Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites by altering the DNS settings of a victim's computer. The malware strain was first discovered by the Microsoft Malware Protection Center on December 7, 2006 [1] and later detected by McAfee Labs on April 19, 2009. [2]
DNS changer trojans are dropped onto infected systems by other malicious software, such as TDSS or Koobface. [3] The trojan is a malicious Windows executable that cannot spread to other computers on its own. Instead, it performs several actions on behalf of the attacker within the compromised computer, such as changing the DNS settings in order to divert traffic to unsolicited, and potentially illegal or malicious, domains. [2] [1]
The Win32.DNSChanger trojan is used by organized crime syndicates to carry out click fraud. The user's browsing activity is manipulated through various kinds of modification (such as altering the destination of a legitimate link so that it is forwarded to another site), allowing the attackers to generate revenue from pay-per-click online advertising schemes. The trojan is commonly found as a small file (roughly 1.5 kilobytes) that is designed to change the NameServer registry key value to a custom IP address or domain that is stored encrypted in the body of the trojan itself. As a result of this change, the victim's device contacts the newly assigned DNS server to resolve names, and is handed the addresses of malicious web servers. [4]
Trend Micro described the following registry changes made by Win32.DNSChanger:
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\NameServer
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}, DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}, NameServer = 85.255.xxx.133,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, NameServer = 85.255.xxx.xxx,85.255.xxx.xxx
[6]
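As an added defensive example (not from the article or from Trend Micro), the following PowerShell script audits the NameServer and DhcpNameServer values under the Tcpip\Parameters key and each Interfaces\{GUID} subkey listed above, and reports any resolver that is not on an administrator-supplied allow-list. The allow-list addresses are hypothetical placeholders; replace them with your environment's legitimate resolvers.

```powershell
# Added example, not the article's own material. Run in an elevated PowerShell on the Windows host
# being checked. $Allowed holds hypothetical corporate resolver addresses; adjust to your environment.
$Allowed = @('10.0.0.53', '10.0.1.53')

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# The global Parameters key plus every per-adapter Interfaces\{GUID} subkey.
$Keys = @($Base) + (Get-ChildItem -Path "$Base\Interfaces" -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSPath })

$Findings = foreach ($Key in $Keys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($Name in 'NameServer', 'DhcpNameServer') {
        $Raw = $Props.$Name
        if ([string]::IsNullOrWhiteSpace($Raw)) { continue }
        # Both values are comma- or space-separated lists of server addresses.
        foreach ($Server in ($Raw -split '[,\s]+' | Where-Object { $_ })) {
            if ($Allowed -notcontains $Server) {
                [pscustomobject]@{
                    Key    = $Key
                    Value  = $Name
                    Server = $Server
                    # The article quotes Trend Micro's observed servers as 85.255.x.x addresses.
                    InReportedRange = ($Server -like '85.255.*')
                }
            }
        }
    }
}

if ($Findings) {
    Write-Warning 'Unexpected DNS server entries found; review the adapter and DHCP configuration.'
    $Findings | Format-Table -AutoSize
} else {
    Write-Output 'All NameServer and DhcpNameServer entries are in the allow-list.'
}
```

On hosts that obtain resolvers from DHCP, a DhcpNameServer entry outside the allow-list can also indicate a rogue DHCP server rather than a registry edit by the trojan, so confirm the source before remediating.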