
DNS Changer trojan: Latest variant is certainly unique

The developers of the DNS Changer trojan have been busy, three generations just in the past year. The newly released version is the one we need to worry about. Learn how to find and combat it.

As the name implies, DNS Changer (Trojan.Flush.M) is a malware application that replaces the correct IP addresses of the primary and secondary DNS servers with addresses designated by the attacker. Once that happens, every name resolution request is directed to the attacker's DNS servers, which, depending on the circumstances, may respond with correct or incorrect DNS records.

Why, you may ask? It's all about deception. If the attackers have their DNS servers respond correctly to the majority of name resolution requests, most users aren't going to suspect anything. Besides, what the attackers really want are name resolution requests for the legitimate Web sites they have created malicious copies of.

If such a request is received, the attacker's DNS server will then send the name record for the malicious Web site instead of the correct name record. Once the user's Web browser downloads the fake Web site, it's relatively easy to use one of several exploits to get personal information about the user or download additional malware.

This trojan has some notoriety in that DNS Changer targets Mac OS X as well as Windows operating systems. Some experts even say that DNS Changer influenced Apple to publicly advise (but quickly retract) Mac users that antivirus software might be a good idea.

What's also interesting about DNS Changer is the fairly intense scrutiny that it's received throughout its existence. By watching closely, security analysts are learning right along with the malware coders what works and what doesn't when it comes to malware propagation.

Even with three different versions of DNS Changer, the results are always the same: Compromised computers are configured to use the attacker's DNS servers. Like the analysts, it's a good idea for all of us to understand how the trojan works, simply because increased awareness reduces our risk.

Version 1

Security analysts first noticed version 1 in January 2008. Version 1 tries to take advantage of users who are attempting to download movies from a Web site. It's the typical scam where the Web site points out that a special file or codec needs to be installed on the user's computer in order for the movie to play. In reality, the codec is the dropper that starts the installation of the trojan and, after asking the user for admin rights, installs DNS Changer on the computer.

Version 1 perplexed security analysts because it was almost totally benign. It changes the DNS settings on the computer under attack and reports back to specified command and control servers, and that's it. Still, version 1 made trojan history in that it targeted Apple as well as Microsoft operating systems.

Version 2

Version 2 surfaced around July 2008 using similar drive-by dropper techniques to get installed. After being installed on a computer, version 2 attempts to determine the management username and password of any gateway routers on the network. If DNS Changer successfully determines the admin credentials, it then has access to the gateway router's Web-based configuration.

The next step is to change the gateway router's DNS server settings to the attacker's DNS servers, after which every computer that receives a DHCP lease from the gateway router gets the erroneous DNS server IP addresses and, as with version 1, any name resolution request is sent to the attacker's DNS server.

This tactic has merit if you think about it. Even if the trojan is removed from the computer, name resolution remains compromised, because the gateway router continues to advertise the attacker's DNS servers. Still, this version is losing its appeal. People are starting to understand the need to change the default settings on their network-management devices, which removes version 2's attack vector.

Version 3

Version 3 was just discovered this month, and the malware coders seem to have gotten it right this time. The trojan sets up ndisprot.sys (NDIS protocol driver) as a registered service, which in turn creates a working DHCP server on the compromised computer. The rogue DHCP server then tries to intercept DHCPDISCOVER packets from the remaining computers on the network, ultimately supplying the querying computer with DHCP responses containing IP addresses of the attacker's DNS servers.

The trick here is for the rogue DHCP server to respond faster than the authorized DHCP server. If the DHCP client accepts the DHCP query response from the rogue DHCP server, it's all over. The rogue DHCP server supplies an internal network IP address with a very long lease time as well as IP addresses for the attacker's primary and secondary DNS server.

Version 3 has all sorts of implications. For example, what if a computer compromised with version 3 of DNS Changer connected to an open Wi-Fi hot spot? Any new arrivals may get erroneous DNS information from the rogue DHCP server. This variant also has a much better chance of succeeding, because it doesn't have to try to guess default management credentials.

Things to watch out for

SANS Internet Storm Center notes that "it's probably wise to at least monitor traffic to 85.255.112.0 to .255, if not block it." For now this appears to be the IP address range used by the malicious DNS servers. On individual computers, the user can easily determine the IP addresses of the primary and secondary DNS servers by using ipconfig (Windows), ifconfig (Linux), or System Preferences (Mac).
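As an added example (not code from the original article), here is a small Python check that pulls the configured resolvers out of ipconfig /all output on Windows and out of /etc/resolv.conf on Linux (the file the resolvers actually live in) and compares them with an allowlist. The ipconfig and resolv.conf text is constructed sample input; the two 85.255.x.x addresses in it are the ones that appear in the Malwarebytes log a reader posted in the comments, and the 192.168.1.1 allowlist entry is a placeholder for your own resolver. The 85.255.112.0/24 range check on its own would miss 85.255.116.102, which is why servers that are simply not on the allowlist are reported as well.

```python
"""Extract configured DNS servers from host tooling output and check them.

Added example, not from the original article. SAMPLE_IPCONFIG and
SAMPLE_RESOLV are constructed sample input; 192.168.1.1 is a placeholder
for the resolver you actually expect.
"""
import ipaddress
import re

# Range the article quotes from SANS ISC; extend it as new addresses are reported.
FLAGGED_RANGES = [ipaddress.ip_network("85.255.112.0/24")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def dns_servers_from_ipconfig(text: str) -> list:
    """Parse 'ipconfig /all' output. Extra DNS servers follow on indented
    continuation lines that carry nothing but the address."""
    servers, in_dns = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns = True
            m = IPV4.search(stripped.split(":", 1)[1])
            if m:
                servers.append(m.group(1))
            continue
        if in_dns and re.match(r"^\s+\S+$", line):
            # single-token continuation line; IPv6 entries are skipped here
            if IPV4.fullmatch(stripped):
                servers.append(stripped)
            continue
        in_dns = False  # any other line ends the DNS Servers block
    return servers


def dns_servers_from_resolv_conf(text: str) -> list:
    """Parse /etc/resolv.conf 'nameserver' lines, ignoring comments."""
    servers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("nameserver"):
            m = IPV4.search(stripped)
            if m:
                servers.append(m.group(1))
    return servers


def check_dns_servers(servers, allowlist) -> list:
    """Return (server, reason) pairs. A server inside a flagged range is
    reported as such; any other server not on the allowlist is reported too,
    so addresses outside the published range still surface."""
    problems = []
    for s in servers:
        ip = ipaddress.ip_address(s)
        if any(ip in net for net in FLAGGED_RANGES):
            problems.append((s, "in flagged range"))
        elif s not in allowlist:
            problems.append((s, "not in allowlist"))
    return problems


# --- constructed sample input -------------------------------------------
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.116.102
                                       85.255.112.199
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

SAMPLE_RESOLV = """\
# constructed sample /etc/resolv.conf
nameserver 192.168.1.1
nameserver 85.255.112.199
"""

if __name__ == "__main__":
    expected = {"192.168.1.1"}  # placeholder for your own resolver(s)
    for name, servers in (("ipconfig", dns_servers_from_ipconfig(SAMPLE_IPCONFIG)),
                          ("resolv.conf", dns_servers_from_resolv_conf(SAMPLE_RESOLV))):
        for server, reason in check_dns_servers(servers, expected):
            print(f"{name}: {server} {reason}")
```

Feed it the real output of `ipconfig /all` or the contents of `/etc/resolv.conf` and put your own resolver addresses in the allowlist; anything reported is worth comparing with what your router and DHCP server are supposed to hand out.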

As for rogue DHCP servers on the network, there are applications such as DHCP Find that locate and report all pertinent information about any clandestine DHCP servers that are on the same network.
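The version 3 behaviour described above (a second DHCP server racing the real one and handing out the attacker's DNS addresses with a very long lease) leaves a footprint in DHCP traffic that a rogue-DHCP monitor such as DHCP Find looks for. As an added example, and not code from the article or from DHCP Find, the Python below parses DHCP OFFER/ACK payloads and flags the three tells: a server identifier that is not the authorized DHCP server, DNS option values inside the 85.255.112.0/24 range SANS ISC named, and a lease longer than a week (the one-week threshold is my assumption). The two packets are constructed with make_sample_offer and are only parsed, never put on the wire; obtaining real payloads (a capture filtered on UDP ports 67 and 68, for instance) is outside the example.

```python
"""Audit DHCP OFFER/ACK payloads captured on the LAN for the rogue-server
pattern the article describes.

Added example, not part of the original article. It assumes you already have
the raw DHCP payload bytes (the UDP payload from a packet capture); the
packets used below are constructed with make_sample_offer() and never sent.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 51, 53, 54
OFFER, ACK = 2, 5

# Range the article quotes from SANS ISC; extend as new addresses are reported.
FLAGGED_DNS_RANGES = [ipaddress.ip_network("85.255.112.0/24")]
# Assumption: a client lease longer than a week deserves a look.
MAX_SANE_LEASE = 7 * 24 * 3600


def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw bytes} from the DHCP options field."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:        # pad byte
            i += 1
            continue
        if code == 255:      # end marker
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def audit_offer(payload: bytes, authorized_servers):
    """Inspect one OFFER/ACK; returns None for other DHCP message types."""
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] not in (OFFER, ACK):
        return None
    server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None
    raw_dns = opts.get(OPT_DNS, b"")
    dns = [str(ipaddress.IPv4Address(raw_dns[k:k + 4])) for k in range(0, len(raw_dns) - 3, 4)]
    lease = struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None
    findings = []
    if server not in authorized_servers:
        findings.append(f"unauthorized DHCP server {server}")
    for ip in dns:
        if any(ipaddress.ip_address(ip) in net for net in FLAGGED_DNS_RANGES):
            findings.append(f"DNS server {ip} is in a flagged range")
    if lease is not None and lease > MAX_SANE_LEASE:
        findings.append(f"lease of {lease}s exceeds {MAX_SANE_LEASE}s")
    return {"server": server, "dns": dns, "lease": lease, "findings": findings}


def audit_capture(payloads, authorized_servers) -> dict:
    """Audit many payloads and list every distinct server identifier seen:
    more than one answering server on a single-server LAN is itself a tell."""
    results = [r for r in (audit_offer(p, authorized_servers) for p in payloads) if r]
    return {"servers_seen": sorted({r["server"] for r in results if r["server"]}),
            "alerts": [r for r in results if r["findings"]]}


def make_sample_offer(server_ip, dns_ips, lease_seconds, yiaddr="192.168.1.50") -> bytes:
    """Constructed OFFER used only as test input for the audit above."""
    def packed(addr):
        return ipaddress.IPv4Address(addr).packed
    # fixed BOOTP header: op=2 (reply), htype=1, hlen=6, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file  (236 bytes)
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         bytes(4), packed(yiaddr), packed(server_ip), bytes(4),
                         bytes(16), bytes(64), bytes(128))
    opts = bytes([OPT_MSG_TYPE, 1, OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + packed(server_ip)
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease_seconds)
    dns = b"".join(packed(d) for d in dns_ips)
    opts += bytes([OPT_DNS, len(dns)]) + dns + b"\xff"
    return header + MAGIC_COOKIE + opts


if __name__ == "__main__":
    capture = [  # constructed: the legitimate router, then a rogue with a huge lease
        make_sample_offer("192.168.1.1", ["192.168.1.1"], 86400),
        make_sample_offer("192.168.1.77", ["85.255.116.102", "85.255.112.199"], 0xFFFFFFFF),
    ]
    summary = audit_capture(capture, {"192.168.1.1"})
    print("servers seen:", summary["servers_seen"])
    for alert in summary["alerts"]:
        print(alert["server"], alert["findings"])
```

The servers_seen list matters even when no single offer trips a rule: two server identifiers on a segment that is supposed to have one DHCP server is the alert. Note also that 85.255.116.102 in the rogue offer passes the range check and is caught only by the unauthorized-server rule, so the authorized list is the more robust of the two.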

It appears that most antivirus applications have signatures for all three versions of DNS Changer, and that's a good thing. So, make sure your AV application is up to date. Even so, please be cautious: because versions 2 and 3 tamper with the router or the network rather than the host, DNS redirection can occur even if your computer is clean.

Final thoughts

All variations of DNS Changer are in the wild, but version 3 is the one to watch out for. If possible, I'd suggest setting up the computer's working network interface to use static IP addresses for the DNS servers. OpenDNS is highly recommended for this, and their Web site explains exactly what to do. OpenDNS also eliminates several other potential problems such as Kaminsky's bug.

If static DNS server IP addresses aren't an option, typical of larger networks, the monitoring of traffic destined for the 85.255.112.0 to .255 subnet becomes important. Using some sort of rogue DHCP server monitor is also equally important.



47 comments
onn.elboher

My experience included: some sites blocking me (malicious activity accusations), couldn't Windows Update my computer, including Windows Defender, couldn't update Ad-Aware. This morning NOD32 antivirus wouldn't start, and that's what broke me. I tried to remove the malicious IP addresses from my DHCP and DNS servers in the registry but they would consistently be restored after a couple of seconds. Windows Defender, SpyBot S&D, Ad-Aware, and NOD32, all couldn't find/fix the problem. I downloaded recent Malwarebytes from a friend's computer and put it on a flash drive. I restarted my computer in safe mode. I installed Malwarebytes in safe mode. Performed a Quick Scan. After 4 minutes it reported finished scanning and identifying the malware. Removed it. Restarted into Safe Mode. Re(quick)scanned. Nothing found. Restarted into standard mode. All is working perfectly. No weird DNS addresses updated. Windows updates work fine. NOD32 working again. Ad-Aware updates. ALL GOOD!!! Thank you Malwarebytes!

------------------------------------------------------
This is the Malwarebytes cleanup log:
------------------------------------------------------

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 6.0.6001 Service Pack 1

25/01/2009 16:41:46
mbam-log-2009-01-25 (16-41-46).txt

Scan type: Quick Scan
Objects scanned: 49293
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9abf2060-a60e-428b-8555-f138fb987011}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b592b481-3e71-49ab-b1f7-5f7b77908212}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b592b481-3e71-49ab-b1f7-5f7b77908212}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9abf2060-a60e-428b-8555-f138fb987011}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b592b481-3e71-49ab-b1f7-5f7b77908212}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b592b481-3e71-49ab-b1f7-5f7b77908212}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9abf2060-a60e-428b-8555-f138fb987011}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b592b481-3e71-49ab-b1f7-5f7b77908212}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b592b481-3e71-49ab-b1f7-5f7b77908212}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.102;85.255.112.199 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\msqpdxwqsctmei.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\drivers\msqpdxnbcbcrrx.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Pure_Guava

If your network has any sort of Layer 2 security enabled, rogue DHCP ACKs cannot pass to most ports. Only the port(s) containing the valid DHCP server are allowed to pass DHCP packets. I know that this is true for Nortel gear, as well as Cisco. Search for George Ou's article on Layer 2 security on TR for more.

arthurkuhns

Thank you Michael for this information. art

Jaqui

and all this stuff becomes irrelevant. :p

santeewelding

Do you mean that if I suspect maggots on the underside of something, I should attend to each of the maggots?

JackOfAllTech

At home, I use OpenDNS on my router (verified every day), I have a firewall on all the computers that ONLY allows pre-defined applications to access the network, and I have an AV that does real-time monitoring as well as daily full scans. Not one has ever been compromised at home and when my daughter got something on her laptop at college, it was identified and removed as soon as she connected to my home network.

rouschkateer

I had this on my laptop; Malwarebytes, SS&d, AVG 8.0 - none of these plus others could get rid of it! Please be aware that this variant is tough!

Michael Kassner

DNS Changer is a sneak attack on DNS server information. What makes it so insidious is that the changes caused by the trojan typically remain even if the malware is removed. Check out the article, just to make sure your computers aren't already compromised.

JCitizen

I love dissecting malware entries, and would love your tilt on what happened. I've noticed NOD32 generally ignores many types of malware as long as it doesn't detect a heuristic move by the malware. I think this is why it uses so little system resources and needs small updates. But I wonder if the bug was prevalent before you put ESET's product on your computer? I'd love your analysis on this. If the bug was present before installation and used registry entries to eventually trip up AV and AS solutions, it wouldn't have to necessarily make a move. Have you ever used CCleaner's registry cleaner? I've found resident malware on people's PCs that seemed to use similar wait-in-state trojan tactics, and once I did a registry cleanup, either Avast or NOD32 would nail the bug attempting to cover up its tracks. Just wondering. Also, have you been using Ad-Aware Anniversary Edition? This new version has way better scan and heuristic analysis, and has bopped some malware Norton couldn't find on my Vista x64 (I know, no surprise it beat Norton). I'm running NIS 2009 on that machine as I can't find a way to uninstall Norton without damaging my security policies on the installation. The Norton cleanup tool actually fixes most of the registry, believe it or not; it is file permissions and administrative control that gets kinked.

seanferd

I, for one, appreciate the story and the log file.

Michael Kassner

You both help a great deal as well as many other members. I didn't even realize that article was there, thanks for pointing it out. You are one heck of a Web crawler, definitely got me beat.

JCitizen

what with Michael's great work! Now if I could just find more of his articles in my email alerts! I'm not very good at that! =(

Dumphrey

that most likely does not have a managed switch to enable layer 2 security. Most security oriented business should be "safe" from this exploit in the host level. The scary part is: "The next step is to change the gateway router's DNS server settings to that of the attacker's DNS servers. After which all the computers that receive DHCP leases from the gateway router will get erroneous DNS server IP addresses, and as with version 1 any name resolution requests will be sent to the attacker's DNS server." Another home user exploit, but at the enterprise lvl, a rogue DNS could create race conditions with your ISP DNS, win, and get exploit IPs cached in the enterprise DNS server. (Think google.com going to yourrooted.ru etc.) Easy to do? No. Possible? Yes. "This tactic has merit if you think about it. Even if the trojan is removed from the computer name, resolution remains compromised, because the gateway router continues to advertise the attacker's DNS servers" UPnP routers are easy for Joe Appliance user, but plain stupid in terms of security. Call me paranoid, but I just don't like commodity routers aimed at the home market. I equate it to using masking tape as a seat belt... But, you are right. Layer 2 security, not running a Windows machine as admin, and keeping an eye on logs and settings go a long way to minimizing any risk. In-line Snort with a custom rule couldn't hurt either.

Michael Kassner

If you are concerned about individuality or the greater good.

Michael Kassner

I didn't want to miss anything. You mentioned that you verify OpenDNS daily. Is that done manually via the router's configuration or does OpenDNS have a feature that I may not know about?

Michael Kassner

Can you share how you eventually got rid of it? I for one would appreciate learning how.

Michael Kassner

J, do you think most of the problems you are having are because TPVs aren't totally up to speed with 64 bit?

seanferd

at OpenDNS. I check on their infrequent new articles and stuff sometimes. Actually, they are working with Netgear and 2Wire for some sort of integration with their routers. Apparently, filtering will be available on a per computer or per user basis with these routers. That will make a lot of folks happy.

JCitizen

your gateway has been reconfigured to begin with? I agree with you on (NOT) using common management interfaces for these devices, as they could be easily manipulated by a script crafted to the commonly used consoles.

jashton

Michael, I was surprised that no one had posted a cure for this yet. If anyone is interested I would like to tell the story. My network is protected by an IBM Proventia MX security device, so I was very surprised to have caught this bug. I was working on a system that was used as a fax server and had no anti-virus software installed. I was doing research on new backup software and downloaded what was supposed to be a demo. Pretty quickly I could tell something was going wrong with DNS. I installed Avast right away from a USB key, but it would not update and found nothing during scans. I used HijackThis to remove anything out of the ordinary and delete the bogus DNS server entries. They kept getting switched back. I noticed I could not open items in "My Computer" unless I right clicked and hit Explore. I browsed out to a network drive and ran a reasonably up to date copy of Malwarebytes Anti-Malware. It cleaned the trojan off and rebooted, but it did not get all of it. I downloaded an up to date copy, installed and ran it again, cleaning the rest off. I then right clicked my network card connection and hit Repair. Then I put my in-house DNS server IP address back into the TCP/IP settings. I then ran good old Dial-a-fix to refresh everything. Rebooted and presto! Everything was updating and the internet worked properly. I am sorry that I did not get the exact version of the trojan. I may have got lucky and stumbled upon just the right sequence of repair flailing to kill the thing.

JCitizen

for most of the attack vector activity. A properly crafted bug such as this would not need install rights and could operate surreptitiously during the session without much indication of its dirty deeds. Hopefully a wary, paranoid person such as Jaqui could spot something suspicious nonetheless. If one is in tune with one's own computer, and how it behaves normally, it seems like the nose always tells.

shodges119

The article states that this trojan is effective against Macs; however, the new Mac operating systems are based on a UNIX/Linux environment at the kernel level. Have there been any confirmed Linux issues with this variant as well?

JackOfAllTech

that checks my router settings and set it to run everyday.

rouschkateer

Unfortunately, I tried all different scans - including a rootkit remover - I had to reload my OS (Win XP SP 3 w/ all updates)

JCitizen

Sorry it took so long Michael. In the case of Symantec, nothing would surprise me. As to how the Third Party Verification process works, though, I will have to beg ignorance about that. It could be I didn't uninstall NIS 2009 correctly also. I noticed the Symantec technicians always use the Norton cleanup tool to do the entire uninstall; so just uninstalling it is definitely a waste of time. I must admit I can't remember which method I used, but I've since been reading that Vista Home does indeed have something like the XP Home local administrator built into the OS. I've read that you can download scripts from Microsoft and other reputable third parties that can invoke a GPO response from the local machine properties of the operating system, to give one the same power as the old XP Home administrator. I have been hesitant to do this however, because without a full-fledged Business edition and the full MMC capability, I am nervous that I could be compromising the inherent security that is built into Vista. HP has a bad habit of placing the "take ownership" tweak tool on customers' computers to make quick fixes, and I feel even this compromises the new security model for Home Vista. Bear in mind, I don't have a choice because of cable DRM standards for Vista, in what flavor of Vista I can use. Only one special version of Vista x64 is allowed to incorporate open cable standards. Or should I say "closed cable standards"! I even have to have a separate product key for the privilege of recording programs through the special version of Media Center that is issued with this OS!! Too bad this is such a narrow issue to be interesting to TR members or I would post a discussion of it on TechRepublic. I suppose most folks go to TheGreenButton.com - however, I've been there and their format is tedious to the extreme!

Michael Kassner

It is a good idea for the less conversant users. I tend to be more philosophical in my thought process. Not liking to be reliant on one of anything, why can't everyone hosting DNS servers be that responsible?

seanferd

But I doubt it would preclude the addition of other nameservers. Many routers seem to have more than two slots for DNS. I think the integration thing is mostly for control of filtering should one use OpenDNS. Then again, I've not seen anything specific about the configs from any party involved. I assume that this is because they aren't done creating these things yet.

Michael Kassner

As I see it, it's a good thing possibly, but I'd rather have an informed user make that decision. What if OpenDNS goes down? I always have two different DNS sources listed.

JCitizen

if the .bat file or whatever the bug uses to reconfigure your gateway/router device, I am positive it will make sure you're pointed to the malware server. This is what I was talking about. Not having a well-known GUI for the router, or making sure something is not resident during your logon session to your device, can go a long way toward someone NOT owning your server/router/etc. device. I've read and witnessed too much; the paranoia is great, and verifiable. (edited for html control errors)

Michael Kassner

We have to be careful here as there are in reality three exploit vectors. If there is an ambiguity, it's certainly my fault and I sincerely apologize. Layer 2 security is workable if you have network management devices configured to only allow specified DHCP servers.

JCitizen

perhaps your device needs a bad server/site blocker, or at least put Site Advisor on your desktop. I don't know what the charge for business use is. I use it at home, but at my last contract I wasn't privy to what we used on our internet server. Whatever the solution was, it was very good at blocking URLs that were dangerous or nobody had any business going to anyway. It can save a lot of headache, especially if the clients are still on XP Pro. I never lost any functionality that I needed to do IT research, so I was very happy with the performance. I just wished I had asked the question at our meetings on which solution we were using.

JCitizen

I looked at the article and couldn't determine if this new scanner would only detect Windows viruses. Of course that alone is valuable, even for Unix. I really like BitDefender's online scanner, and use it religiously to check the veracity of clients' AV solutions. Sorry I'm late to respond - got busy with weapons projects and several deaths in the family - no relation between the two =( Thanks for the links!!!!

Michael Kassner

J must be busy, I haven't heard a peep from him for a while.

JCitizen

is - Who could be watching my session? A valuable lesson in XP is that even uninstalled spyware can watch your video and keyboard input through the I/O channels of the circuitry, and evaluate this data for nefarious purposes. Anti-keyloggers were notoriously ineffective in catching this activity in my experience. The only defense has been Snoopfree Privacy Shield, the only utility that actually watches for activity in this way. Ever since I went to Vista, I've felt naked without this capability. Of course a good password vault can help negate any dangerous activity; but Snoopfree and Comodo Defense+ have given me a very scary education on just what goes on inside the operating system and how application code interacts with it.

rkuhn040172

The point of the program isn't necessarily to infect every PC it comes across. In Jaqui's world, all it would take is one Windows box to be infected and trick his Linux box to get its DHCP information from it instead of his server or router. So, even if Linux was immune to the trojan itself, Linux isn't immune to the effects of it.

JCitizen

it matters not what language your gateway works in, if the bug can gain access to your GUI. This is mentioned in the article. I would think this bug could do this without administrative rights - if you like to go into your router from a restricted account every so often, like I do. I would think it could simply wait until you're logged on and manipulate the GUI very rapidly and possibly without notice if you're not watching the screen carefully. I witnessed .bat exe files do much more difficult moves than this in just seconds! Fortunately those can only be effective on the XP administrator desktop. I use a relatively obscure GUI on my gateway, but this still makes me nervous; a good video/keyboard firewall like Snoopfree Privacy Shield can go a long way toward mitigating this, if the bug has to read either of those sources. I would think the trojan could be HTTPS/SSL aware of this kind of traffic without having to do this, however.

Michael Kassner

First, I've not seen proof that the actual dropper accesses Linux devices like it does Windows and Macs. I suspect it does though. Second, if version 3 has infected any computer on the network, computers using Linux will be affected by the rogue DHCP server.

JCitizen

My gateway access point does have pretty good armor against compromise; but nonetheless I believe in set and verify. If it does; I'd buy that for more than a dollar!!!

Michael Kassner

Something like that would be pretty valuable in this situation.

JCitizen

Did you try Avast? I would think NOD32 could make hash out of it for sure!

Michael Kassner

I'd love to learn what scanners or steps you tried. I'm trying to compile a real-world what-works-and-what-doesn't list.

NetSecPro

The same thing happened to me a few weeks ago. Couldn't get rid of it, tried several tools, eventually had to slick and rebuild.

Michael Kassner

I suspected as much, but being the eternal optimist I thought just maybe there was an answer. Don't give up and if you do find the answer please let us know.