
DNSChanger Malware


Are your PCs still infected with the trojan that affected many of the Fortune 500 companies?

Are you still not sure if you are affected or not?

What is this DNSChanger malware?

This article is all about it. Never say "I won't get affected" or "my PC or Mac looks good, no issues!" You will be surprised. As I said in the beginning, even Fortune 500 companies and the FBI were in trouble with this nasty code.

This article is written at a 200 to 300 level. Look at the bold headers and, if you already know the topic, skip to the next section.

DNS (Domain Name System)

DNS is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.

For example, the domain name www.erdalozkaya.com translates to the addresses 173.231.15.143 (IPv4) and 2620:0:2d0:200::10 (IPv6). (http://en.wikipedia.org/wiki/Domain_Name_System)

DNSChanger Malware

Hackers and cybercriminals wrote this malware to use a social engineering technique to make users download a program carrying malicious code. They offer cracked software, a free e-book or a codec and wrap the offered item with the trojan. As soon as the trojan is loaded onto the PC or Mac, it changes the system's DNS settings to the attacker's IP addresses. All of this happens while the user is happy to get "free stuff". The communication between the victim's PC and the attacker takes place over HTTP POST messages.

What is a Wrapper?

A wrapper binds a trojan executable to an innocent-looking .EXE application such as a game or an office app, so the victim runs both when launching what looks like a normal program.

What Does DNSChanger Do to My Computer?
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways.

1) As described above, it changes the computer's DNS server settings to replace the ISP's legitimate DNS servers with rogue DNS servers operated by the criminals.

2) It attempts to access devices on the victim's small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (e.g. a router or home gateway). The malware attempts to log in to these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices hand out from the ISP's legitimate DNS servers to rogue DNS servers operated by the criminals. This change can affect all computers on the SOHO network, even those that are not infected with the malware.

Am I Infected?

image

Image source: FBI

Check these basic steps:

1) Open "Command Prompt"

– by typing cmd into the Start menu search box


or

Start – All Programs – Accessories – Command Prompt

This opens the prompt:

image

Type "ipconfig /all"

and check the "DNS Servers" entries for each adapter.


or

You can also find your DNS servers without using the command prompt. Simply click

Start – Control Panel – Network and Internet – View network status and tasks


From here click:

Local Area Connection (or Wireless Network Connection)


Click "Details" and read the "IPv4 DNS Server" entries.


For systems other than Windows 7

Windows XP:

Click on Start and select My Network Places. Then select Network Connections.

Apple computer:

Click on the Apple in the top left corner and choose System Preferences. Then, from the Apple System Preferences window, choose Network.

NOW WHAT?

As soon as you find your DNS IP addresses, compare them with your ISP's DNS addresses. If you don't know what your ISP's DNS addresses are, compare them with the list of ROGUE DNS SERVERS below.

image

The rogue DNS servers include, but are not limited to, these addresses:
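The comparison described above can be automated: paste the "ipconfig /all" output into a script and check every DNS server against the rogue ranges. This is an added example, not code from the original article; the sample output is constructed, and because the article's list of rogue addresses is only an image, the ranges below are a placeholder to be replaced with the real list.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" output (not captured from a real host).
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 2001:db8::53
                                       203.0.113.53
                                       198.51.100.200
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# PLACEHOLDER ranges standing in for the published rogue DNS list, which the
# article shows only as an image. Substitute the real ranges here.
ROGUE_DNS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def extract_dns_servers(ipconfig_output):
    """Return every DNS server address listed in ipconfig /all output.

    Only the first server is on the labelled line; further servers follow on
    unlabelled continuation lines, so keep collecting until a line no longer
    parses as an address (that is the next labelled field)."""
    servers = []
    collecting = False
    for line in ipconfig_output.splitlines():
        if re.match(r"\s*DNS Servers", line):
            collecting = True
            candidate = line.split(":", 1)[1]
        elif collecting:
            candidate = line
        else:
            continue
        candidate = candidate.strip().split("%")[0]  # drop an IPv6 scope id
        try:
            servers.append(ipaddress.ip_address(candidate))
        except ValueError:
            collecting = False
    return servers


def find_rogue_dns(servers, rogue_ranges=ROGUE_DNS_RANGES):
    """Return the servers that fall inside any rogue range."""
    return [s for s in servers if any(s in net for net in rogue_ranges)]
```

Any address returned by find_rogue_dns means the machine (or the router handing out DNS via DHCP) has been changed and needs cleaning.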

ROGUE DNS SERVERS

A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites. Most users depend on DNS servers automatically assigned by their ISPs. Zombie computers use DNS-changing trojans to invisibly switch the automatic DNS server assignment by the ISP to a manual DNS server assignment pointing at rogue DNS servers. When users try to visit websites, they are instead sent to a bogus website. This attack is termed pharming. If the site they are redirected to is a malicious website masquerading as a legitimate one in order to fraudulently obtain sensitive information, it is termed phishing.

Source: Wikipedia

image


Important

If you are unable to check any of these settings, call an IT pro.

Check your MODEM or ROUTER, too.

The DNSChanger malware is capable of changing the DNS server settings within routers that still have the default username and password provided by the manufacturer. If you did not change the default password at the time the router was installed, you must check the router's DNS settings as well.

The default username and password of your home or small business router can be found at

www.defaultpassword.com

HOW TO DETECT TROJANS?

The image below is from EC-Council's popular "Certified Ethical Hacker v7.1" class.

image

What else can be done?

Since trojans open otherwise unused ports on the victim's computer to connect back to their handlers, it is a good idea to check the connections established between your machine and the network.

For this you can use "netstat -an" or a trojan detector program.

To use the netstat command, simply open Command Prompt and type netstat -an

image

and check whether any of the common ports used by trojans are open (LISTENING) on your system, or whether there are ESTABLISHED connections to foreign addresses you do not recognise.
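The netstat review above can also be scripted: parse the "netstat -an" output into rows, list the ports the machine is listening on, and flag any that appear on a port watchlist. This is an added example, not code from the original article; the netstat output is constructed, and since the article's table of common trojan ports is an image, the watchlist is a placeholder with a single constructed entry.

```python
# Constructed sample of "netstat -an" output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49721     203.0.113.9:80         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

# PLACEHOLDER watchlist standing in for the article's table of common trojan
# ports (shown only as an image); 31337 is a constructed sample entry.
WATCHLIST_PORTS = {31337}


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). IPv6 hosts are bracketed and
    contain colons, so split on the last colon; UDP rows print '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def parse_netstat(output):
    """Return one dict per connection row, skipping banner and header lines."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = split_endpoint(parts[1])
        foreign_host, foreign_port = split_endpoint(parts[2])
        rows.append({"proto": parts[0], "local_host": local_host,
                     "local_port": local_port, "foreign_host": foreign_host,
                     "foreign_port": foreign_port,
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows


def listening_ports(rows):
    """Distinct TCP ports in LISTENING state, sorted."""
    return sorted({r["local_port"] for r in rows if r["state"] == "LISTENING"})


def flag_watchlisted(rows, watchlist=WATCHLIST_PORTS):
    """Rows whose local or foreign port is on the watchlist."""
    return [r for r in rows
            if r["local_port"] in watchlist or r["foreign_port"] in watchlist]


def established_remote(rows):
    """Remote endpoints the machine currently has sessions with."""
    return [(r["foreign_host"], r["foreign_port"]) for r in rows
            if r["state"] == "ESTABLISHED"]
```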

What are the common ports used by Trojans?

image

How to remove DNSChanger from your system?

Trojan.DNSChanger is a trojan that makes Internet Explorer open slowly and redirects valid links to malicious or advertising links. To remove Trojan.DNSChanger, please follow the directions below.

  • Update your anti-virus definitions
  • Scan your system for infections
  • Make sure the files below no longer exist on your system after the scan. Files involved in this infection:
    C:\Windows\System32\msliksurdns.dll
    C:\Windows\System32\msliksurcredo.dll
    C:\Windows\System32\Drivers\msliksurserv.sys

Some free and good anti-virus programs that you can use:

Microsoft Security Essentials

http://windows.microsoft.com/en-US/windows/products/security-essentials

Comodo Free

http://www.comodo.com

DNSChanger in the news:

Sydney Morning Herald

http://www.smh.com.au/it-pro/security-it/global-companies-still-harbour-trojan-20120210-1salx.html

FBI

http://www.fbi.gov/news/stories/2011/november/malware_110911
