Feeds

World's stealthiest rootkit pushes DNS hijacking trojan

DNS Changer dropped by TDSS

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

One of the world's most advanced pieces of malware is being used to spread DNS Changer, a trojan at the heart of a massive click fraud scheme that has already hijacked 4 million PCs, security researchers said.

Just a few days after federal prosecutors in the US shuttered the international conspiracy, researchers from Dell SecureWorks said they discovered DNS Changer is being spread by TDSS. The rootkit, as previously reported, is among the hardest to detect and remove and is often used as a means to install keyloggers, tools for attacking websites, and other malware.

Once installed, DNS Changer is able to alter the DNS, or domain name system, settings that computers and routers use to find the IP numbers that correspond to domain names such as theregister.co.uk and google.com. By replacing legitimate DNS servers with servers under the control of the attackers, they are able to send victims to fraudulent websites instead of the destinations the victims intended to visit.

Last week, seven people from Estonia and Russia were criminally charged in a scam that for more than five years used DNS Charger to generate more than $14 million in profit. They racked up the windfall by redirecting victims to imposter websites that paid advertising fees to the attackers each time they were clicked on. The scheme preyed on users of computers running Microsoft Windows and Apple OS X operating systems. DNS Changer is also able to change DNS configuration settings in certain routers, particularly when they use default usernames and passwords.

The ability of TDSS to evade antivirus protection and other security software is well documented. The rootkit, which is also known as TDL4 and Aleureon, is among the world's most advanced, with the ability to infect 64-bit versions of Windows, infect a computer's master boot record, and communicate over the Kad peer-to-peer network. It's newest payload means that victims now have an easy way to tell if they are infected.

"The real danger of a DNS Changer infection is that it is an indicator that your system is infected with a larger malware cocktail with malware such as Rogue AV, Zeus Banking Trojan, Spam Bot, etc." an emailed report from Dell SecureWorks stated. "Controlling DNS literally gives an attacker complete access to a system."

End users who want to know if their systems are infected should check the DNS server settings of their operating system and routers. Compromised systems will show server IP addresses within the following ranges:

85.255.112.0 through 85.255.127.255

67.210.0.0 through 67.210.15.255

93.188.160.0 through 93.188.167.255

77.67.83.0 through 77.67.83.255

213.109.64.0 through 213.109.79.255

64.28.176.0 through 64.28.191.255

To check DNS settings on Windows open a command prompt and type "ipconfig /all" and then check the DNS Server field. On a Mac, choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.

FBI officials said 4 million PCs were infected by the DNS Changer used in the operation that was shut down last week. The Dell SecureWorks report said researchers aren't sure if that number is accurate. Researchers monitoring the command and control servers used in the attack are seeing about 600,000 unique IP addresses connect per day. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.