Trojan.Win32.DNSChanger

Last updated

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 [1] and later detected by McAfee Labs on April 19, 2009. [2]

Contents

Behaviour

DNS changer trojans are dropped onto infected systems by other means of malicious software, such as TDSS or Koobface. [3] The trojan is a malicious Windows executable file that cannot spread towards other computers. Therefore, it performs several actions on behalf of the attacker within a compromised computer, such as changing the DNS settings in order to divert traffic to unsolicited, and potentially illegal and/or malicious domains. [2] [1]

The Win32.DNSChanger trojan is used by organized crime syndicates to maintain click fraud. The user's browsing activity is manipulated through various means of modification (such as altering the destination of a legitimate link to then be forwarded to another site), allowing the attackers to generate revenue from pay-per-click online advertising schemes. The trojan is commonly found as a small file (+/- 1.5 kilobytes) that is designed to change the NameServer registry key value to a custom IP address or domain that is encrypted in the body of the trojan itself. As a result of this change, the victim's device would contact the newly assigned DNS server to resolve names of malicious webservers. [4]

Trend Micro described the following behaviors of Win32.DNSChanger:

Alternative aliases

Other variants

F-Secure , a cybersecurity company, received samples of a variant that were named PayPal-2.5.200-MSWin32-x86-2005.exe. In this case, the PayPal attribution indicated that a phishing attack was likely. [5] The trojan was programmed to change the DNS server name of a victim's computer to an IP address in the 193.227.xxx.xxx range. [6]
The registry key that is affected by this trojan is:
  • HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\NameServer
Other registry modifications made involved the creation of the below keys:
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}, DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}, NameServer = 85.255.xxx.133,85.255.xxx.xxx
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, NameServer = 85.255.xxx.xxx,85.255.xxx.xxx [6]

See also

Related Research Articles

The computer file hosts is an operating system file that maps hostnames to IP addresses. It is a plain text file. Originally a file named HOSTS.TXT was manually maintained and made available via file sharing by Stanford Research Institute for the ARPANET membership, containing the hostnames and address of hosts as contributed for inclusion by member organizations. The Domain Name System, first described in 1983 and implemented in 1984, automated the publication process and provided instantaneous and dynamic hostname resolution in the rapidly growing network. In modern operating systems, the hosts file remains an alternative name resolution mechanism, configurable often as part of facilities such as the Name Service Switch as either the primary method or as a fallback method.

Botnet Collection of compromised internet-connected devices controlled by a third party

A botnet is a number of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Pharming is a cyberattack intended to redirect a website's traffic to another, fake site by installing a malicious program on the computer. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real IP addresses. Compromised DNS servers are sometimes referred to as "poisoned". Pharming requires unprotected access to target a computer, such as altering a customer's home computer, rather than a corporate business server.

Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. These are generally used to force hits to a particular website, increasing its advertising revenue.

OpenDNS Domain name system provided by Cisco using closed-source software

OpenDNS is an American company providing Domain Name System (DNS) resolution services—with features such as phishing protection, optional content filtering, and DNS lookup in its DNS servers—and a cloud computing security product suite, Umbrella, designed to protect enterprise customers from malware, botnets, phishing, and targeted online attacks. The OpenDNS Global Network processes an estimated 100 billion DNS queries daily from 85 million users through 25 data centers worldwide.

Storm Worm Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers that access the Web. They benefit cybercriminals by stealing information for subsequent sale and help absorb infected PCs into botnets.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.

The RSPlug Trojan horse, a form of DNSChanger, is malware targeting the Mac OS X operating system. The first incarnation of the trojan, OSX.RSPlug.A, was discovered on October 30, 2007 by Mac security researchers at Intego.

Alureon is a trojan and bootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.

Norton ConnectSafe was a free public DNS service offered by Symantec Corporation that claimed to offer a faster and more reliable web browsing experience while blocking undesirable websites. The service was retired on November 15, 2018.

DNSChanger is a DNS hijacking Trojan. The work of an Estonian company known as Rove Digital, the malware-infected computers by modifying a computer's DNS entries to point toward its own rogue name servers, which then injected its own advertising into Web pages. At its peak, DNSChanger was estimated to have infected over four million computers, bringing in at least US$14 million in profits to its operator from fraudulent advertising revenue.

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Point-of-sale malware

Point-of-sale malware is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. The simplest, or most evasive, approach is RAM-scraping, accessing the system's memory and exporting the copied information via a remote access trojan (RAT) as this minimizes any software or hardware tampering, potentially leaving no footprints. POS attacks may also include the use of various bits of hardware: dongles, trojan card readers, (wireless) data transmitters and receivers. Being at the gateway of transactions, POS malware enables hackers to process and steal thousands, even millions, of transaction payment data, depending upon the target, the number of devices affected, and how long the attack goes undetected. This is done before or outside of the card information being (usually) encrypted and sent to the payment processor for authorization.

Numbered Panda is a cyber espionage group believed to be linked with the Chinese military. The group typically targets organizations in East Asia. These organizations include, but are not limited to, media outlets, high-tech companies, and governments. Numbered Panda is believed to have been operating since 2009. However, the group is also credited with a 2012 data breach at the New York Times. One of the group's typical techniques is to send PDF files loaded with malware via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. Numbered Panda appears to be actively seeking out cybersecurity research relating to the malware they use. After an Arbor Networks report on the group, FireEye noticed a change in the group's techniques to avoid future detection.

References

  1. 1 2 "Trojan:Win32/Dnschanger". Microsoft Security Intelligence . December 7, 2006. Retrieved January 16, 2021.
  2. 1 2 "Virus Profile: DNSChanger". McAfee . April 19, 2009. Archived from the original on September 3, 2017. Retrieved January 16, 2021.
  3. 1 2 How DNS Changer Trojans Direct Users to Threats – Threat Encyclopedia – Trend Micro USA
  4. F-Secure. "Trojan:W32/DNSChanger" . Retrieved 17 December 2018.
  5. Phishing attack hits PayPal subscribers | V3
  6. 1 2 News from the Lab Archive : January 2004 to September 2015
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.