DNSChanger was a DNS hijacking Trojan active from 2007 to 2012. The work of an Estonian company known as Rove Digital, the malware infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over 4 million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue.
Both Windows and Mac OS X variants of DNSChanger were circulated, the latter taking the form of a related Trojan known as RSPlug.
The FBI seized the malicious servers on November 8, 2011, but kept them running after the seizure, until July 9, 2012, so that affected users would not lose Internet access.
DNSChanger was distributed as a drive-by download claiming to be a video codec needed to view content on a Web site, appearing particularly on rogue pornography sites. Once installed, the malware modified the system's Domain Name System (DNS) configuration, pointing it to rogue name servers operated through affiliates of Rove Digital. These rogue name servers primarily substituted advertising on Web pages with advertising sold by Rove. Additionally, the rogue DNS servers redirected links to certain Web sites to those of advertisers, for example redirecting the IRS Web site to that of a tax preparation company. DNSChanger could also spread to other computers within a LAN by impersonating a DHCP server, pointing those computers toward the rogue DNS servers. In its indictment against Rove, the United States Department of Justice also reported that the rogue servers had blocked access to update servers for antivirus software.
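The infection described above leaves two visible traces on a host: resolver addresses in the system's DNS configuration that the owner never chose, and DHCP leases that hand out those same addresses. The following is an added example, not code from the article or from any of the parties it names, of the kind of offline check a defender can run: it parses resolv.conf-style and dhclient-lease-style text, then classifies each resolver as trusted, rogue, or unknown against two address lists. Both lists are placeholders. `TRUSTED_RESOLVER_NETWORKS` is an assumption about the operator's own resolvers, and `KNOWN_ROGUE_NETWORKS` uses RFC 5737 documentation addresses as stand-ins; the real DNSChanger ranges are not reproduced here and would have to be filled in from the published indictment.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample resolv.conf text (not taken from any real host).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 10.0.0.53
nameserver 192.0.2.77
nameserver 198.51.100.9
"""

# Constructed sample dhclient lease text, showing the resolvers a DHCP
# server (possibly a rogue one on the LAN) handed to this host.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 10.0.0.42;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 192.0.2.77,198.51.100.9;
}
"""

# Assumption: the networks in which this organisation runs its own resolvers.
TRUSTED_RESOLVER_NETWORKS = ["10.0.0.0/8", "2001:db8::/32"]

# Placeholder for the published rogue resolver ranges. These are RFC 5737
# documentation addresses, NOT the real DNSChanger ranges.
KNOWN_ROGUE_NETWORKS = ["192.0.2.0/24"]


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text.

    Comments ('#' or ';'), unrelated directives (search, options) and
    malformed addresses are ignored rather than raising.
    """
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "nameserver":
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        servers.append(parts[1])
    return servers


def parse_dhclient_leases(text: str) -> List[str]:
    """Return every address listed in 'option domain-name-servers' lines."""
    servers: List[str] = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        if not line.startswith("option domain-name-servers"):
            continue
        value = line[len("option domain-name-servers"):]
        for candidate in value.replace(",", " ").split():
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue
            servers.append(candidate)
    return servers


def classify_resolvers(servers: List[str], trusted_nets: List[str],
                       rogue_nets: List[str]) -> Dict[str, str]:
    """Label each resolver 'rogue', 'trusted' or 'unknown'.

    A rogue match wins over a trusted match so that a mistaken allowlist
    entry cannot hide a known-bad address. ipaddress returns False for
    membership tests across IP versions, so mixed v4/v6 lists are safe.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    rogue = [ipaddress.ip_network(n) for n in rogue_nets]
    verdict: Dict[str, str] = {}
    for s in servers:
        addr = ipaddress.ip_address(s)
        if any(addr in n for n in rogue):
            verdict[s] = "rogue"
        elif any(addr in n for n in trusted):
            verdict[s] = "trusted"
        else:
            verdict[s] = "unknown"
    return verdict


def audit(resolv_text: str, lease_text: str) -> List[Tuple[str, str, str]]:
    """Return (source, address, status) for every resolver that is not trusted."""
    findings: List[Tuple[str, str, str]] = []
    for source, servers in (("resolv.conf", parse_resolv_conf(resolv_text)),
                            ("dhclient.leases", parse_dhclient_leases(lease_text))):
        for addr, status in classify_resolvers(
                servers, TRUSTED_RESOLVER_NETWORKS, KNOWN_ROGUE_NETWORKS).items():
            if status != "trusted":
                findings.append((source, addr, status))
    return findings


if __name__ == "__main__":
    for source, addr, status in audit(SAMPLE_RESOLV_CONF, SAMPLE_LEASES):
        print(f"{source}: resolver {addr} is {status}")
```

On a live system the two sample strings would be replaced by the contents of `/etc/resolv.conf` and the dhclient lease file; an "unknown" verdict is worth a look on its own, because the rogue list can only ever contain ranges that have already been published, while the trusted list is under the operator's control.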