Q&A: The DNSChanger Trojan

Christoph Alme is the Principal Engineer and Team Lead of anti-malware research at Secure Computing Corporation. He is the inventor of several patent-pending key technologies in the field of proactive malware detection. In this interview he discusses a new variant of the DNSChanger Trojan.

What are the characteristics of the recently discovered new variant of the DNSChanger Trojan?
The new DNSChanger Trojan now conducts brute-force attacks against the administration web interface of popular routers. The malware performs a “dictionary attack” based on a list of hardcoded credentials, consisting of the web interface URLs of popular routers (such as those from vendors D-Link, Linksys and others) and their default user names and passwords. This poses a great security risk for those users who do not change their router’s factory default settings. The Trojan tries one combination approximately every 100 milliseconds, which makes 600 combinations per minute.

Once DNSChanger has successfully brute-force cracked the credentials, it has access to all the settings and functions provided by the router. It will change its DNS server settings in order to send all DNS queries to the attackers’ DNS servers located in the Ukraine. From there, they can then flexibly redirect all your Internet traffic in whatever way they want.

What makes this Trojan stand out from the vast number of other malware discovered daily?
It’s the first major malware family seen in the wild that also attacks networking hardware. “Major” malware family, because it is quite prevalent and we believe DNSChanger to be related to the Zlob malware family – one of the most prevalent families out there today. Zlob is well-known for its infamous “missing codec” trick: they advertise adult content to visitors, but in order to view the videos, you’re told you need to install a missing video codec first. The executable that you get to install is anything but a video codec.

In contrast to previous variants, this latest DNSChanger not only affects the infected PC itself, but also tries to alter the DNS settings on the router. Once this is successful, all traffic going through this router can be redirected by the attackers. That is, other PCs that have not been infected by the malware directly, but go through the same (compromised) router, will also become affected. In turn, cleaning the infected PC is not enough to get rid of the pest – victims will need to reset the DNS settings in their router, too.

How can an individual discover the DNSChanger Trojan on his system?
First, an up-to-date Anti-Virus engine needs to be in place. Our Secure Anti-Malware engine, for example, blocks this threat proactively as “Trojan.Dropper.Dldr.DNSChanger.Gen” already at the network perimeter. Next, users must not deploy routers, broadband modems or other networking equipment that comes with an administrative web interface, without changing the default password first.

A typical sign of infection with DNSChanger is that the DNS and DHCP servers are pointing to the IP address range 85.255.*.*. Another sign of infection is that non-existent domain names are being resolved by the malicious DNS servers. Potentially infected users can try to browse to a fictitious domain that doesn’t exist.
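The two indicators above (resolver addresses in 85.255.*.* and a fictitious name that still resolves) can be checked from a Windows host with a short script. This is an added example, not code from the interview or from Secure Computing; the `ipconfig /all` sample is constructed, and the `resolve` callable is injected so the check also runs offline.

```python
import ipaddress
import re
import socket

# Address range the interview names as the typical sign of a DNSChanger infection.
DNSCHANGER_RANGE = ipaddress.ip_network("85.255.0.0/16")

# Constructed sample of `ipconfig /all` output for an infected-looking host (not a real capture).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.48
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def servers_from_ipconfig(output):
    """Return (field, address) pairs for the DHCP Server and DNS Servers fields."""
    found, collecting = [], False
    for line in output.splitlines():
        stripped = line.strip()
        m = re.match(r"(DHCP Server|DNS Servers)[ .]*:\s*(\S+)?", stripped)
        if m:
            collecting = m.group(1) == "DNS Servers"  # later DNS servers continue on bare lines
            if m.group(2):
                found.append((m.group(1), m.group(2)))
        elif collecting and re.fullmatch(r"[0-9.]+", stripped):
            found.append(("DNS Servers", stripped))
        else:
            collecting = False
    return found

def flag_dnschanger_servers(entries):
    """Keep only entries whose address lies inside 85.255.0.0/16 (IPv6 never matches)."""
    flagged = []
    for field, addr in entries:
        try:
            if ipaddress.ip_address(addr) in DNSCHANGER_RANGE:
                flagged.append((field, addr))
        except ValueError:
            continue  # token is not an IP address at all
    return flagged

def bogus_name_resolves(resolve, name="nonexistent-dnschanger-check.invalid"):
    """A healthy resolver fails for a fictitious name; getting an answer is a warning sign.
    `resolve` is any callable such as socket.gethostbyname (raises OSError on failure)."""
    try:
        resolve(name)
    except OSError:
        return False
    return True

if __name__ == "__main__":
    for field, addr in flag_dnschanger_servers(servers_from_ipconfig(SAMPLE_IPCONFIG)):
        print(f"WARNING: {field} {addr} is inside {DNSCHANGER_RANGE}")
    if bogus_name_resolves(socket.gethostbyname):
        print("WARNING: a fictitious domain name resolved; DNS may be hijacked")
```

Both findings must also be checked on the router's own configuration page, since a clean PC behind a compromised router will keep receiving the rogue servers via DHCP.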

With the constant evolution of this kind of threat, what kind of technology challenges does the industry face?
Attackers have an affinity for the weakest link. As Microsoft products become more secure in general, attackers are now additionally targeting other alternative software and file formats commonly used on desktop computers. For example, we’re seeing more attacks exploiting vulnerabilities in Flash videos or PDF documents today.

DNSChanger had also been the first major malware family to be ported to the MacOS X platform just half a year ago, thereby underlining how this is becoming an “attractive” platform for malware authors, too. And now they have added routers to their targets, which is yet another frightening move.