Trojan.Win32.DNSChanger

Trojan.Win32.DNSChanger (or Trojan:Win32/Dnschanger at the Microsoft Malware Protection Center) is the name used by multiple antivirus labs for a (backdoor) Trojan. According to McAfee Labs, this malware variant was detected on April 19, 2009, though the Microsoft Malware Protection Center had known about this threat since December 8, 2006.[1][2]

Behaviour

DNS changer Trojans are dropped onto systems by other malware such as TDSS or Koobface.[3] The DNSChanger Trojan is a malicious .exe file, but it cannot spread on its own. Once present, it can perform several actions of an attacker's choice on a compromised computer, such as changing the Domain Name System (DNS) settings in order to divert traffic to unsolicited, and potentially illegal or malicious, domains.[1][2]

Win32.DNSChanger is used by organized crime syndicates to carry out click fraud. The unaware user's browsing activity is secretly manipulated (for example, a user who clicks on a seemingly legitimate link is forwarded to a different site) so that the attackers can generate revenue from pay-per-click online advertising schemes. The trojan is usually an extremely small file (roughly 1.5 kilobytes) designed to change the 'NameServer' registry value to a custom IP address or link. The IP address it writes is stored encrypted in the body of the trojan. As a result of this change, the victim's device contacts the newly assigned DNS server to resolve the names of web servers, sometimes at random.

Trend Micro described the following behaviors of Win32.DNSChanger:
  • Steering unknowing users to bad sites: These sites can be phishing pages that spoof well-known sites in order to trick users into handing out sensitive information. A user who wants to visit the iTunes site, for instance, is instead unknowingly redirected to a rogue site.
  • Replacing ads on legitimate sites: Visiting certain sites can serve users with infected systems a different set of ads from those whose systems are not infected.
  • Controlling and redirecting network traffic: Users of infected systems may not be granted access to download important OS and software updates from vendors like Microsoft and from their respective security vendors.
  • Pushing additional malware: Infected systems are more prone to other malware infections (e.g., FAKEAV infection).[3]

Other Variants

  • Trojan.Win32.DNSChanger.al

F-Secure received samples of a variant named PayPal-2.5.200-MSWin32-x86-2005.exe. In this case the PayPal attribution indicates that phishing is likely.[4] This trojan was programmed to change the DNS server name of a victim's computer to the IP address 193.227.227.218.[5]

The Registry key that is affected by this trojan is:

  • HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\NameServer

Other registry modifications involve creating or setting these values (the rogue server addresses are partially masked in the source):

  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random} DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random} NameServer = 85.255.xxx.133,85.255.xxx.xxx
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ NameServer = 85.255.xxx.xxx,85.255.xxx.xxx[5]
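The behaviour described above (rewriting NameServer/DhcpNameServer values under Tcpip\Parameters) and the registry values just listed are what a defender audits for. The following is an added example, not code from the article or from any vendor: it parses a registry export in .reg format and flags DNS entries matching the indicators the article gives (193.227.227.218 and the 85.255.x.x range). The sample export and its interface GUID are constructed for the example.

```python
"""Audit a .reg export of Tcpip\\Parameters for DNS-changer style NameServer edits."""
import ipaddress
import re

# Indicators taken from the article: the .al variant pointed victims at
# 193.227.227.218, and other modifications used servers in 85.255.x.x.
KNOWN_ROGUE_DNS = {ipaddress.ip_address("193.227.227.218")}
ROGUE_DNS_PREFIXES = [ipaddress.ip_network("85.255.0.0/16")]

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(NameServer|DhcpNameServer)"="([^"]*)"$')


def parse_dns_values(reg_export):
    """Return [(key_path, value_name, [server, ...])] for every NameServer
    or DhcpNameServer value found in the export text."""
    results, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = VALUE_RE.match(line)
        if val and current_key:
            servers = [s for s in re.split(r"[ ,]+", val.group(2)) if s]
            results.append((current_key, val.group(1), servers))
    return results


def flag_rogue(servers):
    """Return the servers that match the article's indicators; non-IP
    strings (hostnames, garbage) are skipped rather than matched."""
    hits = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            continue
        if ip in KNOWN_ROGUE_DNS or any(ip in net for net in ROGUE_DNS_PREFIXES):
            hits.append(s)
    return hits


def audit(reg_export):
    """List every key/value whose DNS servers include a known rogue address."""
    return [{"key": k, "value": n, "rogue": flag_rogue(v)}
            for k, n, v in parse_dns_values(reg_export) if flag_rogue(v)]


# Constructed sample export (not a real capture); the GUID is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="85.255.0.133,85.255.0.134"
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}]
"NameServer"="193.227.227.218"
"DhcpNameServer"="192.168.1.1"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

On a live system the same check applies to the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, with the indicator lists extended from whatever threat intelligence the defender trusts.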

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.