DNSChanger Trojan Still Prevalent In 350K Computers
Over Ten Percent of Fortune 500 Still Infected by DNSChanger
Google is embarking on an effort to notify Internet users if their computers or home routers are still infected with the DNSChanger Trojan, a piece of sophisticated malware that has compromised an estimated 500,000 systems. The outreach campaign comes a little more than a month ahead of July 9, the date on which the FBI is set to take all computers corrupted with the malware offline.
The FBI ended a major online DNS threat last year, but arresting the criminals and shutting down their servers would have left millions without Internet service, so the servers were replaced. Here’s how to find out if you could lose your Internet connection on July 9th.
The trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a custom IP address. This IP address is usually encrypted in the body of the trojan. As a result of this change, a victim's computer will contact the newly assigned DNS server to resolve the names of web servers.
Variant
Trojan.Win32.DNSChanger.al
Lately we got a few samples of this trojan that were named 'PayPal-2.5.200-MSWin32-x86-2005.exe'. This trojan was programmed to change the DNS server of a victim's computer to the address 193.227.227.218.
The Registry key that is affected by this trojan is:
- [HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces]
"NameServer"
Registry Modifications
Creates these keys:
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}
DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}
NameServer = 85.255.xxx.133,85.255.xxx.xxx
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
NameServer = 85.255.xxx.xxx,85.255.xxx.xxx
Manual Way to Remove it:
If a manual check of the DNS nameserver system is desired, then here are the steps for Windows XP and newer:
- Click Start --> Run, then type “cmd” in the box (no quotes).
- In the command window, type “ipconfig/all” (again, no quotes).
- Scroll down through all the other data and find “DNS servers.” The entry will look like this: 192.168.2.1. If it instead looks like this: fec0:0:0:ffff::1%1, then your router uses IPv6 and you can’t manually check the connection. Write down the addresses of the nameservers you are using.
- Go to: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS, and enter your DNS server addresses into the checker box and hit the “Check Your DNS” button. Your results will only take a few seconds.
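The manual check above can be scripted. The following is an added example, not code from the original article: it parses English-language `ipconfig /all` output, collects every DNS server (including continuation lines), and compares each one against the addresses this page names. The sample output is constructed, and treating all of 85.255.0.0/16 as suspect is an assumption made because the page masks those addresses.

```python
import ipaddress
import re

# Indicators from this page only. The page masks its 85.255.x.x servers, so
# matching the whole 85.255.0.0/16 prefix is an assumption and is over-broad.
PAGE_INDICATORS = [ipaddress.ip_network(n) for n in
                   ("193.227.227.218/32", "85.255.0.0/16")]

# Constructed sample of English-language `ipconfig /all` output.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.2.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 193.227.227.218
                                       192.168.2.1
                                       fec0:0:0:ffff::1%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

DNS_LINE = re.compile(r"\s*DNS Servers[ .]*:\s*(\S+)", re.I)
CONT_LINE = re.compile(r"\s+([0-9A-Fa-f:.%]+)\s*$")  # bare address, no label

def dns_servers(text):
    """Collect every address under 'DNS Servers', continuation lines included."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = DNS_LINE.match(line) or (in_dns and CONT_LINE.match(line))
        in_dns = bool(m)
        if m:
            servers.append(m.group(1))
    return servers

def classify(addr):
    """Return 'listed', 'not-listed', 'ipv6-unchecked' or 'unparsed'."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return "unparsed"
    if ip.version == 6:
        return "ipv6-unchecked"  # the page's manual check covers IPv4 only
    return "listed" if any(ip in n for n in PAGE_INDICATORS) else "not-listed"

def check(text):
    """Map each configured DNS server to its classification."""
    return {addr: classify(addr) for addr in dns_servers(text)}

if __name__ == "__main__":
    print(check(SAMPLE_IPCONFIG))
```

A `not-listed` result only means the address is absent from this page's short list; it should still be entered into the FBI checker from the last step.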
If You Have DNSChanger In Your System
That's all :)