DNSChanger

Last updated

DNSChanger is a DNS hijacking Trojan. [1] [2] The work of an Estonian company known as Rove Digital, the malware infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over four million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue. [3]

Contents

Both Windows and Mac OS X variants of DNSChanger were circulated, the latter taking the form of a related Trojan known as RSPlug. The FBI raided the malicious servers on November 8, 2011, [4] but they kept the servers up after they capturing it to avoid affected users from losing Internet access until July 9, 2012.

Operation

DNSChanger was distributed as a drive-by download claiming to be a video codec needed to view content on a Web site, particularly appearing on rogue pornography sites. Once installed, the malware then modified the system's Domain Name System (DNS) configuration, pointing them to rogue name servers operated through affiliates of Rove Digital. [3] These rogue name servers primarily substituted advertising on Web pages with advertising sold by Rove. Additionally, the rogue DNS server redirected links to certain Web sites to those of advertisers, such as, for example, redirecting the IRS Web site to that of a tax preparation company. [5] The effects of DNSChanger could also spread itself to other computers within a LAN by mimicking a DHCP server, pointing other computers toward the rogue DNS servers. [5] In its indictment against Rove, the United States Department of Justice also reported that the rogue servers had blocked access to update servers for antivirus software. [6]

Shutdown and interim DNS servers

On October 1, 2011, as part of Operation Ghost Click (a collaborative investigation into the operation), the United States Attorney for the Southern District of New York announced charges against six Estonian nationals and one Russian national connected to DNSChanger and Rove Digital for wire fraud, computer intrusion, and conspiracy. [6] Estonian authorities made arrests, and the FBI seized servers connected to the malware located in the United States. [3]

Due to concerns by FBI agents that users still infected by DNSChanger could lose Internet access if the rogue DNS servers were shut down entirely, a temporary court order was obtained to allow the Internet Systems Consortium to operate replacement servers, which would serve DNS requests from those who had not yet removed the infection, and to collect information on those still infected in order to promptly notify them about the presence of the malware. [7] While the court order was set to expire on March 8, 2012, an extension was granted until July 9, 2012, due to concerns that there were still many infected computers. [5] F-Secure estimated on July 4, 2012, that at least 300,000 computers were still infected with the DNSChanger malware, 70,000 of which were located in the United States. [8] The interim DNS servers were officially shut down by the FBI on July 9, 2012. [9]

Impact from the shutdown was considered to be minimal, due in part to major Internet service providers providing temporary DNS services of their own and support to customers affected by DNSChanger. and informational campaigns surrounding the malware and the impending shutdown. These included online tools that could check for the presence of DNSChanger, while Google and Facebook provided notifications to visitors of their respective services who were still affected by the malware. [8] By July 9, 2012, F-Secure estimated that the number of remaining DNSChanger infections in the U.S. had dropped from 70,000 to 42,000. [9]

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

Ransomware is a type of cryptovirological malware that permanently block access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

<span class="mw-page-title-main">WinFixer</span> Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

<span class="mw-page-title-main">SpySheriff</span> Spyware

SpySheriff is malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, threatening them into buying the program. Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove, since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

The RSPlug Trojan horse, a form of DNSChanger, is malware targeting the Mac OS X operating system. The first incarnation of the trojan, OSX.RSPlug.A, was discovered on October 30, 2007 by Mac security researchers at Intego.

Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

OSX.FlashBack, also known as the Flashback Trojan, Fakeflash, or Trojan BackDoor.Flashback, is a Trojan horse affecting personal computer systems running Mac OS X. The first variant of Flashback was discovered by antivirus company Intego in September 2011.

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

References

  1. Trojan:Win32/Dnschanger.O – Microsoft
  2. "Antivirus scan for fdde13872caa1a0e1b9331188ca93b8fc424fed43d86d5cf53f6965f6a77184e] at 2017-01-30 04:47:37 UTC – VirusTotal". www.virustotal.com.
  3. 1 2 3 "How the most massive botnet scam ever made millions for Estonian hackers". Ars Technica. 10 November 2011. Retrieved 6 July 2012.
  4. "Esthost Taken Down – Biggest Cybercriminal Takedown in History – TrendLabs Security Intelligence Blog". 9 November 2011.
  5. 1 2 3 "Don't Lose the Internet in July! FBI Repeats DNSChanger Warning". PC World. Retrieved 6 July 2012.
  6. 1 2 "Seven charged in malware-driven click fraud case". Ars Technica. 9 November 2011. Retrieved 6 July 2012.
  7. Zetter, Kim. "'DNSChanger' Malware Could Strand Thousands When Domains Go Dark on Monday". Wired. Retrieved 6 July 2012.
  8. 1 2 "Are You Infected With DNSChanger Malware?". PC World. Retrieved 6 July 2012.
  9. 1 2 "ISPs Report Minimal DNSChanger Impact". PC World. Retrieved 13 July 2012.