Trojan.Win32.DNSChanger

Short description: Trojan for Microsoft Windows

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006^[1] and later detected by McAfee Labs on April 19, 2009.^[2]

Behaviour

DNS changer trojans are dropped onto infected systems by other means of malicious software, such as TDSS or Koobface.^[3] The trojan is a malicious Windows executable file that cannot spread towards other computers. Therefore, it performs several actions on behalf of the attacker within a compromised computer, such as changing the DNS settings in order to divert traffic to unsolicited, and potentially illegal and/or malicious domains.^[2]^[1]

The Win32.DNSChanger trojan is used by organized crime syndicates to maintain click fraud. The user's browsing activity is manipulated through various means of modification (such as altering the destination of a legitimate link to then be forwarded to another site), allowing the attackers to generate revenue from pay-per-click online advertising schemes. The trojan is commonly found as a small file (+/- 1.5 kilobytes) that is designed to change the NameServer registry key value to a custom IP address or domain that is encrypted in the body of the trojan itself. As a result of this change, the victim's device would contact the newly assigned DNS server to resolve names of malicious webservers.^[4]

Trend Micro described the following behaviors of Win32.DNSChanger:

Steering unknowing users to malicious websites: These sites can be phishing pages that spoof well-known sites in order to trick users into handing out sensitive information. A user who wants to visit the iTunes site, for instance, is instead unknowingly redirected to a rogue site.
Replacing ads on legitimate sites: Visiting certain sites can serve users with infected systems a different set of ads from those whose systems are not infected.
Controlling and redirecting network traffic: Users of infected systems may not be granted access to download important OS and software updates from vendors like Microsoft and from their respective security vendors.
Pushing additional malware: Infected systems are more prone to other malware infections (e.g., FAKEAV infection).^[3]

Alternative aliases

Win32:KdCrypt[Cryp] (Avast)
TR/Vundo.Gen (Avira)
MemScan:Trojan.DNSChanger (Bitdefender Labs)
Win.Trojan.DNSChanger (ClamAV)
variant of Win32/TrojanDownloader.Zlob (ESET)
Trojan.Win32.Monder (Kaspersky Labs)
Troj/DNSCha (Sophos)
Mal_Zlob (Trend Micro)
MalwareScope.Trojan.DnsChange (Vba32 AntiVirus)

Other variants

Trojan.Win32.DNSChanger.al

F-Secure, a cybersecurity company, received samples of a variant that were named PayPal-2.5.200-MSWin32-x86-2005.exe. In this case, the PayPal attribution indicated that a phishing attack was likely.^[5] The trojan was programmed to change the DNS server name of a victim's computer to an IP address in the 193.227.xxx.xxx range.^[6]

The registry key that is affected by this trojan is:

HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\NameServer

Other registry modifications made involved the creation of the below keys:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}, DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}, NameServer = 85.255.xxx.133,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, NameServer = 85.255.xxx.xxx,85.255.xxx.xxx^[6]

References

External links

How DNS Changer Trojans Direct Users to Threats by TrendMicro
FBI: Operation Ghost Click (F-Secure)
‘Biggest Cybercriminal Takedown in History’ (Brian Krebs @ krebsonsecurity.com)
Analysis of a DNSChanger file at VirusTotal

0.00

(0 votes)

Original source: https://en.wikipedia.org/wiki/Trojan.Win32.DNSChanger. Read more

[autogenerated2-1] 1.0 ^1.1 "Trojan:Win32/Dnschanger". Microsoft Security Intelligence. December 7, 2006. https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=trojan:win32/dnschanger.

[autogenerated1-2] 2.0 ^2.1 "Virus Profile: DNSChanger". McAfee. April 19, 2009. https://home.mcafee.com/virusInfo/VirusProfile.aspx?key=154863.

[autogenerated4-3] 3.0 ^3.1 How DNS Changer Trojans Direct Users to Threats – Threat Encyclopedia – Trend Micro USA

[F-Secure-4] F-Secure. "Trojan:W32/DNSChanger". https://www.f-secure.com/v-descs/dnschang.shtml. Retrieved 17 December 2018.

[5] Phishing attack hits PayPal subscribers | V3

[autogenerated3-6] 6.0 ^6.1 News from the Lab Archive : January 2004 to September 2015

[1]

[2]

[3]

[4]

[5]

[6]

Anonymous

Search

Trojan.Win32.DNSChanger

Namespaces

More

Page actions

Contents

Behaviour

Alternative aliases

Other variants

See also

References

External links

Navigation

Navigation

Help

Translate

Wiki tools

Wiki tools

Anonymous

Search

Trojan.Win32.DNSChanger

Behaviour

Alternative aliases

Other variants

See also

References

External links

Navigation

Wiki tools

Page tools

Other projects

Categories