Securing DNS against DNSChanger trojan

Discussion in 'malware problems & news' started by Firebytes, Dec 7, 2008.

Thread Status:
Not open for further replies.
  1. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    I do not have the DNSChanger trojan but I would like to clear up some questions I have regarding how DNS server addresses are obtained and how to stop DNSChanger from altering the DNS servers used by a network.

    I am behind a wireless router secured with WPA2 on which I have changed the default password to a longer alphanumeric password. I have turned off UPnP in the router's settings. I have turned off Remote Management in the router's settings. As I understand it, that should pretty much secure the router's DNS settings from being messed with even if a computer on my network gets the DNSChanger trojan.

    What I am curious about is: if all my security software failed and allowed a computer on my network to get the DNSChanger trojan, but the DNS server addresses couldn't be changed on the router (due to password protection and such), would that stop the trojan from redirecting the computer to bogus sites, or would the computer's own DNS settings override the router's settings?

    Would I also need to go into my LAN's TCP/IP properties dialog and select "use the following DNS server addresses" and specify specific addresses to be used, to lock down the computer as well? Right now my computers' settings are to obtain DNS server addresses automatically, which I assumed the router controlled. So I assumed if the router's DNS settings were locked up it wouldn't matter too much if the computers' settings were changed. I really don't know much about this subject at all so I may be way off.

    So what controls the DNS servers used, the router or the computer? If the router itself is set to obtain DNS server addresses automatically but the router is secure from changes by the trojan, is that enough for the router, or would it be more secure to also allow it to obtain only certain DNS addresses I supply?

    Thanks in advance for any input.
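    The question above, which end controls the resolvers, has a concrete answer on the host side: a Windows adapter set to obtain DNS automatically uses the servers the router's DHCP hands out, while an adapter whose servers were typed in by hand (or written by a trojan) ignores whatever the router offers. The script below is an added example, not code from this thread or from any product it mentions. It parses `ipconfig /all` output (a constructed sample is embedded, with documentation-range addresses standing in for rogue resolvers) and flags adapters whose DNS is set statically or points at a server outside a trusted list, which is the check a user would run on each machine behind the router.

```python
import re

# Constructed sample of `ipconfig /all` output (not from the thread). The second
# adapter has been given static resolvers outside the LAN, which is the state a
# DNS-changing trojan leaves behind on the host itself; 203.0.113.0/24 is a
# documentation range, used here as a stand-in for a rogue resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.lan
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       203.0.113.54
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")          # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z0-9 \-]+?)[ .]*: ?(.*)$")  # "   Key . . . : value"
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_ipconfig(text):
    """Return {adapter name: {"dhcp": bool, "dns_servers": [ip, ...], ...}}."""
    adapters = {}
    current = None
    last_field = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {"dns_servers": []}
            last_field = None
            continue
        if current is None:          # global header lines before the first adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            last_field = key
            if key == "DNS Servers":
                adapters[current]["dns_servers"] = IPV4_RE.findall(value)
            elif key == "DHCP Enabled":
                adapters[current]["dhcp"] = value.lower().startswith("yes")
            else:
                adapters[current][key] = value
        elif last_field == "DNS Servers" and line.strip():
            # extra resolvers are listed one per indented continuation line
            adapters[current]["dns_servers"] += IPV4_RE.findall(line)
    return adapters


def audit_dns(adapters, trusted_resolvers):
    """Flag adapters whose resolver settings bypass or disagree with the router."""
    findings = []
    for name, info in adapters.items():
        servers = info.get("dns_servers", [])
        if not servers:
            continue
        if not info.get("dhcp", False):
            # static DNS: the router's DHCP-supplied resolvers are not in effect here
            findings.append((name, "static DNS configured, router settings bypassed", servers))
        rogue = [s for s in servers if s not in trusted_resolvers]
        if rogue:
            findings.append((name, "resolver not on the trusted list", rogue))
    return findings


if __name__ == "__main__":
    # Trusted list assumed for the sample LAN: the router itself.
    for name, reason, servers in audit_dns(parse_ipconfig(SAMPLE_IPCONFIG), {"192.168.1.1"}):
        print(f"{name}: {reason}: {', '.join(servers)}")
```

On a real machine, feed the script the text of `ipconfig /all` and put the router's address (or the ISP resolvers you chose) in the trusted set; an adapter that reports "DHCP Enabled: No" together with unfamiliar resolvers is the case the thread asks about, where the computer's own setting wins over anything configured on the router.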
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    My understanding is that if the router cannot be accessed, then the exploit fails.

    Reference

    New DNSChanger Trojan “hacks” into routers
    http://www.trustedsource.org/blog/42/New-DNSChanger-Trojan-hacks-into-routers

    But users in a network where there is an infected machine are at risk:

    I haven't seen anything in the analyses that mention whether or not another computer on the network could override the router. Perhaps you could run a test to see...

    ----
    rich
     
    Last edited: Dec 7, 2008
  3. H47

    H47 Registered Member

    Joined:
    Nov 19, 2008
    Posts:
    66
    Good. :thumb:

    And I hope that you NEVER get it.

    It's brutal.

    It took me weeks to get rid of it.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I also hope no one gets it. Do you know how it infiltrated your machine? It might help others to be on the lookout.

    There are two router exploits that have been analyzed; each uses a different attack vector to install the trojan.

    The first utilizes a common social engineering trick, which can be thwarted by the user's judgment:

    DNS changer Trojan for Mac (!) in the wild
    http://isc.sans.org/diary.html?storyid=3595

    A related exploit uses a remote code execution vulnerability, which any security which prevents unauthorized executables from installing will block:

    Popular Home DSL Routers At Risk Of CSRF Attack
    http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212201777

    Should any of these exploits bypass security measures, they still need to compromise the router, as the CSRF article points out:

    Here is an illustration showing how your non-infected computer can be compromised on a network where another computer is infected:

    DNSChanger Trojans v4.0
    Thursday December 4, 2008
    http://www.avertlabs.com/research/blog/index.php/2008/12/04/dnschanger-trojans-v40/

    Other References

    Analysis of OSX Trojan DNS Changer
    http://ithreats.wordpress.com/2008/01/11/analysis-of-osx-trojan-dns-changer

    Trojan.Flush.M
    http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=2

    INTEGO SECURITY ALERT
    http://www.intego.com/news/ism0705.asp


    ----
    rich
     
  5. H47

    H47 Registered Member

    Joined:
    Nov 19, 2008
    Posts:
    66
    Yes. I do.

    I am on a shared house computer where other people go on it. So somebody must have downloaded something that they shouldn't have.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That's too bad.

    Is one person the "Administrator" of the computer?

    Did the router have other than the default password?

    Does each user have an account, or does the computer run with Administrator rights?

    Was Norton Internet Security 2009 the only protection on the computer? (Several analyses showed 0 coverage by AV in some of the recent exploits.)

    I ask, because a friend is setting up a computer in a house which will have several users, and is thinking about policies and security. She can benefit from your experience.

    thanks,

    rich
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I am trialing MD (Malware Defender HIPS) in silent mode = executable lockdown; nothing can be downloaded off the net, it's denied. Would this help for DNS changers?
     
  8. H47

    H47 Registered Member

    Joined:
    Nov 19, 2008
    Posts:
    66
    The computer was donated to the house. It was previously used. And nobody in the house has exclusive Administrator rights. The computer runs with Administrator rights for everyone.

    I don't own the router. Somebody else in the house owns it so I don't know about the password.

    I didn't have NIS 2009 on the computer at the time. AVG was on the computer at the time that it happened.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, H47, very helpful.

    ----
    rich
     
  10. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Thanks, that was mainly what I was wondering. I assumed that when behind a router that the router's DNS settings took the place of each computer using its own DNS settings but I wasn't sure.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    See my post #4 above.

    It would prevent the second attack vector -- remote code execution via some browser or plugin vulnerability.

    But not the first, if the user were tricked into authorizing the installation.


    ----
    rich
     
  12. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Sorry to hear that you had such a hard time. Hopefully you will be able to avoid a repeat.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is my *understanding.* I'm not speaking as an expert.

    As I indicated, I've not seen this addressed in any of the analyses of these current exploits. If I were concerned, I would figure out a way to set up my own test.

    Or post your question to another forum where some Network experts might give their opinion.

    More of a concern to me, if I used my Laptop in a free WiFi setting, would be the rogue DHCP exploit I referenced in my post above. I've posed this question to the ISC Handler who wrote the Diary about this exploit, for comment on this.

    Rogue DHCP servers
    http://isc.sans.org/diary.html?storyid=5434

    ----
    rich
     
  14. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Got it thanks.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Dave,

    Can you do a test where you attempt to download an executable from the internet, then post a screenshot of the alert from MD?

    thanks,

    ----
    rich
     
  16. H47

    H47 Registered Member

    Joined:
    Nov 19, 2008
    Posts:
    66
    You are very welcome. :)

    *******************
    I hope so too.
     
  17. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Sure can, stand by.
     
  18. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    OK. This is an adult content site I used for testing NOD32 4 beta in another post. This site contains trojans and a rogue AV for Vista; this was all tested in Shadow Mode with SD. Here is the same site with MD, all other security off other than MD and SD. This one screen I did is not the end of it all: if I deny or allow this executable it follows with many popups; it's a very nasty site. It requires a new ActiveX download, and that is when it drops the parasites on a system.
     

    Last edited: Dec 7, 2008
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks -- Very impressive! I'm adding MD to my list of execution blocking products.

    You mentioned,

    I'm still looking for products where it's Default-Deny, where, in case of multiple users, only the owner or Administrator can allow. With MD, it looks like any user can allow.

    Only two solutions that I know of offer Default-Deny: Software Restriction policies (SRP), and Anti-Executable (AE).

    My friend I mentioned above is setting up SRP because it has other features/policies that AE doesn't offer for her situation, where several students will use the same computer. Here are screen shots of SRP alerts:

    [two screenshots of SRP alerts, attached to the original post]

    In a multi-user situation, this will prevent both attack methods that the DNSChanger exploits are using:

    1) none of the users other than the Administrator could allow the installation of the malware codec.

    2) any remote code execution exploit would fail to install.


    ----
    rich
     
    Last edited: Dec 7, 2008
  20. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    You're very welcome.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Will it happen even if you protect your router with a password?
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Here is the quote following the one you posted from my Post #4:

    In looking at the various articles and analyses, evidently many people do not change the default password, which is easy to guess/break.
     
  23. merlin666

    merlin666 Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    7
    I think I had this trojan attached to a resycled/boot virus. I could not use my computer for a week and I am suspicious that I have not fully removed it. I used malwarebytes as main detection tool, but still have to read up on this.
     
  24. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    I disabled my DNS.
     