BitDefender Spots Malware Disrupting Computers’ DNS Configurations
According to researchers at the security company BitDefender, cyber-criminals in their latest attempt to infect people's computers with malicious software have begun manipulating the local Domain Name System (DNS) configuration of those systems.
The malicious software, detected as Worm.Ropian.E, takes over the DNS and Dynamic Host Configuration Protocol (DHCP) servers as soon as it infects a computer. Since these services are essential for managing network connections, Ropian can make sure that the attacked PC is redirected to a single destination, regardless of the web address typed into the browser.
BitDefender explains that the destination to which the user is redirected is an error page warning that the browser is no longer supported and should therefore be upgraded to newer software.
Unsurprisingly, a user may be convinced by such a message and go on to choose the "Web-browser Update" option, since every request made leads to the same destination website.
But choosing the update option infects the system with further malware and turns it into a DHCP server offering hostile services to the whole PC network. To make the worm's activity look even more convincing, it downloads a file named upbrowsers[date].exe, whose name carries the current date.
Also, once a system is infected, Ropian brings its accomplices into the attack, disguised as the notorious TDSS rootkit.
There are also secondary mechanisms by which the worm spreads, such as "jumping" across network shares and abusing certain old, critical security flaws such as the .LNK vulnerability (MS10-046) or MS07-029 in the Windows RPC interface, in order to download and run still more malicious programs on the infected computers.
Hence BitDefender's researchers advise that if an end user finds his computer behaving in the manner described above, he must not take the "browser Update" option at all, but rather have the network administrator locate the source of the malicious DHCP server so that the affected PC can be quarantined.
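The two symptoms described above, a DHCP server that should not exist on the network and DNS settings that send every hostname to one address, can both be checked from ordinary network logs. The following script is an added example written for this article, not a tool from BitDefender or part of the report: it parses a constructed set of DHCP-offer log lines (the log format, IP addresses and MAC addresses are all assumptions), flags any DHCP server not on the administrator's allowlist together with the clients it has answered, flags offers that hand out an unapproved DNS server, and applies the "everything resolves to the same destination" heuristic to a set of name lookups.

```python
"""Added example for the Ropian article: spot a rogue DHCP server and hijacked DNS
settings from constructed log data. Log format, addresses and allowlists are assumptions."""
import re

# Constructed DHCP-offer log lines (made-up format and addresses). The third and
# fourth lines model a second, unauthorized server answering client requests.
SAMPLE_OFFERS = """\
2011-10-03T09:12:01 DHCPOFFER server=192.168.1.1 mac=00:11:22:33:44:55 client=192.168.1.50 dns=192.168.1.1
2011-10-03T09:12:04 DHCPOFFER server=192.168.1.1 mac=00:11:22:33:44:55 client=192.168.1.51 dns=192.168.1.1
2011-10-03T09:12:05 DHCPOFFER server=192.168.1.77 mac=aa:bb:cc:dd:ee:ff client=192.168.1.51 dns=192.168.1.77
2011-10-03T09:12:09 DHCPOFFER server=192.168.1.77 mac=aa:bb:cc:dd:ee:ff client=192.168.1.52 dns=192.168.1.77,192.168.1.77
"""

# Assumed allowlists: the administrator knows which servers are legitimate.
AUTHORIZED_DHCP_SERVERS = {"192.168.1.1"}
AUTHORIZED_DNS_SERVERS = {"192.168.1.1", "192.168.1.2"}

OFFER_RE = re.compile(
    r"(?P<ts>\S+) DHCPOFFER server=(?P<server>\S+) mac=(?P<mac>\S+) "
    r"client=(?P<client>\S+) dns=(?P<dns>\S+)"
)


def parse_offers(text):
    """Parse the constructed log format into dicts; the dns field becomes a list."""
    offers = []
    for line in text.splitlines():
        m = OFFER_RE.match(line)
        if m:
            d = m.groupdict()
            d["dns"] = d["dns"].split(",")
            offers.append(d)
    return offers


def find_rogue_servers(offers, authorized=AUTHORIZED_DHCP_SERVERS):
    """Map each DHCP server not on the allowlist to its MAC and the clients it answered.

    The MAC address is what the administrator needs to trace the rogue server to a
    switch port and quarantine the infected host."""
    rogue = {}
    for o in offers:
        if o["server"] not in authorized:
            entry = rogue.setdefault(o["server"], {"mac": o["mac"], "clients": set()})
            entry["clients"].add(o["client"])
    return rogue


def find_hijacked_dns(offers, authorized=AUTHORIZED_DNS_SERVERS):
    """Map each client that was offered an unapproved DNS server to those servers."""
    hijacked = {}
    for o in offers:
        bad = [d for d in o["dns"] if d not in authorized]
        if bad:
            hijacked[o["client"]] = sorted(set(bad))
    return hijacked


def resolves_to_single_destination(resolutions):
    """Return the shared address if several distinct names all resolve to one address,
    which is the redirect symptom described in the article, else None."""
    targets = set(resolutions.values())
    if len(resolutions) > 1 and len(targets) == 1:
        return targets.pop()
    return None


if __name__ == "__main__":
    offers = parse_offers(SAMPLE_OFFERS)
    for server, info in find_rogue_servers(offers).items():
        print(f"rogue DHCP server {server} ({info['mac']}) answered {sorted(info['clients'])}")
    for client, servers in find_hijacked_dns(offers).items():
        print(f"client {client} was handed unapproved DNS server(s) {servers}")
    # Constructed lookups from an affected host: every name goes to the same address.
    lookups = {"example.com": "10.0.0.9", "example.net": "10.0.0.9", "example.org": "10.0.0.9"}
    print("all names resolve to", resolves_to_single_destination(lookups))
```

On a real network the offer records would come from a DHCP server log, a packet capture of DHCP traffic, or switch-level DHCP snooping, and the same comparison against the allowlist applies; the MAC address of the unauthorized server is the piece of information that lets the administrator find the port and the machine to quarantine.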
Additionally, he must download and run the TDL4/TDSS rootkit removal tool, and then deploy security software to scan for, detect and remove any other malicious programs that may have been installed on his system.
SPAMfighter News - 03-10-2011