Malware now doing the DNS switcheroo

ronjor · Nov 4, 2005

The attack, triggered when a victim runs a Trojan horse, changes the victim's domain-name servers to point to attacker-controlled servers and then deletes itself, stated an analysis of the code by security firm Websense. The malicious code is sent to potential victims under the guise that it is a security update for Paypal. Instead, the program replaces the PCs domain servers with attacker-controlled ones that redirect requests for Paypal to a phishing site that steals the user's sensitive information.
Click to expand...

Story

Rmus · Nov 5, 2005

Another article which is linked in the above article, details the modification of the DNS server registry key, by the Trojan. The key is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

This exploit should be easily preventable.

1) If your firewall rules specify your ISP DNS servers, then any other attempt via port 53 will be blocked.

2) If on dial-up you specify your DNS servers instead of obtaining automatically, then those entries will over-ride any change made in the Registry.

http://www.rsjones.net/img/dns_1.gif
-------------------------------------------------------

Below, I changed the NameServer to Paypal

http://www.rsjones.net/img/dns_2.gif
---------------------------------------------------------

On connecting out, the entry reverts back to my ISP

http://www.rsjones.net/img/dns_3.gif
--------------------------------------------------------

3) Any Registry Monitor will flag an unauthorized change to the Registry.

Of course, the best prevention is not to let trojan install in the first place.

regards,

-rich
________________
~~Be ALERT!!! ~~

Log in or Sign up

Malware now doing the DNS switcheroo

ronjor Global Moderator

Rmus Exploit Analyst

Log in or Sign up

Malware now doing the DNS switcheroo

ronjor Global Moderator

Rmus Exploit Analyst

Useful Searches