How DNS Changer Trojans Direct Users to Threats

Written by: Oscar Celestino Angelo Abendan ll

What is a DNS?

DNS stands for "Domain Name System." It is the Internet standard for assigning IP addresses to domain names. A DNS acts like a phone book that translates human-friendly host names to PC-friendly IP addresses.

It is typical for users to automatically use a DNS server operated by their own ISPs. Some users, however, choose to use third-party DNS servers for different reasons. ISP-operated DNS servers can be slow or unreliable, which is why third-party ones are preferred.

What is a DNS changer Trojan?

DNS changer Trojans are malware designed to modify infected systems' DNS settings without the users' knowledge nor consent. Once modified, systems use foreign DNS servers, which are usually set up by cybercriminals. Users with infected systems who try to access certain sites are instead redirected to possibly malicious sites.

How does a DNS changer Trojan work?

DNS changer Trojans are dropped onto systems by other malware such as TDSS and KOOBFACE. Once installed, DNS changer Trojans silently modify infected systems' DNS settings. Cybercriminals do this so victims would use foreign DNS servers instead of the ones provided by their ISPs. They set up DNS servers to resolve certain domains to malicious IP addresses.

Modifying systems' DNS settings allows cybercriminals to perform malicious activities like:

  • Steering unknowing users to bad sites: These sites can be phishing pages that spoof well-known sites in order to trick users into handing out sensitive information. A user who wants to visit the iTunes site, for instance, is instead unknowingly redirected to a rogue site.
  • Replacing ads on legitimate sites: Visiting certain sites can serve users with infected systems a different set of ads from those whose systems are not infected.
  • Controlling and redirecting network traffic: Users of infected systems may not be granted access to download important OS and software updates from vendors like Microsoft and from their respective security vendors.
  • Pushing additional malware: Infected systems are more prone to other malware infections (e.g., FAKEAV infection).

How do cybercriminals profit from spreading DNS changer Trojans?

Money makes the world go round, especially in the world of cybercrime. DNS changer Trojans are, of course, no exception to the profit rule.

DNS changer Trojan creators' profiteering schemes have been well-documented, particularly in Rove Digital's case. According to the official U.S. legal indictment, Rove Digital took on advertising contracts from which it made money in exchange for user ad clicks and the display of ads on certain sites.The document also revealed that its business model was not limited to advertising fraud. The group also hijacked search results.

The following techniques allow cybercriminals to profit from spreading DNS changer Trojans:

  • Hijacking search results:For DNS changer Trojan victims, using search engines may not feel any different. When they click a search result or a sponsored link, however, they are directed to rogue instead of legitimate sites.
  • Replacing ad sites: Victims who visit well-known sites like NYTimes.com or Amazon.com may see foreign ads on these pages instead of the ads that should be shown. Cybercriminals earn money from ad impressions and clicks while the site owner loses money. This particular technique worked well for Rove Digital.
  • Distributing FAKEAV malware: Users are served rogue antivirus software or FAKEAV. FAKEAV malware are known to persuade users into purchasing fake antivirus programs by making them think their systems are infected. FAKEAV malware also show scanning results to appear more convincing.

Why should users be concerned with this threat?

DNS changer Trojans may lead to a lot of problems for users, including:

  • No control over network traffic: DNS changer Trojans can lead victims to any site that cybercriminals choose. Such control makes DNS changer Trojans effective phishing or pharming tools. Users are still directed to a spoofed site even if they type in the correct URL.
  • Information theft: Cybercriminals can use DNS changer Trojans to steal victims' personal information.
  • Infection of connected systems: Some DNS changer Trojans can alter routers' DNS settings via brute-force attacks. As a result, all systems connected to the "infected" router also become infected. Some DNS changer Trojans can also be used to set up rogue Dynamic Host Configuration Protocol (DHCP) servers on certain networks, which can have the same effect.
  • Disablement of security updates: Infected systems become more prone to even more infections since DNS changer Trojans often prevent access to security vendors' update download sites.Already-infected systems also become better targets of more menacing cybercriminal activities.
  • Exposure to rootkit infections: DNS changer Trojans are unobtrusive and may have rootkit capabilities. This makes detection and removal from systems even harder. Because of their stealthy nature, DNS changer Trojans will keep modifying an infected system's DNS settings to keep pointing to malicious DNS servers.

Users of systems that have already been infected by DNS changer Trojans, particularly those distributed by Rove Digital, may experience more serious consequences. Systems that remain infected and whose DNS settings are not reset before July 9 will lose Internet access once the Rove Digital DNS servers are shut down.

DNS changer Trojans also affect Macs. OS X-specific Trojans can also change the DNS settings of infected systems and redirect users to bogus sites.

How can affected users get rid of DNS changer Trojans?

Affected users should reset the DNS settings of their systems after getting rid of DNS changer Trojans using their anti-malware solutions. To manually reset your DNS settings, follow these steps:

For Windows OS

  1. Back up all of your important files onto a portable hard drive.
  2. Scan your system with our free scanning tool, HouseCall. Remove the DNS changer Trojans from your computer.
  3. Reset your Windows 7 computer's DNS settings by clicking the Start button or the Windows icon on the lower-left part of your screen. Type cmd in the Search box and hit Enter. If you’re using Windows XP, click Run, type cmd then hit Enter.
  4. In the Command Prompt window (a black window with white text), type ipconfig/flushdns then hit Enter.
  5. A prompt saying, “Successfully flushed the DNS Resolver Cache” should appear.
  6. After fixing your computer, look at your home router and make sure this automatically uses the DNS settings provided by your ISP. You'll need your ISP's help in resetting the DNS settings of your router.
  7. Changing your system's DNS settings is just one of the functions of DNS changer Trojans. It is a good idea to check your bank statements and credit reports, especially those saved in applications and web browsers, to make sure there are no unwanted charges or transactions. Change your online account passwords as well.

For Mac OS X

  1. Back up all of your important files onto a portable hard drive.
  2. Scan your system with your anti-malware solution. Remove the DNS changer Trojans that have infected your computer.
  3. To manually reset your computer’s DNS settings, click the Apple icon at the top-left part of your screen and select System Preferences.
  4. In the System Preferences panel, select the Network icon.
  5. When the Network window opens, click Advanced.
  6. Look for DNS then go to the Settings tab. Delete all of the entries under it and your DNS settings should go back to the default.
  7. After fixing your computer, look at your home router and make sure this automatically uses the DNS settings provided by your ISP. You'll need your ISP's help in resetting the DNS settings of your router.
  8. Changing your system's DNS settings is only one of the functions of DNS changer Trojans. It is a good idea to check your bank statements and credit reports, especially those saved in applications and web browsers, to make sure there are no unwanted charges or transactions. Change your online account passwords as well.

Are Trend Micro users protected from this threat?

Yes, Trend Micro protects your system and confidential information from DNS changer Trojans and other threats via solutions like Trend Micro™ Titanium™ Maximum Security at home and Trend Micro™ Worry-Free™ Business Security—Advanced or OfficeScan for your business.


FROM THE FIELD: EXPERT INSIGHTS

"Cybercriminals use a variety of methods to monetize their DNS changer Trojan botnets, including hijacking search results, replacing the ads victims see on legitimate sites, and pushing additional malware. We successfully identified Rove Digital's command-and-control (C&C) and back-end infrastructure at an early stage and continued to monitor this until November 8, 2011. Other industry partners did a tremendous job by making sure that the botnet takedown happened in a controlled way, with minimal inconvenience on the part of infected customers."— Feike Hacquebord, senior threat researcher