DNSChanger trojan — the scam

I don’t know of many pieces of malware that have caused as many headaches as the DNSChanger trojan.

Briefly, beginning in 2007, a cybercrime group based in Estonia, a former Soviet republic, started to spread malware called DNSChanger, sniffing out some financial gain. The spread began by tricking unaware users into downloading and running a video codec (fake, of course) or a special web browser (NetBrowserPro) that supposedly helped them watch online porn movies. Once a computer is infected, the malware tries to change the DNS settings of the compromised system, and of home or small-office routers if the default username and password used to configure them have not been changed. Malware variants were created for both Windows and Mac OS X; the first report of the malware infecting Macs dates from 2007.

DNS (Domain Name System) translates domain names (website names) into the IP addresses computers use to connect to each other. The DNS service is maintained by DNS servers, which store data about domains and their corresponding IP addresses, so the first thing a computer does when it tries to reach a website is request its IP address from a DNS server. Each computer or router stores the IPs of several DNS servers for quick access, so replacing the legitimate DNS server IPs with malicious addresses managed by cybercriminals obviously leads to a total alteration of web browsing.

In our case, the DNS servers used by DNSChanger redirected users to malicious websites, served them modified search engine results favoring websites with rogue software offers in nefarious advertising campaigns, blocked security companies’ websites, making antivirus updates impossible, and so on.

The DNSChanger trojan was quickly improved; the new variants gained rootkit features and could extend the infection chain down to the MBR (Master Boot Record, the first code that runs when the computer boots) in order to hide their presence on the system and make disinfection very difficult.

In November 2011, the FBI, after two years !?! of investigation, arrested and charged the heads of this criminal operation, six Estonian guys, in the so-called Operation Ghost Click. Because at that date there were millions of infected computers worldwide, an estimated 500,000 of them in the United States, including at half of the Fortune 500 companies and some of the major US government agencies, the FBI’s “quick fix” was to put legitimate DNS servers on the DNS IP addresses previously used by the criminals, so that the browsing experience of the infected users was normalized. It is important to mention that this “quick fix” DNS server replacement was ordered by a federal court as a temporary solution, to give the victims enough time to disinfect their computers and restore the original DNS settings.

Though the federal court decided to keep the temporary DNS servers up until March 8th, a US District Court (New York) on March 5th extended the deadline to July 9th, so 120 days more. The reason? Obviously, the victims, some among the Fortune 500 companies and some among US government agencies, shamefully failed to disinfect their computers.

OK, this is the story; where is the scam? Any major event in this world (remember the Japan earthquake or Royal Wedding scams?) feeds the scammers, and the DNSChanger deadline is no exception. One of my collaborators told me about an email he received, apparently sent by the ISP Comcast:

Dear Comcast user,

Our logs show an unusual traffic generated by devices at your IP address. The DNS requests generated by your IP address are a sign of computer infection with Alureon(aka DNSChanger) malware and we urge you to take immediate action to disinfect your computer(s) from your network, otherwise we are forced to shut down the Internet service for you.

We recommend to use the official tool provided in the attachment to remove the computer infection and restore the legitimate DNS settings.

Comcast Support Team

The weird coincidence is that my collaborator is indeed a Comcast customer, but he is aware of the DNSChanger infections and had previously checked his network (a wireless router, a desktop computer and a laptop make up his home network) for malicious DNS settings and found none.

My collaborator took the investigation further because the email looked suspicious to him, and downloaded the attachment, at which point his antivirus raised a big red alert, detecting a variant of the Zlob trojan, another name for the DNSChanger malware. Ironically, someone with a presumably clean computer who is tricked by such a scam email may be led to infect his computer himself. Of course, checking the email headers reveals the real sender, which in our case was obviously not the Comcast internet provider. The email did, however, contain the Comcast logo in the upper left corner, trying to deceive users.

What does a legitimate Comcast email about a DNSChanger infection look like? Here it is:

[Image: Comcast email, DNSChanger infection]

 

Be aware of these scam emails, which are starting to circulate, and always check the real email sender carefully before opening a message. If you open an email that contains a link, hovering the mouse over it will reveal the real address in the browser’s bottom bar. Use only the legitimate websites to check your DNS settings. What should you do if you are infected with the DNSChanger malware? If you are unsure, the best option is to ask an expert, but don’t hurry to pay anyone. If you are well informed, you can perform the malware disinfection yourself.

Very important: remember that correcting your DNS settings does not remove the infection, so the malware itself still needs to be removed.

The offending netblocks (DNS servers):

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
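
One way to check a machine's configured resolvers against the netblocks listed above, as an added example that is not part of the original post. It assumes the DNS settings are available as resolv.conf-style text; the sample input and the function names are constructed for illustration.

```python
import ipaddress
import re

# Rogue DNS ranges exactly as listed in this post ("first through last").
ROGUE_RANGES = """\
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
"""

# Constructed sample input (not from a real host): one resolver inside a
# listed range, one ordinary home-router address, one commented-out entry.
SAMPLE_RESOLV_CONF = """\
# nameserver 67.210.0.5
nameserver 85.255.116.23
nameserver 192.168.1.1
"""

def load_netblocks(text):
    """Turn 'first through last' lines into CIDR networks."""
    nets = []
    for line in filter(str.strip, text.splitlines()):
        first, last = (ipaddress.IPv4Address(p.strip()) for p in line.split("through"))
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets

def configured_resolvers(resolv_conf_text):
    """Extract active 'nameserver' entries; commented lines do not match."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf_text, re.MULTILINE)

def rogue_resolvers(resolvers, nets):
    """Return (resolver, netblock) for each resolver inside a listed range."""
    hits = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            continue  # hostname or garbage, not an IP literal
        hits += [(r, str(n)) for n in nets if addr.version == 4 and addr in n]
    return hits

if __name__ == "__main__":
    nets = load_netblocks(ROGUE_RANGES)
    for ip, block in rogue_resolvers(configured_resolvers(SAMPLE_RESOLV_CONF), nets):
        print(f"ALERT: resolver {ip} is inside DNSChanger netblock {block}")
```

The same comparison applies to the DNS servers configured on the router, since the malware also rewrites router settings when the default credentials are still in place.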

DNSChanger related useful links:

–FBI article related to Operation Ghost Click and DNSChanger malware:

 http://www.fbi.gov/news/stories/2011/november/malware_110911

 http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

–DNSChanger Working Group:

http://dcwg.org/cleanup.html

–Kaspersky DNSChanger removal tool(TDSSKiller):

 http://support.kaspersky.com/faq/?qid=208283363

–Avira DNS Repair-Tool:

 http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199

–Trojan:W32/DNSChanger details:

 http://www.f-secure.com/v-descs/dnschang.shtml

 http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=DNSchanger&showall=true&CBF=true&sortby=relevance&sortdir=desc&size=10&page=5

–Very detailed article about DNSChanger malware:

 http://www.publicsafety.gc.ca/prg/em/ccirc/2011/in11-002-eng.aspx

–Check your DNS settings online:

http://www.dns-ok.us/

http://www.dns-ok.ca/

http://www.dns-ok.de/

–DNSChanger on Mac (Published: 2007-11-01):

http://isc.sans.edu/diary.html?storyid=3595

–DNSChanger removal tool for Mac:

http://www.dnschanger.com/ 

– How the malware spreading started:

http://news.cnet.com/8301-10784_3-6171460-7.html?part=rss&tag=2547-1_3-0-20&subj=news 

Keep safe !

 

 

 
