What are the characteristics of the recently discovered new variant of the DNSChanger Trojan?
The new DNSChanger trojan now conducts brute-force attacks against the administration web interface of popular routers. The malware performs a "dictionary attack" based on a list of hardcoded credentials, consisting of the web interface URLs of popular routers (such as those from D-Link, Linksys and other vendors) and their default user names and passwords. This poses a great security risk for those users who do not change their router's factory default settings. The Trojan tries one combination per approximately 100 milliseconds, which makes 600 combinations per minute.
Once DNSChanger has successfully brute-force cracked the credentials, it has access to all the settings and functions provided by the router. It will change its DNS server settings in order to send all DNS queries to the attackers' DNS servers located in the Ukraine. From there, they can then flexibly redirect all your Internet traffic in whatever way they want.
What makes this Trojan stand out from the vast number of other malware discovered daily?
It's the first major malware family seen in the wild that also attacks networking hardware. "Major" malware family, because it is quite prevalent and we believe DNSChanger to be related to the Zlob malware family, one of the most prevalent families out there today. Zlob is well known for its infamous "missing codec" trick: its operators advertise adult content to visitors, but in order to view the videos, you're told you need to install a missing video codec first. The executable that you are given to install is anything but a video codec.
In contrast to previous variants, this latest DNSChanger not only affects the infected PC itself, but also tries to alter the DNS settings on the router. Once this is successful, all traffic going through this router can be redirected by the attackers. That is, other PCs that have not been infected by the malware directly, but go through the same (compromised) router, will also become affected. In turn, cleaning the infected PC is not enough to get rid of the pest: victims will need to reset the DNS settings in their router, too.
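As an added illustration of the defender's side of this behaviour (example code written for this page, not from the interview or from the malware's authors), the following Python script reads access-log lines from a router's administration web interface and raises an alert when one client produces a burst of failed logins, and again if that same client then successfully writes the DNS settings. The Common Log Format, the paths /login.cgi and /dns.cgi, and the sample lines are all assumptions; real routers log differently per vendor.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed (hypothetical) admin-interface paths; real routers differ per vendor.
LOGIN_PATH = "/login.cgi"
DNS_SETTINGS_PATHS = {"/dns.cgi", "/wan_dns.cgi"}

# Common Log Format: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (timestamp, ip, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["method"], m["path"], int(m["status"])

def detect(lines, threshold=10, window_s=5):
    """Flag clients with >= threshold failed logins within window_s seconds, plus any
    later successful DNS-settings write by such a client. Lines must be in time order."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent 401s
    flagged, alerts = set(), []
    for event in filter(None, map(parse_line, lines)):
        ts, ip, method, path, status = event
        if path == LOGIN_PATH and status == 401:
            q = recent_failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # slide the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("login_bruteforce", ip, ts.isoformat()))
        elif ip in flagged and method == "POST" and path in DNS_SETTINGS_PATHS and status == 200:
            alerts.append(("dns_change_after_bruteforce", ip, ts.isoformat(), path))
    return alerts

# Constructed sample log (not real data): 12 rapid failed logins from one client, then a
# successful login and a DNS-settings write; a second client with one typo is benign.
_T = "10/Dec/2008:09:15:%02d +0000"
SAMPLE_LOG = [
    '192.168.1.23 - - [%s] "POST /login.cgi HTTP/1.1" 401 0' % (_T % (1 + i // 6))
    for i in range(12)
] + [
    '192.168.1.23 - - [%s] "POST /login.cgi HTTP/1.1" 200 512' % (_T % 3),
    '192.168.1.23 - - [%s] "POST /dns.cgi HTTP/1.1" 200 220' % (_T % 4),
    '192.168.1.50 - - [%s] "POST /login.cgi HTTP/1.1" 401 0' % (_T % 9),
    '192.168.1.50 - - [%s] "GET /status.cgi HTTP/1.1" 200 1024' % (_T % 12),
]
```

Calling detect(SAMPLE_LOG) yields two alerts for 192.168.1.23 and none for the benign client; threshold and window_s are the only knobs to tune against a router's real log volume.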