DNSChanger Malware

Category: Malware
By Erdal, 2021-09-13

Are your PCs still infected with the trojan that hit many Fortune 500 companies?

Are you still not sure whether you are affected?

What is the DNSChanger malware?

This article is all about that. Never say "I won't get infected" or "my PC/Mac looks fine, no issues!" You will be surprised. As mentioned at the beginning, even Fortune 500 companies were hit, and the FBI itself had to get involved with this nasty code.

This article is written at a 200–300 level. Look at the bold headers and, if you already know a topic, skip to the next section.

DNS (Domain Name System)

DNS is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.

For example, the domain name www.erdalozkaya.com translates to the addresses 173.231.15.143 (IPv4) and 2620:0:2d0:200::10 (IPv6). (http://en.wikipedia.org/wiki/Domain_Name_System)

DNSChanger Malware

The cybercriminals behind this malware used a social engineering technique to get users to download a program carrying the malicious code. They offered cracked software, free e-books or video codecs and wrapped the offered item together with the trojan. As soon as the trojan loads on the PC or Mac, it changes the system's DNS settings to point at the attacker's servers, all while the user is happy to have got "free stuff". The communication between the victim's PC and the attacker takes place over HTTP POST messages.

What is a wrapper?

A wrapper binds a trojan executable to an innocent-looking .EXE application such as a game or an office app. Running the wrapped program runs both.

What Does DNSChanger Do to My Computer?

DNSChanger malware causes a computer to use rogue DNS servers in one of two ways.

1) As described above, it changes the computer's DNS server settings, replacing the ISP's legitimate DNS servers with rogue DNS servers operated by the criminals.

2) It attempts to access devices on the victim's small office/home office (SOHO) network that run a Dynamic Host Configuration Protocol (DHCP) server (e.g. a router or home gateway). The malware tries to log in to these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP's legitimate DNS servers to rogue DNS servers operated by the criminals. This change can affect every computer on the SOHO network, even those that are not themselves infected with the malware.

Am I Infected?

[Image source: FBI]

Check these basic steps:

1) Open "Command Prompt"

– by typing cmd into the Start menu search box

or

– Start – All Programs – Accessories – Command Prompt

This opens a command prompt window.

Type

ipconfig /all

and check the "DNS Servers" line under each network adapter. (The switch is /all, with a forward slash.)

or

You can also look up your DNS servers without using the command prompt. Simply click

Start – Control Panel – Network and Internet – View network status and tasks

From here click:

Local Area Connection (or Wireless Network Connection)

Click Details and read the IPv4 DNS server entries.

For systems other than Windows 7:

– Windows XP:

Click on Start and select My Network Places. Then select Network Connections.

Apple computer:

Click on the Apple in the top left corner and choose System Preferences. Then, from the Apple System Preferences window, choose Network.

NOW WHAT?

Once you have found your DNS server IP addresses, compare them with your ISP's DNS addresses. If you don't know what your ISP's DNS servers are, compare them with the list of ROGUE DNS SERVERS below.

One caveat: if the DNS server shown is a private address such as 192.168.x.x or 10.x.x.x, your computer is asking your router to resolve names for it, and this check tells you nothing about where the router forwards those queries. In that case you must also check the router itself (see "Check your MODEM or ROUTER, too" further down).

[Image: list of rogue DNS server address ranges published by the FBI]

*** The rogue DNS servers include, but are not limited to, the addresses in that list.

ROGUE DNS SERVERS

A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites. Most users depend on DNS servers automatically assigned by their ISPs. Zombie computers use DNS-changing trojans to invisibly switch the automatic DNS server assignment by the ISP to manual DNS server assignment from rogue DNS servers. When users try to visit websites, they are instead sent to a bogus website. This attack is termed pharming. If the site they are redirected to is a malicious website, masquerading as a legitimate website, in order to fraudulently obtain sensitive information, it is termed phishing.

Source: Wikipedia
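To do the comparison above without eyeballing addresses, here is an added example that is not from the original post or from the FBI: a Python script that parses the output of ipconfig /all, extracts the "DNS Servers" entries for each adapter and classifies each server as rogue (inside one of the address ranges the FBI published for the DNSChanger servers), private (a LAN address, almost always the router, so the check has to be repeated on the router) or public. The ipconfig output embedded in the script is constructed; the ROGUE_RANGES list is my transcription of the FBI ranges and should be verified against the FBI's own list before you rely on it; and the local_dns_servers helper for reading the live machine is an assumption about where each platform keeps its resolvers.

```python
"""Check configured DNS servers against the DNSChanger rogue ranges.

Added example. Parses `ipconfig /all` output (Windows) or /etc/resolv.conf
(macOS/Linux). SAMPLE_IPCONFIG below is constructed, not real output.
"""
import ipaddress
import platform
import re
import subprocess

# Address ranges the FBI published for the DNSChanger servers (my transcription;
# verify against the FBI's list before relying on it).
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# Constructed sample of `ipconfig /all` output: the wired adapter points at the
# home router (a private address), the wireless adapter at two rogue servers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)
   DNS Servers . . . . . . . . . . . : 85.255.113.2
                                       85.255.112.250
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER_RE = re.compile(r"^\S.*:\s*$")            # "Ethernet adapter X:" (not indented)
FIELD_RE = re.compile(r"^\s+(?P<label>[A-Za-z][^.:]*?)\s*(?:\.\s*)+:\s*(?P<value>.*)$")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def parse_ipconfig(text):
    """Return {adapter_name: [dns_server, ...]} from `ipconfig /all` output.

    A "DNS Servers" field may be followed by continuation lines that hold only
    an address, so collection continues until the next labelled field or a
    blank line. Only IPv4 servers are collected.
    """
    adapters = {}
    current = None
    in_dns = False
    for line in text.splitlines():
        if ADAPTER_RE.match(line):
            current = line.strip().rstrip(":").strip()
            adapters[current] = []
            in_dns = False
            continue
        field = FIELD_RE.match(line)
        if field:
            in_dns = field.group("label").strip() == "DNS Servers"
            if in_dns and current is not None:
                adapters[current].extend(IPV4_RE.findall(field.group("value")))
            continue
        if in_dns and current is not None:
            adapters[current].extend(IPV4_RE.findall(line))
        elif not line.strip():
            in_dns = False
    return adapters


def classify(ip):
    """'rogue' if inside a DNSChanger range, 'private' for a LAN address
    (usually the router, so repeat the check on the router), else 'public'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue"
    if addr.is_private:
        return "private"
    return "public"


def check_dns(adapters):
    """Return {adapter: [(server, verdict), ...]} for every configured server."""
    return {name: [(ip, classify(ip)) for ip in servers]
            for name, servers in adapters.items()}


def local_dns_servers():
    """Collect the live machine's resolvers (assumption: Windows via
    `ipconfig /all`, macOS/Linux via /etc/resolv.conf). Not used offline."""
    if platform.system() == "Windows":
        out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                             text=True, check=True).stdout
        return parse_ipconfig(out)
    with open("/etc/resolv.conf") as fh:
        servers = [l.split()[1] for l in fh
                   if l.startswith("nameserver") and len(l.split()) > 1]
    return {"resolv.conf": [s for s in servers if IPV4_RE.fullmatch(s)]}


if __name__ == "__main__":
    for adapter, verdicts in check_dns(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        for server, verdict in verdicts:
            print(f"{adapter}: {server} -> {verdict}")
```

Run as-is it reports the embedded sample (one "private" verdict for the wired adapter, two "rogue" verdicts for the wireless one); swap parse_ipconfig(SAMPLE_IPCONFIG) for local_dns_servers() to inspect the machine you are sitting at. A "private" verdict is not a clean bill of health: it means the router answers your queries, and the router's own WAN DNS setting has to be checked next.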


Important

If you are unable to check any of these settings, call an IT pro.

Check your MODEM or ROUTER, too.

The DNSChanger malware is capable of changing the DNS server settings inside routers that still use the default username and password provided by the manufacturer. If you did not change the default password when the router was installed, you must check the router's settings: log in to its administration page, look at the DNS servers configured on the WAN/Internet side, and compare them with your ISP's. While you are there, change the default password, because that default password is exactly what the malware relies on.

Your home or small business router's default username and password can be found at

www.defaultpassword.com

HOW TO DETECT TROJANS?

[Image: slide from EC-Council's "Certified Ethical Hacker v7.1" class on detecting trojans]

What else can be done?

Since a trojan opens ports on the victim's computer to connect back to its handler, it is a good idea to check the connections established between your machine and the network.

For this you can use "netstat -an" or a trojan-detection tool.

To use the netstat command, simply open Command Prompt and type netstat -an

Adding the -o switch (netstat -ano) shows the process ID that owns each connection, and netstat -anob (run as administrator) shows the executable name as well. That is far more useful than the port number alone, because a trojan can listen on, or connect out to, any port it likes.

Then check whether any of the common ports used by trojans are open on your system.

What are the common ports used by Trojans?

[Image: table of common ports used by trojans]
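As an added example that is not part of the original post, the script below parses Windows netstat -ano output (netstat -an plus a PID column; netstat -an output without the column is handled too) and flags the two things a practitioner actually looks for: listening TCP ports outside a per-host allowlist, and established connections to public addresses. Established connections to ports 80 and 443 are normal for a browser, so the value of a finding lies in the PID, which you map to a process with tasklist. The netstat output in the block is constructed, EXPECTED_LISTEN is an assumed allowlist for the host, and the flagging rules are my choice, not a DNSChanger signature.

```python
"""Parse Windows `netstat -ano` output and pick out connections worth a look.

Added example. SAMPLE_NETSTAT is constructed, not captured from a real host.
"""
import ipaddress

# Constructed sample: one unexpected listener (31337) and one outbound HTTP
# connection, both owned by the same PID, plus ordinary system listeners.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2764
  TCP    192.168.1.10:49712     85.255.113.2:80        ESTABLISHED     2764
  TCP    192.168.1.10:49720     93.184.216.34:443      ESTABLISHED     1516
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:5355           *:*                                    1200
"""

# Ports this host is expected to listen on (assumed allowlist; tailor per host).
EXPECTED_LISTEN = {135, 139, 445, 5355}


def split_endpoint(endpoint):
    """'192.168.1.10:49712' -> ('192.168.1.10', 49712);
    '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection line. TCP lines carry a state column,
    UDP lines do not; the PID column is present only with -o."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "TCPv6", "UDP", "UDPv6"):
            continue  # header, blank line or "Active Connections"
        proto, local, foreign = parts[0], parts[1], parts[2]
        rest = parts[3:]
        state = rest.pop(0) if proto.startswith("TCP") and rest else None
        pid = int(rest[0]) if rest and rest[0].isdigit() else None
        conns.append({
            "proto": proto,
            "local": split_endpoint(local),
            "foreign": split_endpoint(foreign),
            "state": state,
            "pid": pid,
        })
    return conns


def flag_connections(conns, expected_listen=EXPECTED_LISTEN):
    """Return (reason, conn) pairs for:
    - a listening TCP port that is not in the expected set
    - an established connection to a public (globally routable) address
    Use the PID to identify the owner: tasklist /fi "PID eq <pid>"."""
    findings = []
    for c in conns:
        if c["state"] == "LISTENING" and c["local"][1] not in expected_listen:
            findings.append(("unexpected listening port", c))
        elif c["state"] == "ESTABLISHED":
            try:
                addr = ipaddress.ip_address(c["foreign"][0])
            except ValueError:
                continue  # '*' or another non-address placeholder
            if addr.is_global:
                findings.append(("established connection to public address", c))
    return findings


if __name__ == "__main__":
    for reason, c in flag_connections(parse_netstat(SAMPLE_NETSTAT)):
        lhost, lport = c["local"]
        fhost, fport = c["foreign"]
        print(f"{reason}: {c['proto']} {lhost}:{lport} -> {fhost}:{fport} "
              f"state={c['state']} pid={c['pid']}")
```

On the sample this reports port 31337 and the two established connections; the interesting signal is that the 31337 listener and the outbound port-80 connection share a PID, which is what you would then look up with tasklist. To run it against a live Windows host, feed it the output of netstat -ano instead of SAMPLE_NETSTAT; note that the parser expects Windows column order, not Linux netstat.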

How to remove DNSChanger from your system?

Trojan.DNSChanger is a trojan that makes Internet Explorer open slowly and redirects valid links to malicious or advertisement links. To remove Trojan.DNSChanger, follow the directions below.

  • Update your antivirus definitions
  • Scan your system for infections
  • Make sure the files below no longer exist on your system after the scan. Files involved in this infection:
    C:\Windows\System32\msliksurdns.dll
    C:\Windows\System32\msliksurcredo.dll
    C:\Windows\System32\Drivers\msliksurserv.sys
  • Check the DNS settings again afterwards. Removing the trojan's files does not by itself put the DNS servers back; set them to obtain automatically (or to your ISP's servers) and repeat the router check.

Some free and good antivirus products you can use:

Microsoft Security Essentials (for Windows 7 and earlier; on Windows 8 and later, Microsoft Defender is built in)

http://windows.microsoft.com/en-US/windows/products/security-essentials

Comodo Free

http://www.comodo.com

DNSChanger in the news :

Sydney Morning Herald

http://www.smh.com.au/it-pro/security-it/global-companies-still-harbour-trojan-20120210-1salx.html

FBI

http://www.fbi.gov/news/stories/2011/november/malware_110911
