Christoph Alme is the Principal Engineer and Team Lead of anti-malware research at Secure Computing Corporation. He is the inventor of several patent-pending key technologies in the field of proactive malware detection. In this interview he discusses a new variant of the DNSChanger Trojan.
What are the characteristics of the recently discovered new variant of the DNSChanger Trojan?
The new DNSChanger Trojan now conducts brute-force attacks against the administration web interface of popular routers. The malware performs a "dictionary attack" based on a list of hardcoded credentials, consisting of the web interface URLs of popular routers (such as those from D-Link, Linksys and other vendors) and their default user names and passwords. This poses a great security risk for users who do not change their router's factory default settings. The Trojan tries roughly one combination every 100 milliseconds, which makes 600 combinations per minute.
Once DNSChanger has successfully brute-force cracked the credentials, it has access to all the settings and functions provided by the router. It will change its DNS server settings in order to send all DNS queries to the attackers' DNS servers located in the Ukraine. From there, they can then flexibly redirect all your Internet traffic in whatever way they want.
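The guessing behaviour described above leaves a very recognisable trace in the router's own HTTP access log: a burst of rejected logins from one LAN address at roughly ten per second, followed by a successful login from the same address once a factory-default password matches. The script below, an added illustration that is not code from Secure Computing or from the interview, parses a constructed access-log format (timestamp, client IP, method, path, status; real routers log differently, so `parse_line()` is the part to adapt) and flags any client that accumulates more than a threshold of failed admin-page logins inside a sliding window, reporting its observed rate and whether a successful login followed the burst. The admin paths in `ADMIN_PATHS` and the sample log lines are assumptions made for the example.

```python
"""Flag credential guessing against a router admin web interface from
the router's HTTP access log (constructed format, see LINE_RE)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log line format: "<ISO timestamp> <client ip> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Paths assumed to front the admin login on consumer routers (example values).
ADMIN_PATHS = ("/login", "/cgi-bin/login", "/index.asp", "/login.cgi")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_admin_path(ev):
    return ev["path"].startswith(ADMIN_PATHS)


def find_bruteforce_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Return {ip: {"max_in_window", "rate_per_s", "later_success"}} for every
    client with at least `threshold` rejected admin logins (HTTP 401/403)
    inside any `window`. At the ~10 guesses/s the interview describes, the
    malware trips this in two seconds; a human mistyping a password does not."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if not ev or not is_admin_path(ev):
            continue
        if ev["status"] in (401, 403):
            failures[ev["ip"]].append(ev["ts"])
        elif ev["status"] == 200:
            successes[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            span = (stamps[-1] - stamps[0]).total_seconds() or 1.0
            flagged[ip] = {
                "max_in_window": best,
                "rate_per_s": round(len(stamps) / span, 1),
                # A 200 on the login path after the burst began means a
                # default credential matched: treat the router as compromised.
                "later_success": any(t >= stamps[0] for t in successes.get(ip, [])),
            }
    return flagged


def constructed_log():
    """Constructed sample: one LAN host guessing at ~10 attempts/s and then
    succeeding, plus a user who mistypes twice and logs in normally."""
    base = datetime(2013, 5, 21, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(milliseconds=100 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} 192.168.1.23 POST /login 401")
    ts = (base + timedelta(milliseconds=3000)).isoformat(timespec="milliseconds")
    lines.append(f"{ts} 192.168.1.23 POST /login 200")
    for i, status in enumerate((401, 401, 200)):
        ts = (base + timedelta(seconds=60 + 15 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} 192.168.1.50 POST /login {status}")
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(constructed_log()).items():
        print(ip, info)
```

On the constructed log the guessing host is reported with 30 failures in the window at about 10.3 attempts per second and `later_success` set, while the user who mistyped twice is not reported. A router that does not expose its access log can still be watched the same way from a LAN sensor, since the login attempts are plain HTTP requests to the router's LAN address.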
What makes this Trojan stand out from the vast number of other malware discovered daily?
It's the first major malware family seen in the wild that also attacks networking hardware. "Major" malware family, because it is quite prevalent and we believe DNSChanger to be related to the Zlob malware family, one of the most prevalent families out there today. Zlob is well known for its infamous "missing codec" trick: it advertises adult content to visitors, but in order to view the videos, you're told you need to install a missing video codec first. The executable that you get to install is anything but a video codec.
In contrast to previous variants, this latest DNSChanger not only affects the infected PC itself, but also tries to alter the DNS settings on the router. Once this is successful, all traffic going through this router can be redirected by the attackers. That is, other PCs that have not been infected by the malware directly, but go through the same (compromised) router, will also be affected. In turn, cleaning the infected PC is not enough to get rid of the pest: victims will need to reset the DNS settings in their router, too.
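The clean-up point above (a disinfected PC stays redirected as long as the router forwards to the attackers' servers) is easy to get wrong during incident response, because a machine whose own resolver setting simply says "use the router" looks healthy on inspection. The script below is an added illustration, not code from Secure Computing or from the interview: given the DNS servers read from the router's admin page and each host's resolver configuration in resolv.conf style, it separates hosts whose own settings were altered (clean the host and fix its resolver) from hosts that are affected only through the router (reset the router's DNS), against a list of resolvers the network is expected to use. The router settings, host entries and the `TRUSTED_RESOLVERS` placeholder addresses are constructed for the example; the ISP's real resolvers belong in that set.

```python
"""Classify which machines behind a router are affected by altered DNS
settings, and whether the fix is on the host, the router, or both."""
import ipaddress

# Resolvers this network is expected to use (constructed placeholder values).
TRUSTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text,
    skipping anything that is not a valid IP address."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ipaddress.ip_address(parts[1])
            except ValueError:
                continue
            servers.append(parts[1])
    return servers


def is_trusted(addr, router_lan_ip):
    """A host resolver is acceptable if it is on the trusted list or is the
    router itself; the router's own upstream servers are checked separately."""
    return addr in TRUSTED_RESOLVERS or addr == router_lan_ip


def assess(router, hosts):
    """router: {"lan_ip": str, "dns": [str, ...]} as read from the admin UI.
    hosts:  {hostname: resolv.conf text}.
    Returns (router_hijacked, {hostname: verdict})."""
    router_hijacked = any(d not in TRUSTED_RESOLVERS for d in router["dns"])
    verdicts = {}
    for name, text in hosts.items():
        servers = parse_resolv_conf(text)
        own_rogue = [s for s in servers if not is_trusted(s, router["lan_ip"])]
        uses_router = router["lan_ip"] in servers
        if own_rogue:
            # The host's own settings point at unexpected servers: the host
            # itself was modified, so it must be cleaned and reconfigured.
            verdicts[name] = "host settings altered: clean host, fix resolver"
        elif uses_router and router_hijacked:
            # Nothing wrong on the host, yet every lookup is forwarded by the
            # compromised router: the case the interview warns about.
            verdicts[name] = "affected via router: reset router DNS"
        else:
            verdicts[name] = "ok"
    return router_hijacked, verdicts


def remediation_plan(router, hosts):
    """Ordered list of actions; the router comes first because cleaning
    hosts while the router still forwards to rogue servers changes nothing."""
    hijacked, verdicts = assess(router, hosts)
    steps = []
    if hijacked:
        steps.append("router: restore DNS to trusted resolvers")
        steps.append("router: replace factory-default admin credentials")
    for name, verdict in verdicts.items():
        if verdict.startswith("host settings altered"):
            steps.append(f"{name}: disinfect and restore resolver settings")
    return steps


# Constructed scenario: router upstreams replaced, one host modified directly,
# one host relying on the router, one host with a hard-coded trusted resolver.
ROUTER = {"lan_ip": "192.168.1.1", "dns": ["198.51.100.7", "198.51.100.8"]}
HOSTS = {
    "infected-pc": "nameserver 198.51.100.7\nnameserver 198.51.100.8\n",
    "laptop": "search lan\nnameserver 192.168.1.1\n",
    "nas": "nameserver 203.0.113.53\n",
}

if __name__ == "__main__":
    hijacked, verdicts = assess(ROUTER, HOSTS)
    print("router hijacked:", hijacked)
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    for step in remediation_plan(ROUTER, HOSTS):
        print("-", step)
```

In the constructed scenario the laptop reports "affected via router" even though its own configuration is untouched, which is exactly why cleaning only the PC that carried the Trojan leaves the rest of the LAN redirected.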