
Security Alert 1: DNS Changer


Overview :

EDU-CERT has obtained information that PCs at some Moroccan universities are infected with the DNS Changer malware. This Trojan changes the infected system's Domain Name Server (DNS) settings in order to divert traffic to unsolicited, and potentially illegal, sites.


Threat description :

The Trojan is usually a small file (about 1.5 kilobytes) designed to change the value of the 'NameServer' registry key to a custom IP address. This IP address is usually stored encrypted in the body of the Trojan. As a result of this change, the victim's computer contacts the newly assigned DNS server to resolve the names of web servers and may be directed to unsolicited, and potentially illegal, sites.


Diagnostics:

Refer to the steps below to check whether a computer is infected with the "DNS Changer" malware:


1/ Check your DNS configuration:


Type ipconfig /all at a command prompt and look for the lines in the output that contain "DNS Servers" (several IP addresses may be listed).
Check every interface when multiple interfaces are in use (wireless LAN, wired LAN, etc.).


2/ Check the DNS server IP addresses:


Check whether the DNS server IP addresses found fall within the following IP address ranges:
    85.255.112.0 - 85.255.127.255
    67.210.0.0 - 67.210.15.255
    93.188.160.0 - 93.188.167.255
    77.67.83.0 - 77.67.83.255
    213.109.64.0 - 213.109.79.255
    64.28.176.0 - 64.28.191.255

If any DNS server has an IP address that falls within one of the above ranges, the PC may be infected with DNS Changer.
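To automate steps 1 and 2, the following Python script is an added example (not part of the original alert): it parses the "DNS Servers" fields of saved ipconfig /all output, including the indented continuation lines that carry additional servers, and flags any address inside the ranges listed above. The ipconfig sample it checks is constructed, not captured from a real host.

```python
import ipaddress
import re

# Rogue DNS ranges listed in this alert, as (first, last) addresses.
ROGUE_RANGES = [("85.255.112.0", "85.255.127.255"), ("67.210.0.0", "67.210.15.255"),
                ("93.188.160.0", "93.188.167.255"), ("77.67.83.0", "77.67.83.255"),
                ("213.109.64.0", "213.109.79.255"), ("64.28.176.0", "64.28.191.255")]
ROGUE_NETS = [n for a, b in ROGUE_RANGES for n in ipaddress.summarize_address_range(
    ipaddress.ip_address(a), ipaddress.ip_address(b))]

# An ipconfig field line: indented name, dot leader, colon, value.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 ()/-]*?)\s*(?:\. )+\s*:\s*(.*)$")

# Constructed sample of ipconfig /all output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   DNS Servers . . . . . . . . . . . : 85.255.113.12
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : 8.8.8.8
"""

def parse_dns_servers(text):
    """Map each adapter to its DNS servers; extra servers sit on indented continuation lines."""
    adapters, current, collecting = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                  # adapter header, e.g. "Ethernet adapter X:"
            current, collecting = line.strip().rstrip(":"), False
            adapters.setdefault(current, [])
        elif (m := FIELD.match(line)):             # any field line ends a DNS Servers block
            collecting = m.group(1).strip() == "DNS Servers" and current is not None
            if collecting and m.group(2).strip():
                adapters[current].append(m.group(2).strip())
        elif collecting:                           # continuation line of the DNS Servers field
            adapters[current].append(line.strip())
    return adapters

def find_rogue_dns(text):
    """Return (adapter, server) pairs whose DNS server lies in one of the listed ranges."""
    hits = []
    for adapter, servers in parse_dns_servers(text).items():
        for server in servers:
            addr = ipaddress.ip_address(server.split("%")[0])  # drop an IPv6 zone id such as %1
            if any(addr in net for net in ROGUE_NETS):
                hits.append((adapter, server))
    return hits
```

On a Windows host, save the real output with ipconfig /all > ipconfig.txt and pass the file contents to find_rogue_dns; an empty result means no configured DNS server is in the listed ranges.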


Solution

Please follow these instructions if your PC is infected:

•    Disconnect the PC from the network.

•    Change the PC's DHCP and IP address settings so that a valid DNS server IP address is used.

The FBI has confirmed a variant of DNS Changer that changes router DNS settings. If a DNS Changer infection is detected on a PC, also check whether the router(s) used by that computer are infected.

For more information, refer to the following:

http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
Finally, note that PCs infected with DNS Changer may be infected with other types of malware as well.

If you have any further questions or information regarding this alert, please contact EDU-CERT.


References:

Federal Bureau of Investigation (FBI), DNSChanger Malware:
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), DNS Changer:
http://www.jpcert.or.jp/english/at/2012/at120008.html

F-Secure, Trojan:W32/DNSChanger:
http://www.f-secure.com/v-descs/dnschang.shtml


Copyright © 2018 EDU-CERT : the Moroccan Academic Computer Emergency Response Team. All Rights Reserved.