MovieCommander Redirects DNS to Malicious Sites
One of the latest viruses is spreading over the Internet, trying to infect computer systems and redirect their Domain Name System (DNS) lookups to malicious sites.
A well-intentioned person would not try to plant a 'DNS switching utility' on users to improve their 'response time' by diverting them to OpenDNS. Criminals, however, attempt to have their victims' website requests passed to sites under their control, on which they have loaded malware. Securitypronews published this on April 2, 2007.
The DNS virus spreads through an enticing message, McAfee's Avert Labs Blog explained. A Trojan called 'MovieCommander' was found on the Internet. When users see this title on their computers and read the End User License Agreement (EULA) description, many may think it is a genuine application created to facilitate access to various video files, wrote researcher Bhaskar Krishna on the blog. Securitypronews published it on April 2, 2007.
On Microsoft Windows, the message appears under the title 'MovieCommander Setup License Agreement' and asks the user to go through the terms of the license before downloading MovieCommander. The rest of the agreement describes the software, saying it provides access to many video files on the licensor's sites. It further states that the software is not a media player, add-on or plug-in, and that it does not implement any compressor, de-compressor or additional video application.
The message then lists some restrictions.
DNS management is little understood, even though DNS is the most popular networking technology for businesses. Websense recently explained that as soon as a Trojan gets into a computer, the machine is compromised by the fraudster.
Krishna wrote that when MovieCommander executes, the Trojan alters the machine's DNS server address so that lookups go to a DNS server of its choosing. It also drops a rootkit.
A similar earlier DNS exploit displayed advertisements in place of the normal ones when the user was working with a search engine.
The DNS redirection often leads the user to a hoax financial site, where the fraudster steals the login details and forwards them to scammers. All of this happens without the user being able to notice anything.
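A defensive check for the DNS change described above, as an added example that is not from the article or from McAfee: it parses `ipconfig /all` output and reports any configured DNS server outside an expected set. The sample output, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not taken from the article).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1

Ethernet adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Assumption: the resolvers this network is supposed to hand out.
EXPECTED_RESOLVERS = {"192.168.1.1"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token.split("%")[0])  # drop IPv6 zone id
        return True
    except ValueError:
        return False

def dns_servers_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip()[:-1], False
            adapters[current] = []
            continue
        first = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        more = re.fullmatch(r"\s+(\S+)\s*", line)
        if first and current is not None:
            adapters[current].append(first.group(1))
            in_dns = True
        elif in_dns and more and _is_ip(more.group(1)):
            adapters[current].append(more.group(1))  # continuation line
        elif line.strip():
            in_dns = False  # any other field ends the DNS list
    return adapters

def unexpected_resolvers(text, expected):
    """Return (adapter, server) pairs whose server is not in `expected`."""
    return [(name, srv) for name, servers in dns_servers_by_adapter(text).items()
            for srv in servers if srv not in expected]
```

Because the Trojan also drops a rootkit, output collected on the infected machine itself may be unreliable; comparing it with what the DHCP server actually hands out gives an independent reference.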
» SPAMfighter News - 10-04-2007