Trojan.Win32.DNSChanger

''Trojan.Win32.DNSChanger'' is a backdoor trojan that redirects users to various malicious websites by altering the DNS settings of a victim's computer. The malware strain was first discovered by the Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.


Behaviour

DNS changer trojans are dropped onto infected systems by other malicious software, such as TDSS or Koobface (Trend Micro, ''How DNS Changer Trojans Direct Users to Threats'', Threat Encyclopedia). The trojan is a malicious Windows executable that cannot propagate to other computers on its own; instead, it performs several actions on behalf of the attacker within the compromised computer, such as changing the DNS settings in order to divert traffic to unsolicited, and potentially illegal or malicious, domains. The Win32.DNSChanger trojan is used by organized crime syndicates to sustain click fraud. The user's browsing activity is manipulated through various modifications (such as altering the destination of a legitimate link so that it forwards to another site), allowing the attackers to generate revenue from pay-per-click online advertising schemes. The trojan is commonly found as a small file (roughly 1.5 kilobytes) designed to change the NameServer registry key value to a custom IP address or domain that is stored encrypted in the body of the trojan itself. As a result of this change, the victim's device contacts the newly assigned DNS server, which resolves names to malicious web servers.

Trend Micro described the following behaviors of Win32.DNSChanger:

* Steering unknowing users to malicious websites: these sites can be phishing pages that spoof well-known sites in order to trick users into handing out sensitive information. A user who wants to visit the iTunes site, for instance, is instead unknowingly redirected to a rogue site.
* Replacing ads on legitimate sites: visiting certain sites can serve users with infected systems a different set of ads from those served to users whose systems are not infected.
* Controlling and redirecting network traffic: users of infected systems may be prevented from downloading important OS and software updates from vendors such as Microsoft and from their respective security vendors.
* Pushing additional malware: infected systems are more prone to other malware infections (e.g., FAKEAV infection).


Alternative aliases

* ''Win32:KdCrypt'' (Avast)
* ''TR/Vundo.Gen'' (Avira)
* ''MemScan:Trojan.DNSChanger'' (Bitdefender Labs)
* ''Win.Trojan.DNSChanger'' (ClamAV)
* variant of ''Win32/TrojanDownloader.Zlob'' (ESET)
* ''Trojan.Win32.Monder'' (Kaspersky Labs)
* ''Troj/DNSCha'' (Sophos)
* ''Mal_Zlob'' (Trend Micro)
* ''MalwareScope.Trojan.DnsChange'' (Vba32 AntiVirus)


Other variants

* Trojan.Win32.DNSChanger.al: ''F-Secure'', a cybersecurity company, received samples of a variant named ''PayPal-2.5.200-MSWin32-x86-2005.exe''. In this case, the PayPal attribution indicated that a phishing attack was likely (''Phishing attack hits PayPal subscribers'', V3). The trojan was programmed to change the DNS server name of a victim's computer to an IP address in the 193.227.xxx.xxx range.
  The registry key affected by this trojan is:
  * HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\NameServer
  Other registry modifications involved the creation of the keys below:
  * HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\, DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
  * HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\, NameServer = 85.255.xxx.133,85.255.xxx.xxx
  * HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
  * HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, NameServer = 85.255.xxx.xxx,85.255.xxx.xxx
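The NameServer change described under Behaviour and the registry keys listed above are what a defender would audit on a suspect host. As an added example, not from the article or from any vendor it cites, the following PowerShell reads the NameServer and DhcpNameServer values under both ControlSet001 and CurrentControlSet (global key plus every per-interface subkey) and flags any resolver outside an allow-list; the allow-list addresses are assumed placeholders.

```powershell
# Added example (not from the article): audit the NameServer / DhcpNameServer
# registry values that DNSChanger modifies and flag resolvers outside an allow-list.
# Run in an elevated PowerShell session on the Windows host being checked.

# ASSUMPTION: placeholder corporate resolvers; replace with your own.
$AllowedResolvers = @('10.0.0.53', '10.0.1.53')

# The article lists keys under both ControlSet001 and CurrentControlSet, so check both.
$ControlSets = @('HKLM:\SYSTEM\CurrentControlSet', 'HKLM:\SYSTEM\ControlSet001')

$Findings = foreach ($Set in $ControlSets) {
    $Params = Join-Path $Set 'Services\Tcpip\Parameters'
    if (-not (Test-Path $Params)) { continue }

    # Global key plus one GUID-named subkey per network interface.
    $Keys = @($Params) + @(Get-ChildItem -Path (Join-Path $Params 'Interfaces') -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSPath })

    foreach ($Key in $Keys) {
        $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        foreach ($ValueName in 'NameServer', 'DhcpNameServer') {
            $Raw = $Props.$ValueName
            if ([string]::IsNullOrWhiteSpace($Raw)) { continue }
            # Values are comma- or space-separated lists of resolver addresses.
            foreach ($Server in ($Raw -split '[,\s]+' | Where-Object { $_ })) {
                if ($AllowedResolvers -notcontains $Server) {
                    [pscustomobject]@{
                        Key      = $Key -replace '^.*Registry::', ''
                        Value    = $ValueName
                        Resolver = $Server
                    }
                }
            }
        }
    }
}

if ($Findings) {
    Write-Warning 'DNS resolvers outside the allow-list were found:'
    $Findings | Format-Table -AutoSize
} else {
    Write-Host 'All configured resolvers are in the allow-list.'
}
```

A hit on a per-interface NameServer value that DHCP did not set (DhcpNameServer differs or is empty) is the pattern the registry modifications above describe, and is worth correlating with the host's DNS query logs.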


See also

* DNSChanger
* DNS hijacking
* Rove Digital case
* Zlob trojan


References

* Trend Micro, ''How DNS Changer Trojans Direct Users to Threats'', Threat Encyclopedia, Trend Micro USA
* ''Phishing attack hits PayPal subscribers'', V3


External links


* ''How DNS Changer Trojans Direct Users to Threats'' by ''TrendMicro''
* (''F-Secure'')
* ''‘Biggest Cybercriminal Takedown in History’'' (''Brian Krebs'' @ ''krebsonsecurity.com'')
* Analysis of a DNSChanger file at VirusTotal