
Thread: DNSChanger Trojan “hacks” into routers


    A new variant of the DNSChanger trojan has been discovered in-the-wild. This variant conducts brute force attacks against the web interface of routers that use basic access authentication. DNSChanger is believed to be affiliated with the authors behind the large Zlob malware family. This latest trojan’s aim is to gain access to routers in order to change their DNS settings to point to a host address supplied by the attackers. The devastating effect is that any DNS query coming from within that network passing through the cracked router is under the control of the attackers - even users whose machines are not directly infected by DNSChanger itself might get malicious content injected when visiting their favorite web site.

    Fortunately, this current variant only uses a list of hardcoded credentials (“dictionary attack”), consisting of a bunch of known default passwords, instead of generating credentials on the fly. This reduces the probability of success but still poses a great security risk for users that do not change their router’s factory default settings. The Trojan tries one combination per approximately 100 milliseconds, which makes 600 combinations per minute.

    Once DNSChanger has successfully cracked the credentials, it has access to all the settings and functions provided by the router. At the moment these new DNSChanger variants only know about a few popular router web interface URLs that the trojan uses to change the DNS settings. But this could change in the very near future and more routers are believed to be supported over time. The following screenshot shows the network traffic between an infected PC and a router being attacked by it:

    A typical sign for an infection with DNSChanger is the IP address range (85.255.*.*). On Windows machines you can check your Registry settings underneath the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

    Another obvious sign for infection is that non-existing domain names are being resolved by the DNS server changed or added by the malware. These rogue DNS servers, located in the Ukraine, will resolve any domain name you provide and eventually redirect the browser to web sites like the one shown below.

    Please do note that this behavior is entirely controlled by the attackers’ DNS servers. These could even redirect existing domain names to servers hosting crafted content (Phishing) or servers dynamically modifying real content. Once your DNS settings are under control, the bad possibilities are nearly unlimited. And, even clean machines are affected once a previous infection on just one client behind the shared router successfully cracked the router login.

    The Secure Anti-Malware Engine proactively blocks DNSChanger installers as ‘Trojan.Dropper.Dldr.DNSChanger.Gen’.
    Source
    Last edited by AGENTDRE; Jun 19, 2008 at 01:09 PM.
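The two infection signs described in the post (DNS servers in the 85.255.*.* range under the Tcpip\Parameters registry key, and a resolver that answers for names that do not exist) as a small detection script. This is an added example, not code from the post or its source; the registry export, the interface GUID and the 85.255.x.x addresses are constructed sample data, and the resolver is passed in as a function so the check runs offline.

```python
"""Flag DNSChanger-style rogue DNS settings from a Windows .reg export."""
import ipaddress
import re
import secrets
from typing import Callable, Dict, List, Optional, Tuple

ROGUE_NET = ipaddress.ip_network("85.255.0.0/16")   # range named in the post
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"(NameServer|DhcpNameServer)"="(.*)"$')


def dns_servers_from_reg(reg_text: str) -> Dict[str, List[str]]:
    """Map each Tcpip\\Parameters key (global and per-interface) to its DNS servers."""
    servers, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key and "Tcpip\\Parameters" in key:
            # NameServer values hold space- or comma-separated IPv4 addresses
            ips = [s for s in re.split(r"[ ,]+", m.group(2)) if s]
            servers.setdefault(key, []).extend(ips)
    return servers


def rogue_servers(servers: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (registry key, address) pairs whose address falls in ROGUE_NET."""
    hits = []
    for key, ips in servers.items():
        for ip in ips:
            try:
                if ipaddress.ip_address(ip) in ROGUE_NET:
                    hits.append((key, ip))
            except ValueError:        # skip malformed entries instead of crashing
                continue
    return hits


def nxdomain_hijacked(resolve: Callable[[str], Optional[str]]) -> bool:
    """True if a random label under the reserved .invalid TLD gets an answer."""
    probe = f"{secrets.token_hex(8)}.invalid"   # must never resolve on honest DNS
    return resolve(probe) is not None


# Constructed sample export: GUID and addresses are made up, not real indicators
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CONSTRUCTED-GUID}]
"DhcpNameServer"="85.255.1.2 85.255.1.3"
"NameServer"="192.168.1.1"
"""
```

On a live host, feed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` to `dns_servers_from_reg` and a real lookup function to `nxdomain_hijacked`; a DHCP-supplied 85.255.x.x server points at the router rather than the host.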
