About Me

Craig Schmugar

Craig Schmugar

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

DNSChanger Trojans v4.0

Thursday, December 4, 2008 at 5:28pm by Craig Schmugar
Craig Schmugar

Earlier today SANS posted an excellent blog on a recent variant of a DNSChanger Trojan. There are some significant implications to this threat, but before I go into those, here’s a brief rundown of the main DNS-changing Trojan tactics used to date:

  1. Modify Windows Hosts file to map specific domain names to specific IP addresses (McAfee classifies these Trojans as QHOSTS Trojans, more of a precursor to DNSChangers
  2. Modify Windows registry settings to reference specific (rogue) DNS servers [DNSChanger.f]
  3. Create a scheduled task under Mac OS X to reference specific (rogue) DNS servers [OSX/Puper]
  4. Exploit cross-site request forgery vulnerabilities in routers to overwrite the DNS server configuration offered to local area network clients [DNSChanger.f]

We’ve now seen a new tactic, which has the potential of impacting most devices on the local network–independent of the operating system or device (Windows, Linux, Internet-capable MP3 players,  digital picture frames, refrigerators, you name it). The tactic involves serving the rogue DNS server configuration over DHCP, the protocol responsible for distributing dynamic IP addresses, as well as other information, including DNS settings.

Here’s a scenario:

  • Jill is using the free WiFi access point at her favorite coffee shop from her infected Windows laptop.
  • Steve sits down at the next able and fires up his laptop, which requests an IP address over the wireless local area network.
  • Jill’s PC injects a DHCP offer command to instruct Steve’s computer to route all DNS requests through a rogue DNS server.
  • Steve fires up his web browser and navigates to his favorite social networking site, but while the browser displays the correct URL name, the rogue DNS server has actually directed the browser to another site.

The same applies to any local area network (LAN) where multiple system connect via DHCP.

This is significant for several reasons:

  1. The DNSChanger/Puper/Zlob gang has been very successful, infecting millions of PCs during the last couple of years. This gang typically uses strong social engineering to entice victims into installing the malware.
  2. Systems that are not infected with the malware can still have the payload of communicating with the rogue DNS servers delivered to them. This is achieved without exploiting any security vulnerability.
  3. Locating a poisoned system on a sizable network is often a difficult task.
  4. Noninfected systems can alter between using approved DNS settings and rogue settings based on an infected system being on the LAN, and a random chance that the infected system will be able to “poison” the DCHP offer.

For those interested in the details, this DNSChanger variant drops the legitimate ArcNet NDIS Protocol Driver in the drivers directory:

  • %WinDir%\system32\drivers\ndisprot.sys

The Trojan uses this driver to inject DHCP Offer packets containing the rogue DNS server IPs.

Variants using this functionality are not known to be widespread at this point, though even a single infected system could potentially impact hundreds of other systems on the LAN. Though it’s awkward to check, users could examine their DNS settings to see if they have been impacted. For example, type the following from a Windows command prompt:

ipconfig /all

For insight into some of what the DNSChanger gang is after, see this post.

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (7)

  • Aa'ed Alqarta December 20, 2008 12:26PM

    I call it DNSChanger 2.0, it has changed the tactics now. Here is my writing about it and check out the protection/detection techniques checklist:

    http://extremesecurity.blogspot.com/2008/12/dns-chanager-20.html

  • owned December 13, 2008 5:01PM

    I’ve been infected with this variant, any solutions yet ?

  • jssheep December 10, 2008 4:00AM

    How do i know if McAfee has a signature for the latest DNSChanger, discoverd on the 5th of December? The symantec name is Trojan.Flush.M but can’t find it under this name at McAfee…

  • Jason December 8, 2008 4:01PM

    All the more reason to consider using trusted third party DNS networks, such as OpenDNS.

    https://www.opendns.com/smb/start

  • Use the Support Link December 7, 2008 3:36PM

    @Reporting a problem – still

    Instead of complaining maybe you should notice all of the more common blog platforms do this out of the box and leave well enough alone. You are reading a security post, on a security blog, if you cannot figure out how to edit a bookmark title, then maybe you shouldn’t be in INFOSEC at all.

  • Vishwa December 7, 2008 1:52PM

    -nice to read, good for understanding the concept, but leaves with no hope for people with insufficient knowledge.

    -i worked with a lot of people with mcafee on there comp.s and they have this problem while downloading mcafee or updating it.

    -i would suggest you to equip the mcafee Security Center and the mcafee installer with a tool which can do the required step on its own.

  • Reporting a problem - still December 5, 2008 9:19PM

    Please fix your Website. When I bookmark a blog posting, the bookmark’s name is:

    Computer Security Research – McAfee Avert Labs Blog

    where it should be the title of that particular blog posting.

    This is a long standing, and very annoying problem with your blog. Please fix it.

    Thanks