
Threat of the month: DNSChanger

What is it?
A computer's DNS settings determine which servers it uses to map hostnames to IP addresses. A computer can be reconfigured to use attacker-controlled DNS servers through malware or a malicious website's script code. Windows systems are most often at risk, although recently DNSChanger attacks have affected OS X and Linux, too.

How does it work?
This malicious software alters the Windows registry settings for the DNS servers the host uses, including those set on DHCP-configured interfaces. It hardcodes new servers under the attacker's control, and the computer begins using them right away.

Should I be worried?
Malicious or “rogue” DNS servers can return false answers, sending the victim to an attacking website or even a fraudulent financial site. Inspect the registry by looking for subkeys named NameServer or DhcpNameServer, or examine network adapter settings to reveal these new servers.
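The registry check described above, as an added example that is not part of the column: the audit compares every interface's NameServer and DhcpNameServer entries against an allowlist of approved resolvers and reports anything else. The registry path and the two value names are the standard Windows ones; the allowlist, the interface GUIDs and the sample data are constructed, and the live collector only works on Windows (the audit logic itself runs anywhere).

```python
"""Audit Windows TCP/IP interface DNS settings for resolvers outside an allowlist.

Added example, not code from the SC Media column. The registry path and the
NameServer / DhcpNameServer value names are the standard Windows ones; the
allowlist and the sample interface data below are constructed.
"""
import ipaddress
import sys

# Each TCP/IP interface has its own subkey (a GUID) under this path. The static
# resolver list lives in the NameServer value and the DHCP-assigned list in
# DhcpNameServer; both are strings of comma- or space-separated addresses.
INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
DNS_VALUES = ("NameServer", "DhcpNameServer")


def split_servers(raw):
    """Split a NameServer-style string into individual addresses (may be empty)."""
    if not raw:
        return []
    return [s for s in raw.replace(",", " ").split() if s]


def audit(interfaces, allowed):
    """Return [(interface, value_name, server)] for every resolver not in allowed.

    interfaces: dict mapping interface key name -> {value_name: raw_string}
    allowed:    IP addresses or CIDR networks the organisation approves
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    findings = []
    for iface, values in interfaces.items():
        for name in DNS_VALUES:
            for server in split_servers(values.get(name, "")):
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    # An entry that is not even an address is itself worth a look.
                    findings.append((iface, name, server))
                    continue
                if not any(addr in n for n in nets):
                    findings.append((iface, name, server))
    return findings


def read_registry():
    """Collect the per-interface DNS values from the live registry (Windows only)."""
    import winreg  # standard library, but only present on Windows
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        subkey_count = winreg.QueryInfoKey(root)[0]
        for i in range(subkey_count):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as sub:
                vals = {}
                for name in DNS_VALUES:
                    try:
                        vals[name] = winreg.QueryValueEx(sub, name)[0]
                    except FileNotFoundError:
                        pass  # value not set on this interface
                result[guid] = vals
    return result


# Constructed sample: the second interface has had an outside resolver
# hardcoded next to the legitimate one, the pattern the text describes.
SAMPLE = {
    "{00000000-0000-0000-0000-000000000001}": {"DhcpNameServer": "10.0.0.53"},
    "{00000000-0000-0000-0000-000000000002}": {
        "NameServer": "10.0.0.53,203.0.113.7",
        "DhcpNameServer": "10.0.0.53",
    },
}
ALLOWED = ["10.0.0.0/24"]  # assumed: the organisation's own resolver subnet

if __name__ == "__main__":
    data = read_registry() if sys.platform == "win32" else SAMPLE
    for iface, name, server in audit(data, ALLOWED):
        print(f"{iface}: {name} points at unapproved resolver {server}")
```

Run it on a Windows host to audit the live registry; anywhere else it runs against the constructed sample. The allowlist takes CIDR ranges so a site with several internal resolvers does not have to list each one.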

How can I prevent it?
Keeping AV signatures and patches up to date, so that these attacks fail or the malware cannot be installed, is a first step. At the network level, block local hosts from reaching any remote DNS servers so the rogue servers cannot be used, and examine every policy violation as either a misconfiguration or an infection.
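The network-level policy above, as an added example that is not part of the column: once outbound DNS is restricted, the firewall log shows which local hosts still try to talk to resolvers other than the approved ones, and each such host is a candidate misconfiguration or infection. The log lines are constructed in the W3C-style layout the Windows Firewall pfirewall.log uses (date, time, action, protocol, source IP, destination IP, source port, destination port, ...); the approved resolver list and the local address ranges are assumptions.

```python
"""Flag local hosts that send DNS traffic to resolvers outside the approved set.

Added example, not code from the column. The sample lines are constructed in
the Windows Firewall pfirewall.log layout; APPROVED_RESOLVERS is an assumption.
"""
import ipaddress
from collections import defaultdict

APPROVED_RESOLVERS = ["10.0.0.53", "10.0.0.54"]  # assumed internal resolvers
LOCAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # assumed local ranges


def parse_line(line):
    """Return a dict for one log record, or None for comment, header or short lines."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8:
        return None
    try:
        return {"date": f[0], "time": f[1], "action": f[2], "proto": f[3],
                "src": f[4], "dst": f[5], "sport": int(f[6]), "dport": int(f[7])}
    except ValueError:
        return None  # ports were not numeric


def dns_policy_violations(lines, approved, local_nets=LOCAL_NETS):
    """Return {source host: set of unapproved resolvers} for port-53 traffic from local hosts."""
    approved_set = {ipaddress.ip_address(a) for a in approved}
    local = [ipaddress.ip_network(n) for n in local_nets]
    violations = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53 or rec["proto"] not in ("UDP", "TCP"):
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # malformed address field
        if not any(src in n for n in local):
            continue  # only local hosts are subject to the egress policy
        if dst not in approved_set:
            violations[rec["src"]].add(rec["dst"])
    return dict(violations)


# Constructed sample log: two hosts query an outside resolver, one host only
# uses the approved ones, and unrelated HTTPS traffic is ignored.
SAMPLE_LOG = [
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
    "2012-03-01 09:00:01 ALLOW UDP 10.0.1.15 10.0.0.53 49152 53 0 - - - - - - - SEND",
    "2012-03-01 09:00:02 ALLOW UDP 10.0.1.15 203.0.113.7 49153 53 0 - - - - - - - SEND",
    "2012-03-01 09:00:03 ALLOW TCP 10.0.1.22 203.0.113.7 49154 53 0 - 0 0 0 - - - SEND",
    "2012-03-01 09:00:04 ALLOW UDP 10.0.1.22 10.0.0.54 49155 53 0 - - - - - - - SEND",
    "2012-03-01 09:00:05 ALLOW UDP 10.0.1.40 10.0.0.53 49156 53 0 - - - - - - - SEND",
    "2012-03-01 09:00:06 ALLOW TCP 10.0.1.30 198.51.100.9 49157 443 0 - 0 0 0 - - - SEND",
]

if __name__ == "__main__":
    for host, resolvers in sorted(dns_policy_violations(SAMPLE_LOG, APPROVED_RESOLVERS).items()):
        print(f"{host} sent DNS to unapproved resolver(s): {', '.join(sorted(resolvers))}")
```

Point it at a real pfirewall.log (or any flow log with the same columns) and every host it lists is one to check against the registry audit. Hosts that appear here after the block rule is in place are still trying to reach the rogue servers, which is exactly the signal the text says to treat as a misconfiguration or an infection.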

— Jose Nazario, Arbor Networks
