June 17, 2008 1:36 PM PDT

New DNSChanger Trojan variant targets routers

by Elinor Mills

Secure Computing researchers have discovered a new variant of the DNSChanger Trojan in the wild that attacks routers, meaning any Web-surfing computer on that network could be at risk of being redirected to a malicious Web site.

The DNSChanger Trojan changes the DNS settings to point to a host Web site address supplied by the attackers, Sven Krasser, director of data mining research at Secure Computing, said in an interview with CNET News.com on Tuesday.

"Your network is essentially reconfigured to do all the (domain) name resolutions over this malicious name server," he said.

The DNSChanger Trojan is able to access all the settings and functions on the router. It only knows about a few popular router Web interface URLs that it can use to change DNS settings at this time, but that is expected to change and more routers will be affected, according to a Secure Computing blog entry.

The Trojan is believed to have been created by the group behind the "Zlob" malware family, which masquerades as an ActiveX video codec.

A new variant of the DNSChanger Trojan attacks routers so that non-existent domain names are added by the malware. These rogue DNS servers, located in Ukraine, resolve any domain name you provide and redirect to Web sites that look like the one in this screenshot.

(Credit: Secure Computing)
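As an added, defender-side illustration (not code from the article or from Secure Computing), the Python below checks a Windows host's configured resolvers against the ones the ISP handed out and probes whether the active resolver answers for a name that cannot exist, the behaviour the article attributes to the rogue servers. The `ipconfig /all` excerpt and the allowed-resolver list are constructed for the example.

```python
"""Defender-side checks for DNSChanger-style resolver hijacking."""
import ipaddress
import re
import secrets
import socket

# Constructed `ipconfig /all` excerpt from a host behind a hijacked router;
# 198.51.100.23 (RFC 5737 documentation space) stands in for a rogue server.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 198.51.100.23
                                       192.168.1.1
"""
# Resolvers the ISP or admin actually handed out (constructed for the example).
ALLOWED_RESOLVERS = ["192.168.1.1", "203.0.113.0/24"]


def parse_dns_servers(ipconfig_text):
    """Collect DNS servers from `ipconfig /all`: the first address sits on the
    'DNS Servers' line, extra ones on deeply indented continuation lines."""
    servers, in_dns_block = [], False
    for line in ipconfig_text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*: *(\S+)", line)
        if first:
            servers.append(first.group(1))
            in_dns_block = True
        elif in_dns_block and re.match(r"\s{20,}\d+(\.\d+){3}\s*$", line):
            servers.append(line.strip())
        else:
            in_dns_block = False
    return servers


def unexpected_resolvers(configured, allowed=ALLOWED_RESOLVERS):
    """Configured addresses outside every allowed host or network."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [s for s in configured
            if not any(ipaddress.ip_address(s) in n for n in nets)]


def resolver_answers_nonexistent_names(resolve=socket.gethostbyname):
    """True if the resolver returns an address for a name that cannot exist:
    '.invalid' (RFC 2606) never resolves honestly, but the rogue servers above
    resolve any name. `resolve` is injectable so the check can run offline."""
    probe = secrets.token_hex(8) + ".invalid"
    try:
        resolve(probe)
    except OSError:  # socket.gaierror (NXDOMAIN) is the honest outcome
        return False
    return True
```

On a live host, feed the real `ipconfig /all` output to `parse_dns_servers` and call `resolver_answers_nonexistent_names()` with its default; a resolver that is both off the allowed list and answers for the `.invalid` probe matches the hijack pattern described above.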
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by tacit June 17, 2008 2:27 PM PDT
The people behind the zlob Trojan are getting pretty sophisticated in their attacks. They've targeted a large American ISP called iPower, which has had server security issues since last December, and planted redirectors on iPower-hosted Web sites. They've seeded Google with poisoned keywords which draw Google traffic to malicious sites that try to install Zlob on visitors' computers. They've penetrated large numbers of blogs running on outdated, insecure versions of WordPress, and forums running outdated versions of phpNuke and phpBB, and used them to set up redirectors to sites that try to download Zlob.

I've been following these guys for quite a while. They have built an elaborate network of Web servers intended to distribute this virus, which I've mapped out at

http://tacit.livejournal.com/240750.html
by Lerianis June 17, 2008 2:37 PM PDT
If you have been following the trail of these guys, why in the world can't the government follow their trail and put them out of business? Preferably with a 100 year prison term or having their hands cut off so that they cannot make anymore computer viruses.
by idreamincode June 17, 2008 3:55 PM PDT
Not sure if OpenDNS.com's DNS servers help with this exploit. Seems like you shouldn't keep your router's default password.
by iThreatResearcher June 18, 2008 7:30 PM PDT
DNSChanger has two executables: EXE for Windows and DMG for Mac OS X. Does it affect Mac users as well? No, here's the explanation http://ithreats.wordpress.com/2008/06/18/new-dnschanger-hacks-router-in-mac/.
by PG18 June 22, 2008 11:39 AM PDT
If you wish to test-infect yourself with this virus go to this link: http://emes.com.br/index.php

The link got spammed to me to my gmail account today with the following message:

Liv Tyler New mpeg4!!!
Download now

BE CAREFUL, THIS LINK MIGHT AFFECT YOUR PC OR ROUTER IN A VERY UNDESIRABLE WAY.
by c|net Reader June 22, 2008 7:17 PM PDT
Why doesn't this blog entry mention the infection vector? Why no mention of steps to protect systems from the problem?
by armoredfish November 16, 2008 5:34 AM PST
I need your help/advice. My Dell Server has been infected with a DNS Change type of trojan.

My Internet connection has been disabled. My DNS - both primary and secondary - keep changing. A downloaded McAfee 8.5i did detect it on access, and whenever I try to put back the ISP-given DNS addresses it does not happen. An autorun.inf file shows infected on run and the settings revert back to the DNS addresses of the trojan. I have not been able to remove it even when I ran my Windows 2003 Enterprise server in Safe mode and ran McAfee. This Windows incidentally did not have updated Service Packs installed. All this on the C: drive. The DNS values change to 85.120 etc.

I then installed Vista Premium on another partition and it accesses the Internet with DHCP without any IP address. I try to run an anti-virus package from here but it does not help or change things as they were on the C: drive, which is infected. I am on the Internet and writing this email through the Vista OS.

Which antivirus package to use? And how? Should I run it on the C: drive partition, or can it run through the drive (G: drive in this case) that has Vista? It is because the C: drive does not have access to the net and browsers do not work because of the wrong DNS addresses, which do not match the DNS addresses given by the ISP, which provides its connection through its router that is attached to the PC.

Or, should I format C: drive and say good riddance to Win 2003? Hoping like hell that the trojan would be wiped out in C: drive. But then will the computer work again with the MBR gone in the C: drive for the Vista OS which has been installed in a separate G: drive?
by ekin_mache December 15, 2008 8:43 AM PST
I cannot remove it for about 7 days
by Flotsom February 19, 2009 11:12 PM PST
BEWARE - Don't load the STOPzilla (listed as ZLOB) so-called "anti-virus" program. After claiming to find 27 viruses (Avira AntiVir did not see them) it crashed my system. It is just an ad program that loads at startup and asks you to buy it for $10, and is very difficult to remove - took me 20 minutes and 4 restarts! Also comes with free trojan virus!