Threat of the month: DNSChanger
A computer's DNS settings tell it which servers to ask when mapping hostnames to IP addresses. Malware, or script code on a malicious website, can reconfigure a computer to use DNS servers run by an attacker. Windows systems are most often at risk, although recently DNSChanger attacks have affected OS X and Linux, too.
How does it work?
This malicious software alters the Windows registry settings for the DNS servers the host uses, including ones set for DHCP interfaces. It hardcodes new servers under control of the attacker, and the computer will begin using them right away.
Should I be worried?
Malicious or “rogue” DNS servers can return false answers, sending the victim to an attacking website or even a fraudulent financial site. To reveal the new servers, inspect the registry for subkeys named NameServer or DhcpNameServer, or examine the network adapter settings.
How can I prevent it?
Keeping AV signatures and patches up to date, so that this malware cannot be installed in the first place, is the first step. At the network level, block local hosts from reaching any remote DNS servers so they cannot be used, and treat every instance of such a policy violation as a misconfiguration to be examined.
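As an added example, not part of the original column: a Python script that parses a `reg export` of the Tcpip Interfaces key, pulls each adapter's NameServer and DhcpNameServer values, and flags any resolver that is not on an allowlist of the organisation's own servers. The registry export, interface GUIDs, addresses and allowlist are all constructed for the example.

```python
import re

# Constructed sample of `reg export` output for the Tcpip Interfaces key (not a real capture).
# 10.0.0.53/54 stand in for the organisation's resolvers; 192.0.2.77 is a TEST-NET address
# standing in for a rogue server written in by DNSChanger.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0A1B2C3D-0000-1111-2222-333344445555}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="10.0.0.53"
"NameServer"="10.0.0.53,192.0.2.77"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66667777-8888-9999-AAAA-BBBBCCCCDDDD}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="10.0.0.53 10.0.0.54"
"NameServer"=""
"""

# Assumed allowlist: the resolvers the organisation actually operates.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

KEY_RE = re.compile(r"^\[.*\\Interfaces\\(\{[0-9A-Fa-f-]+\})\]$")
VALUE_RE = re.compile(r'^"(NameServer|DhcpNameServer)"="([^"]*)"$')


def parse_interface_resolvers(reg_text):
    """Map each interface GUID to its NameServer and DhcpNameServer lists.

    Both values are REG_SZ strings; Windows accepts comma- or space-separated
    lists, so split on either. An empty value yields an empty list.
    """
    result, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            result[current] = {"NameServer": [], "DhcpNameServer": []}
            continue
        value = VALUE_RE.match(line)
        if value and current:
            result[current][value.group(1)] = [s for s in re.split(r"[ ,]+", value.group(2)) if s]
    return result


def find_rogue_resolvers(reg_text, approved=APPROVED_RESOLVERS):
    """Return (guid, value_name, server) for every configured resolver not on the allowlist."""
    return [(guid, name, server)
            for guid, values in parse_interface_resolvers(reg_text).items()
            for name, servers in values.items()
            for server in servers if server not in approved]


if __name__ == "__main__":
    for guid, name, server in find_rogue_resolvers(SAMPLE_REG_EXPORT):
        print(f"{guid}: {name} points at unapproved resolver {server}")
```

Running the same check against exports collected from every host, alongside the network-level block on outbound DNS, turns the column's "examine policy violations" advice into a repeatable inventory.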
— Jose Nazario, Arbor Networks
From the February 2008 issue of SC Magazine.