Version: 2008

Comments on: New DNSChanger Trojan variant targets routers

New variant of trojan changes DNS look-up settings on routers, putting any computer on the network at risk of being sent to malicious Web sites.

by tacit June 17, 2008 2:27 PM PDT
The people behind the zlob Trojan are getting pretty sophisticated in their attacks. They've targeted a large American ISP called iPower, which has had server security issues since last December, and planted redirectors on iPower-hosted Web sites. They've seeded Google with poisoned keywords which draw Google traffic to malicious sites that try to install Zlob on visitors' computers. They've penetrated large numbers of blogs running on outdated, insecure versions of WordPress, and forums running outdated versions of phpNuke and phpBB, and used them to set up redirectors to sites that try to download Zlob.

I've been following these guys for quite a while. They have built an elaborate network of Web servers intended to distribute this virus, which I've mapped out at

http://tacit.livejournal.com/240750.html
by Lerianis June 17, 2008 2:37 PM PDT
If you have been following the trail of these guys, why in the world can't the government follow their trail and put them out of business? Preferably with a 100 year prison term or having their hands cut off so that they cannot make any more computer viruses.
by idreamincode June 17, 2008 3:55 PM PDT
Not sure if OpenDNS.com's DNS servers help with this exploit. Seems like you shouldn't keep your router on the default password.
by iThreatResearcher June 18, 2008 7:30 PM PDT
DNSChanger has two executables: EXE for Windows and DMG for Mac OS X. Does it affect Mac users as well? No, here's the explanation: http://ithreats.wordpress.com/2008/06/18/new-dnschanger-hacks-router-in-mac/.
by PG18 June 22, 2008 11:39 AM PDT
If you wish to test infect yourself with this virus go to this link : http://emes.com.br/index.php

The link got spammed to my Gmail account today with the following message:

Liv Tyler New mpeg4!!!
Download now

BE CAREFUL, THIS LINK MIGHT AFFECT YOUR PC OR ROUTER IN A VERY UNDESIRABLE WAY.
by c|net Reader June 22, 2008 7:17 PM PDT
Why doesn't this blog entry mention the infection vector? Why no mention of steps to protect systems from the problem?
by armoredfish November 16, 2008 5:34 AM PST
I need your help/advice. My Dell Server has been infected with a DNS Change type of trojan.

My Internet connection has been disabled. My DNS, both primary and secondary, keeps changing. A downloaded McAfee 8.5i did detect it on access, and whenever I try to put back the ISP-given DNS addresses it does not happen. An autorun.inf file shows infected on run and the settings revert back to the DNS addresses of the trojan. I have not been able to remove it even when I ran my Windows 2003 Enterprise server in Safe mode and ran McAfee. This Windows incidentally did not have updated Service Packs installed. All this in C: drive. The DNS values change to 85.120 etc.

I then installed Vista Premium on another partition and it accesses the Internet with DHCP without any IP address. I try to run an antivirus package from here but it does not help or change things as they were in the C: drive, which is infected. I am on the Internet and writing this email through the Vista OS.

Which antivirus package to use? And how? Should I run it on the C: drive partition, or can it run through the drive (G: drive in this case) that has Vista? It is because the C: drive does not have access to the net and browsers do not work because of the wrong DNS addresses, which do not match the DNS addresses given by the ISP, which provides its connection through its router which is placed on the PC.

Or, should I format C: drive and say good riddance to Win 2003? Hoping like hell that the trojan would be wiped out in C: drive. But then will the computer work again with the MBR gone in the C: drive for the Vista OS which has been installed in a separate G: drive?
by ekin_mache December 15, 2008 8:43 AM PST
I have not been able to remove it for about 7 days.
by Flotsom February 19, 2009 11:12 PM PST
BEWARE - Don't load the STOPzilla (listed as ZLOB) so-called "anti-virus" program. After claiming to find 27 viruses (Avira AntiVir did not see them) it crashed my system. It is just an ad program that loads at startup and asks you to buy it for $10, and is very difficult to remove - took me 20 minutes and 4 restarts! Also comes with a free trojan virus!