Trojan.Win32.DNSChanger

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006^[1] and later detected by McAfee Labs on April 19, 2009.^[2]

Behaviour

DNS changer trojans are dropped onto infected systems by other means of malicious software, such as TDSS or Koobface.^[3] The trojan is a malicious Windows executable file that cannot spread towards other computers. Therefore, it performs several actions on behalf of the attacker within a compromised computer, such as changing the DNS settings in order to divert traffic to unsolicited, and potentially illegal and/or malicious domains.^[2]^[1]

The Win32.DNSChanger trojan is used by organized crime syndicates to maintain click fraud. The user's browsing activity is manipulated through various means of modification (such as altering the destination of a legitimate link to then be forwarded to another site), allowing the attackers to generate revenue from pay-per-click online advertising schemes. The trojan is commonly found as a small file (+/- 1.5 kilobytes) that is designed to change the NameServer registry key value to a custom IP address or domain that is encrypted in the body of the trojan itself. As a result of this change, the victim's device would contact the newly assigned DNS server to resolve names of malicious webservers.^[4]

Trend Micro described the following behaviors of Win32.DNSChanger:

Steering unknowing users to malicious websites: These sites can be phishing pages that spoof well-known sites in order to trick users into handing out sensitive information. A user who wants to visit the iTunes site, for instance, is instead unknowingly redirected to a rogue site.
Replacing ads on legitimate sites: Visiting certain sites can serve users with infected systems a different set of ads from those whose systems are not infected.
Controlling and redirecting network traffic: Users of infected systems may not be granted access to download important OS and software updates from vendors like Microsoft and from their respective security vendors.
Pushing additional malware: Infected systems are more prone to other malware infections (e.g., FAKEAV infection).^[3]

Alternative aliases

Win32:KdCrypt[Cryp] (Avast)
TR/Vundo.Gen (Avira)
MemScan:Trojan.DNSChanger (Bitdefender Labs)
Win.Trojan.DNSChanger (ClamAV)
variant of Win32/TrojanDownloader.Zlob (ESET)
Trojan.Win32.Monder (Kaspersky Labs)
Troj/DNSCha (Sophos)
Mal_Zlob (Trend Micro)
MalwareScope.Trojan.DnsChange (Vba32 AntiVirus)

Other variants

Trojan.Win32.DNSChanger.al

F-Secure, a cybersecurity company, received samples of a variant that were named PayPal-2.5.200-MSWin32-x86-2005.exe. In this case, the PayPal attribution indicated that a phishing attack was likely.^[5] The trojan was programmed to change the DNS server name of a victim's computer to an IP address in the 193.227.xxx.xxx range.^[6]

The registry key that is affected by this trojan is:

HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\NameServer

Other registry modifications made involved the creation of the below keys:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}, DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}, NameServer = 85.255.xxx.133,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, NameServer = 85.255.xxx.xxx,85.255.xxx.xxx^[6]

References

^ ^a ^b "Trojan:Win32/Dnschanger". Microsoft Security Intelligence. December 7, 2006. Retrieved January 16, 2021.
^ ^a ^b "Virus Profile: DNSChanger". McAfee. April 19, 2009. Archived from the original on September 3, 2017. Retrieved January 16, 2021.
^ ^a ^b How DNS Changer Trojans Direct Users to Threats – Threat Encyclopedia – Trend Micro USA
^ F-Secure. "Trojan:W32/DNSChanger". Retrieved 17 December 2018.
^ Phishing attack hits PayPal subscribers | V3
^ ^a ^b News from the Lab Archive : January 2004 to September 2015

External links

How DNS Changer Trojans Direct Users to Threats by TrendMicro
FBI: Operation Ghost Click (F-Secure)
‘Biggest Cybercriminal Takedown in History’ (Brian Krebs @ krebsonsecurity.com)
Analysis of a DNSChanger file at VirusTotal

[autogenerated2-1] "Trojan:Win32/Dnschanger". Microsoft Security Intelligence. December 7, 2006. Retrieved January 16, 2021.

[autogenerated1-2] "Virus Profile: DNSChanger". McAfee. April 19, 2009. Archived from the original on September 3, 2017. Retrieved January 16, 2021.

[autogenerated4-3] How DNS Changer Trojans Direct Users to Threats – Threat Encyclopedia – Trend Micro USA

[F-Secure-4] F-Secure. "Trojan:W32/DNSChanger". Retrieved 17 December 2018.

[5] Phishing attack hits PayPal subscribers | V3

[autogenerated3-6] News from the Lab Archive : January 2004 to September 2015

[1]

[2]

[3]

[4]

[5]

[6]

Behaviour

Alternative aliases

Other variants

See also

References

External links