As the name implies DNS Changer (Trojan.Flush.M) is a malware application that replaces the correct IP addresses used for the primary and secondary DNS servers with those designated by the attacker. Once that happens, any name resolution that’s required will be directed toward the attacker’s DNS servers. Depending on the circumstances, the attacker’s DNS servers could respond with correct or incorrect DNS records.

Why you may ask? It’s all about deception. If the attackers have their DNS servers respond correctly for a majority of name resolution requests, most users aren’t going to suspect anything. Besides what the attackers really want are name resolution requests for legitimate Web sites that they have created malicious copies of.

If such a request is received, the attacker’s DNS server will then send the name record for the malicious Web site instead of the correct name record. Once the user’s Web browser downloads the fake Web site, it’s relatively easy to use one of several exploits to get personal information about the user or download additional malware.

This trojan has some notoriety in that DNS Changer targets Mac OS X as well as Windows operating systems. Some experts even say that DNS Changer influenced Apple to publically advise (but quickly retract) Mac users that antivirus software might be a good idea.

What’s also interesting about DNS Changer is the fairly intense scrutiny that it’s received throughout its existence. By watching closely, security analysts are learning right along with the malware coders what works and what doesn’t when it comes to malware propagation.

Even with three different versions of DNS Changer, the results are always the same: Compromised computers are configured to use the attacker’s DNS servers. Like the analysts, it’s a good idea for all of us to understand how the trojan works, simply because increased awareness reduces our risk.

Version 1

Security analysts first noticed version 1 in January 2008. Version 1 tries to take advantage of users who are attempting to download movies from a Web site. It’s the typical scam where the Web site points out that a special file or codec needs to be installed on the user’s computer in order for the movie to play. In reality, the codec is the dropper that starts the installation of the trojan and after asking the user for admin rights will install DNS Changer on the computer.

Version 1 perplexed security analysts because it was almost totally benign. It changes the DNS settings on the computer under attack and reports back to specified command and control servers, and that’s it. Still version 1 made trojan history in that it targeted Apple as well as Microsoft operating systems.

Version 2

Version 2 surfaced around July 2008 using similar drive-by dropper techniques to get installed. After being installed on a computer, version 2 attempts to determine the management username and password of any gateway routers on the network. If DNS Changer successfully determines the admin credentials, it then has access to the gateway router’s Web-based configuration.

The next step is to change the gateway router’s DNS server settings to that of the attacker’s DNS servers. After which all the computers that receive DHCP leases from the gateway router will get erroneous DNS server IP addresses, and as with version 1 any name resolution requests will be sent to the attacker’s DNS server.

This tactic has merit if you think about it. Even if the trojan is removed from the computer name, resolution remains compromised, because the gateway router continues to advertise the attacker’s DNS servers. Still, this version is losing its appeal. People are starting to understand the need to change default settings on their network-management devices, which removes version 2’s attack vector.

Version 3

Version 3 was just discovered this month, and the malware coders seem to have gotten it right this time. The trojan sets up ndisprot.sys (NDIS protocol driver) as a registered service, which in turn creates a working DHCP server on the compromised computer. The rogue DHCP server then tries to intercept DHCPDISCOVER packets from the remaining computers on the network, ultimately supplying the querying computer with DHCP responses containing IP addresses of the attacker’s DNS servers.

The trick here is for the rogue DHCP server to respond faster than the authorized DHCP server. If the DHCP client accepts the DHCP query response from the rogue DHCP server, it’s all over. The rogue DHCP server supplies an internal network IP address with a very long lease time as well as IP addresses for the attacker’s primary and secondary DNS server.

Version 3 has all sorts of implications. For example, what if a computer compromised with version 3 of DNS Changer connected to an open Wi-Fi hot spot? Any new arrivals may get erroneous DNS information from the rogue DHCP server. This variant also has a much better chance of succeeding, because it doesn’t have to try and guess default management credentials.

Thing to watch out for

SANS Internet Storm Center notes that “it’s probably wise to at least monitor traffic to to .255, if not block it.” For now this appears to be the IP address range that’s being used by the malicious DNS servers. On individual computers, the user can easily determine the IP addresses of the primary and secondary DNS servers by using the ipconfig (Windows), ifconfig (Linux), or system preferences (Mac).

As for rogue DHCP servers on the network, there are applications such as DHCP Find that locate and report all pertinent information about any clandestine DHCP servers that are on the same network.

It appears that most antivirus applications have signatures for all three versions of DNS Changer, and that’s a good thing. So, make sure your AV application is up to date. Even so, please be cautious as DNS redirection can occur even if your computer is clean.

Final thoughts

All variations of DNS Changer are in the wild, but version 3 is the one to watch out for. If possible, I’d suggest setting up the computer’s working network interface to use static IP addresses for the DNS servers. OpenDNS is highly recommended for this, and their Web site explains exactly what to do. OpenDNS also eliminates several other potential problems such as Kaminsky’s bug.

If static DNS server IP addresses aren’t an option, typical of larger networks, the monitoring of traffic destined for the to .255 subnet becomes important. Using some sort of rogue DHCP server monitor is also equally important.

Need help keeping systems connected and running at high efficiency? Delivered Monday and Wednesday, TechRepublic’s Network Administrator newsletter has the tips and tricks you need to better configure, support, and optimize your network. Automatically sign up today!