It has been observed that a malware called DNS Changer Trojan, which changes the DNS server entries in computer systems and ADSL/VoIP routers (home gateway devices), is widely propagating.

The malware initially infects Windows or Apple computers and subsequently gains access to the routers connected to those systems by exploiting weaknesses such as default factory configurations and easily guessable passwords. Once a router is exploited or accessed, the malware changes the DNS settings in the said computers and devices and makes them point to rogue foreign DNS servers.

In a typical attack scenario, unwitting users are enticed to download malware (similar to Trojan:BAT/Dnschanger.B) which subsequently tampers with the Windows network settings in the host computer (DNS entries in the hosts file, adding a proxy in the browser settings), scans for connected DSL devices and tries to log in directly to their admin interface to change the DNS settings in the routers.

By achieving this, cyber criminals can control which sites the user connects to on the internet. The following actions could be performed on an infected system:
- Redirecting the intended queries to malicious servers, leading to further downloading of malware or potentially unwanted programs, or conducting phishing attacks
- Eavesdropping on the user's sessions
- Man-in-the-Middle attack (MITM)
- Serving advertisements of the attacker's choice
- Preventing the download of operating system and antivirus updates
Confirming Malware Infection

Check the local or ADSL/VoIP router DNS server settings against the identified rogue DNS servers:
64.28.176.0 - 64.28.191.255
67.210.0.0 - 67.210.15.255
77.67.83.0 - 77.67.83.255
93.188.160.0 - 93.188.167.255
85.255.112.0 - 85.255.127.255
213.109.64.0 - 213.109.79.255

(Note: The local DNS list can be found by running "ipconfig /all | findstr DNS" in the Windows command prompt. If any suspicious entries are found, delete them and run "ipconfig /flushdns" to clear the previously cached entries. Then access the router interface and check its DNS entries; refer to the owner's manual for accessing and configuring the device.)
Check the Windows/Apple system for entries related to the malicious DNS servers. A typical registry entry will look like:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}\DhcpNameServer = 93.188.161.105
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}\DhcpNameServer = 93.188.166.105
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}\DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
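As an added example (not part of the advisory), the following Python script checks the DNS servers reported by "ipconfig /all" and the comma-separated DhcpNameServer registry value against the rogue ranges listed above. The ipconfig excerpt is constructed for illustration, not captured from a real host.

```python
import ipaddress
import re

# Rogue DNS ranges listed in the advisory (inclusive start/end).
ROGUE_RANGES = [
    ("64.28.176.0", "64.28.191.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("85.255.112.0", "85.255.127.255"),
    ("213.109.64.0", "213.109.79.255"),
]

def is_rogue_dns(ip_str):
    """True if ip_str is an IPv4 address inside one of the rogue ranges."""
    try:
        ip = ipaddress.IPv4Address(ip_str)
    except ipaddress.AddressValueError:
        return False  # hostnames or garbage never match a range
    return any(ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi)
               for lo, hi in ROGUE_RANGES)

def dns_servers_from_ipconfig(text):
    """Collect DNS servers from `ipconfig /all` (header line plus address-only continuation lines)."""
    servers, collecting = [], False
    for line in text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        more = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
        if first:
            servers.append(first.group(1))
        elif collecting and more:
            servers.append(more.group(1))
        collecting = bool(first or (collecting and more))
    return servers

def dns_servers_from_registry_value(value):
    """Split a DhcpNameServer/NameServer REG_SZ value like 'a.b.c.d,e.f.g.h'."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def flag_rogue(servers):
    """Return only the servers that fall in the advisory's rogue ranges."""
    return [s for s in servers if is_rogue_dns(s)]

# Constructed sample `ipconfig /all` excerpt (not captured from a real host).
SAMPLE_IPCONFIG = """\
   Connection-specific DNS Suffix  . : example.invalid
   DNS Servers . . . . . . . . . . . : 93.188.161.105
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```

Feed it the real output of "ipconfig /all" or the DhcpNameServer value exported from the registry; any address returned by flag_rogue warrants the cleanup steps described in this advisory.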
Check the hosts file entries and the proxy setting in the browser configuration on the local system for suspicious entries, and delete fraudulent entries if found. The steps below locate these entries. On a Windows 7 (Professional) box the local resolver, or hosts file, is located at C:\Windows\System32\drivers\etc\hosts.

Locating the proxy entries in the Firefox (10) browser: start the browser, click Options > Advanced > Network and click on Connection Settings.

DNS Changer "Eye Chart": query http://www.dns-ok.us/ to verify that legitimate DNS servers are in use.
Tools

Anti-virus vendor AVIRA has released a DNS repair tool that can be used to clean infected systems.

If it is suspected that the router's credentials have been changed in an unauthorised fashion, reset the router settings, change the credentials for the modem's interface and reboot the devices.
Countermeasures

- Restrict the web management interface of routers to authorized users and change default usernames/passwords.
- Report suspicious entries in routers to your Internet Service Provider.
- Keep the antivirus on the computer system up to date.
- Keep up to date on patches and fixes for the operating system and applications.
Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.