Australian websites caught up in DNS Changer case

Thousands of computers in Australia may have been affected by the largest botnet, dubbed domain name system (DNS) Changer, according to evidence from Trend Micro.

A group in Estonia was investigated by the Federal Bureau of Investigation (FBI) and found to be responsible for the malware which hijacked users' clicks. It then redirected to hacker-created sites that resembled the real domains.

Trend Micro Australia software architecture director, Jon Oliver, said the company had been tracking DNS Changer since 2006 when it started identifying strange behaviour in command and control servers doing “DNS tricks.”

“The group was changing part of the internet so the ads which appeared on some Australian websites could show illegitimate ads which were not paid for by anyone,” he said. “The person who had paid for ads on those sites lost their impressions.”

The security vendor discovered that a company called Rove Digital, which had made itself out to be a legitimate business, was behind the attacks.

“Our part was establishing this because in cyber crime it’s very difficult to establish who is committing the offence,” he said.

“We started with suspicions and then collected evidence that this advertising crime was definitely occurring. A multiple of other crimes were also occurring such as hijacking search results, phishing and fake anti virus.”

Trend Micro collected all this evidence over six years and handed it to the FBI.

Oliver said part of the reason the takedown took so long was because establishing all the elements of the crime proved difficult due to the cyber criminals operating in more than one country.

“Equipment was seized in places like Chicago yet the arrests took place in Estonia.”

According to Trend Micro, the cyber criminals got away with at least $US14 million before members were arrested on 9 November, 2011.

Oliver advised Australians who had concerns about their computer to enter their IP address on the FBI website as the Bureau would be able to tell them if they had been infected by DNS Changer.

He added that the lesson for companies was to use multi layers of defence, and educate users about cyber security.

“When users are seeing suspicious activity they should be reporting it to their IT manager who is taking extra vigilance,” he said. “The down time and cost that’s occurring for many companies is huge so they need to take security very seriously.”

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Copyright © 2011 IDG Communications, Inc.

How to supercharge Slack with ‘action’ apps
Shop Tech Products at Amazon