge approved a plan in which clean DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software.
ISC will operate the replacement DNS servers for 120 days, long enough, authorities said Wednesday, for users and Internet service providers (ISPs) to identify and scrub infected computers of the DNS Changer malware.
Unlike other botnet takedowns, such as the one aimed at Coreflood earlier this year, the DOJ will not remotely clean infected systems.
The FBI has posted instructions (download PDF) that people can use to determine whether their DNS records have been scrambled by the alleged hackers.
The agency has also created a tool that checks for DNS settings that may be among those controlled by the gang.
Microsoft, which has assisted in several botnet takedowns this year but did not participate in what authorities yesterday described as "Operation Ghost Click," praised the botnet crippling.
"We commend the FBI and Department of Justice for the arrests, which we see as progress in the ongoing effort to hold cybercriminals accountable for their actions," Microsoft said in a statement late Wednesday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.