Securing DNS against DNSChanger trojan

I do not have the DNSChanger trojan but I would like to clear up some questions I have regarding how DNS server addresses are obtained and how to stop DNSChanger from altering the DNS servers used by a network.

I am behind a wireless router secured with WPA2 on which I have changed the default password to a longer alphanumeric password. I have turned off UPnP in the router's settings. I have turned off Remote Management in the router's settings. As I understand it that should pretty much secure the router's DNS settings from being messed with even if a computer on my network gets the DNSChanger trojan.

What I am curious about is; if all my security software failed and allowed a computer on my network to get the DNSChanger trojan but the DNS server addresses could't be changed on the router (due to password protection and such) would that stop the trojan from redirecting the computer to bogus sites or would the computer's own DNS settings override the router's settings?

Would I also need to go into my LAN's TCP/IP properties dialog and select "use the following DNS server addresses" and specify specific addresses to be used to lock down the computer as well? Right now my computers' settings are to obtain DNS server addresses automatically, which I assumed the router controlled. So I assumed if the router's DNS settings were locked up it wouldn't matter to much if the computers' settings were changed. I really don't know much about this subject at all so I may be way off.

So what controls the DNS servers used, the router or the computer? If the router itself is set to obtain DNS server addresses automatically but the router is secure from changes by the trojan is that enough for the router or would it be more secure to also allow it also to obtain only certain DNS addresses I supply?

Thanks in advance for any input.

 

My understanding is that if the router cannot be accessed, then the exploit fails.

Reference

New DNSChanger Trojan “hacks” into routers
http://www.trustedsource.org/blog/42/New-DNSChanger-Trojan-hacks-into-routers

But users in a network where there is an infected machine are at risk:

I haven't seen anything in the analyses that mention whether or not another computer on the network could override the router. Perhaps you could run a test to see...

----
rich

 

Good.

And I hope that you NEVER get it.

It's brutal.

It took me weeks to get rid of it.

 

I also hope no one gets it. Do you know how it infiltrated your machine? It might help others to be on the lookout.

There are two router exploits that have been analyzed; each uses a different attack vector to install the trojan.

The first utilizes a common social engineering trick, which can be thwarted by the user's judgment:

DNS changer Trojan for Mac (!) in the wild
http://isc.sans.org/diary.html?storyid=3595

A related exploit uses a remote code execution vulnerability, which any security which prevents unauthorized executables from installing will block:

Popular Home DSL Routers At Risk Of CSRF Attack
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212201777

Should any of these exploits bypass security measures, they still need to compromise the router, as the CSRF article points out:

Here is an illustration showing how your non-infected computer can be compromised on a network where another computer is infected:

DNSChanger Trojans v4.0
Thursday December 4, 2008
http://www.avertlabs.com/research/blog/index.php/2008/12/04/dnschanger-trojans-v40/

Other References

Analysis of OSX Trojan DNS Changer
http://ithreats.wordpress.com/2008/01/11/analysis-of-osx-trojan-dns-changer

Trojan.Flush.M
http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=2

INTEGO SECURITY ALERT
http://www.intego.com/news/ism0705.asp


----
rich

 

Yes. I do.

I am on a shared house computer where other people go on it. So somebody must have downloaded something that they shouldn't have.

 

That's too bad.

Is one person the "Adminstrator" of the computer?

Did the router have other than the default password?

Does each user have an account, or does the computer run with Administrator rights?

Was Norton Internet Security 2009 the only protection on the computer? (Several analyses showed 0 coverage by AV in some of the recent exploits.)

I ask, because a friend is setting up a computer in a house which will have several users, and is thinking about policies and security. She can benefit from your experience.

thanks,

rich

 

I am trialing (MD Malware Defender Hip, in silent mode = excutable lock down nothing can be download off the net its deny.Would this help for DNS changers.

 

The computer was donated to the house. It was previously used. And nobody in the house has exclusive Administrator rights. The computer runs with Administrator rights for everyone.

I don't own the router. Somebody else in the house owns it so I don't know about the password.

I didn't have NIS 2009 on the computer at the time. AVG was on the computer at the time that it happened.

 

Thanks, H47, very helpful.

----
rich

 

Thanks, that was mainly what I was wondering. I assumed that when behind a router that the router's DNS settings took the place of each computer using its own DNS settings but I wasn't sure.

 

See my post #4 above.

It would prevent the second attack vector -- remote code execution via some browser or plugin vulnerabilty.

But not the first, if the user were tricked into authorizing the installation.


----
rich

 

Sorry to hear that you had such a hard time. Hopefully you will be able to avoid a repeat.

 

This is my *understanding.* I'm not speaking as an expert.

As I indicated, I've not seen this addressed in any of the analyses of these current exploits. If I were concerned, I would figure out a way to set up my own test.

Or post your question to another forum where some Network experts might give their opinion.

More of a concern to me, if I used my Laptop in a free WiFi setting, would be the rogue DHCP exploit I referenced in my post above. I've posed this question to the ISC Handler who wrote the Diary about this exploit, for comment on this.

Rogue DHCP servers
http://isc.sans.org/diary.html?storyid=5434

----
rich

 

Got it thanks.

 

Dave,

Can you do a test where you attempt to download an executable from the internet, then post a screenshot of the alert from MD?

thanks,

----
rich

 

You are very welcome.

*******************

I hope so too.

 

Sure can stand bye

 

Ok This is of adult content site I used for testing NOD32 4 beta in another post.This site contains trojans,AV rogue for vista this is all tested in Shadow Mode w SD.Here Same site with MD all other security off other then MD and SD.THis one screen I did is Not the end to all if I Deny or allowed this excutable it follows with many poups its a very nasty site.It requires a new Active X download that when it drops the parasites on a system.

 

Thanks -- Very impressive! I'm adding MD to my list of execution blocking products.

You mentioned,

I'm still looking for products where it's Default-Deny, where, in case of multiple users, only the owner or Administrator can allow. With MD, it looks like any user can allow.

Only two solutions that I know of offer Default-Deny: Software Restriction policies (SRP), and Anti-Executable (AE).

My friend I mentioned above is setting up SRP because it has other features/policies that AE doesn't offer for her situation, where several students will use the same computer. Here are screen shots of SRP alerts:




_______________________________________________________________________________

In a multi-user situation, this will prevent both attack methods that the DNSchanger exploits are using:

1) none of the users other than the Administrator could allow the installation of the malware codec.

2) any remote code execution exploit would fail to install.


----
rich

 

Your very welcome.

 

Wil it happen even if u protect ur router with a password?

 

Here is the quote following the one you posted from my Post #4:

In looking at the various articles and analyses, evidently many people do not change the default password, which is easy to guess/break.

 

I think I had this trojan attached to a resycled/boot virus. I could not use my computer for a week and I am suspicious that I have not fully removed it. I used malwarebytes as main detection tool, but still have to read up on this.

 

I disabled my DNS.