
Koobface Infecting Computers Now Modifies DNS Registry

Researchers at Trend Micro have issued an alert that TROJ_DNSCHANG.UB, a Koobface virus that infects Facebook users, could now alter the Domain Name Server (DNS) settings in the registry of affected computers. These DNS settings are the mechanism by which a PC determines the location of particular websites.

The TROJ_DNSCHANG.UB malware relies on an ordinary propagation technique in which members of social-networking websites receive a message, apparently from a friend, with a video link to an unfamiliar site. When end-users try to play the movie, a prompt pops up asking them to update Flash Player. No update is actually delivered; instead, the Koobface virus is planted on the PC.

Subsequently, the Koobface virus downloads a file (dns.exe) that is chiefly designed to change the DNS registry of the system.

This is achieved by inserting 213.174.139.72, the Internet Protocol address of the malicious DNS server, into the DhcpNameServer and NameServer values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Device ID} registry key.

Once the DNS modification is complete, the domain name of a website is resolved via a query to the malicious DNS server, which returns a corrupt IP that characteristically diverts the unwary user to a phishing site.

The researchers stated that DNS uses IP addresses, rather than alphabetical URLs, to locate websites. If modifications are made to the DNS registry settings, end-users could be redirected to the wrong website.
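The registry values named above can be audited directly. The following PowerShell script is an added example, not part of the Trend Micro alert or the original article: it reads NameServer and DhcpNameServer from every interface subkey and flags any resolver that is known bad or not on an expected list. The function names, the `$Expected` resolver (a documentation-range placeholder) and the sample records are assumptions constructed for illustration; only 213.174.139.72 and the registry path come from the article.

```powershell
# Added example: audit per-interface DNS settings for unexpected resolvers.
$KnownBad = @('213.174.139.72')   # malicious DNS server named in the article
$Expected = @('192.0.2.53')       # assumption: replace with your organisation's resolvers
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-InterfaceDnsRecord {
    # Emit one record per interface and per value (NameServer, DhcpNameServer).
    Get-ChildItem -Path $Base | ForEach-Object {
        $key = $_
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            [pscustomobject]@{
                Interface = $key.PSChildName
                Value     = $name
                Data      = [string]$props.$name   # empty string when the value is absent
            }
        }
    }
}

function Test-DnsRecord {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # Each value can hold several servers, separated by commas or spaces.
        foreach ($ip in ($Record.Data -split '[,\s]+' | Where-Object { $_ })) {
            $status = if ($KnownBad -contains $ip) { 'KNOWN-BAD' } elseif ($Expected -contains $ip) { 'ok' } else { 'UNEXPECTED' }
            [pscustomobject]@{
                Interface = $Record.Interface
                Value     = $Record.Value
                Server    = $ip
                Status    = $status
            }
        }
    }
}

# Constructed sample records, so the classification can be tried without reading a registry.
$sample = @(
    [pscustomobject]@{ Interface = '{SAMPLE-1}'; Value = 'DhcpNameServer'; Data = '192.0.2.53 213.174.139.72' }
    [pscustomobject]@{ Interface = '{SAMPLE-2}'; Value = 'NameServer'; Data = '198.51.100.7,192.0.2.53' }
)
$sample | Test-DnsRecord | Format-Table -AutoSize

# On a live Windows host, list only the entries that need attention:
# Get-InterfaceDnsRecord | Test-DnsRecord | Where-Object Status -ne 'ok'
```

An 'UNEXPECTED' result is not proof of infection, since home routers and VPN clients also set these values; it marks an entry to compare against the network's intended resolvers.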

However, the corrupt IP address to which the Koobface virus connected is presently inactive, reports Trend Micro. Nevertheless, Ryan Flores (Trend Micro researcher) warns that since the malicious DNS IP hosted malicious pages and malware, it is possible that whenever it becomes active again, nothing good will come of it.

The experts suggested that anyone who suspects a Koobface infection should boot the computer into safe mode and then run a complete scan using an up-to-date AV.

Furthermore, security company Kaspersky reported in June 2009 that it had detected a fresh Koobface variant, which the firm counted as the 25 millionth malware in its anti-virus records.

Related article: Koobface Worm Still Active on Facebook Through Hacked Accounts

» SPAMfighter News - 16-07-2009
