New Trojan Circulates, Changing DNS Settings of Networked Computers

Researchers at McAfee security firm have spotted a new Trojan virus that is capable of corrupting various devices connected to an area network by directing them to fake websites irrespective of whether they are wholly patched systems or do not run Windows operating systems.

The Trojan, a fresh version of the DNSChanger, usually arrives as a fake browser plug-in or codec that a computer user is prompted to install if he/she wants to watch videos on the Web. As is evident from the name, the malware changes the DNS (Domain Name System) server configurations on corrupt systems, effectively directing the victim's online activities like web searches through servers under the attackers' command.

According to Security Researcher at McAfee, Craig Schmugar, even if the malware does not infect a system, the system could still be interacting with the deceitful DNS servers through payload on it. This is obtained even without abusing any vulnerability, says the security researcher, as reported by The Register on December 5, 2008.

Moreover, Schmugar stated that the DHCP (Dynamic Host Configuration Protocol) attack never exploits security flaws either in a user's computer or inside the network hardware, permitting it to do its activities with various enterprise and home routers. According to Schmugar, the attack involves a 'ndisprot.sys' driver that is loaded on the computer following the machine's infection. Once loaded, it keeps a watch over the network traffic to find DHCP requests to subsequently reply with phony offers that include the IP address of the corrupt DNS server.

The security researchers also said that this malware is difficult to spot. The only method by which a user could know about the attack is by manually checking the computer's DNS server (such as by typing 'ipconfig/all' following a Windows command prompt). Besides, there are a number of measures to counter the attack, the simplest being to hard-core a DNS server within a system's configurations.

The security researchers also stated that they already observed DNSChanger Trojan to exploit router flaws to modify the DNS settings, but the capability of poisoning other computers' DHCP connections is apparently for the first time, making the Trojan worth watching. The new variant has not circulated much, but the prospects of spreading Trojan are very high.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 12/18/2008