TDSS rootkit, the hard-to-remove malware behind numerous sophisticated attacks, appears to have helped spread the DNSchanger Trojan.
The infamous TDSS rootkit is known for
its versatility, as it has been put to work in drive-by downloads and a wide
range of malware-based targeted attacks. Now it appears to have been the
delivery mechanism for the DNSchanger Trojan, according to Dell Secureworks.
Researchers at Dell Secureworks Counter
Threat Unit said Nov. 11 that they have seen the TDSS downloading and
installing the Trojan onto compromised systems. There have been between 600,000
and 1 million unique IP addresses infected with the DNSchanger Trojan in recent
weeks, the researchers said.
DNSchanger's main function is to change
the Domain Name System (DNS) settings on the victim's machine and hijack the
user's online surfing experiencing by directing Web traffic to sites under the
DNS servers act as a phone directory on
the Web, translating domain names into the actual IP addresses of the servers
so that users don't have to remember numeric codes. By changing the DNS
configuration, the user may be typing in a domain name, such as Netflix, and be
diverted to a malicious site instead.
"One of the key worries with being
infected with the DNS Changer malware is that it is often an indicator that
your system is infected with a larger malware cocktail," Dell Secureworks
researchers wrote. The cocktail may include other malware types, such as a
rogue antivirus, Zeus banking Trojan or spam bot.
If the system has DNSchanger, the odds
are likely that there are multiple pieces of malware, some with rootkit
capabilities and the ability to modify the Master Boot Record. This makes it a
challenge to remove DNSchanger and associated malware, according to Dell
Secureworks researchers. If DNSchanger was downloaded by the TDSS rootkit
already on the system, cleaning up the system becomes "extremely
difficult," they wrote.
Removing the malware itself is not
difficult, Paul Ferguson, senior threat researcher at Trend Micro, told eWEEK
. The challenge in remediation lies
in identifying all the victims and making sure the malware doesn't get
re-downloaded by the other hard-to-detect malicious pieces of software lurking
in the system, he said. Internet service providers will be identifying victims
over the next four months and cleaning up the system, according to Ferguson.
Attackers can use DNSchanger to control
traffic as part of a pay-per-click ad fraud scheme, to launch man-in-the-middle
attacks and to install additional malware, according to Dell Secureworks.
"Controlling DNS gives an attacker complete access to a system," the
Last week, the FBI
busted a cyber-ring that allegedly used
DNSchanger as part of a massive pay-per-click ad fraud scheme that netted at
least $14 million over the past five years and infected about 4 million
computers. Six Estonians were arrested, while a seventh, a Russian national,
remains at large. The arrested suspects are awaiting extradition to the United
States for trial.
The campaign was "noteworthy"
because the gang had to maintain a set of rogue DNS servers to control the
infected machines, Mike Paquette, chief strategy officer of Corero Network
Security, told eWEEK
Organizations should protect users by
encouraging them to practice safe security hygiene, such as not installing
software from unknown sites, not clicking on links in email messages and being
careful when surfing online. Most major antivirus tools can detect and remove
DNSchanger, so it is important to have an up-to-date scanner installed,
according to Paquette.
The TDSS rootkit was not the only way
DNSchanger spread. An earlier version was downloaded by users themselves as
part of a social engineering attack where a site promised to show a video if
the user installed proper codec files, according to Trend Micro's Ferguson.
However, ISPs should be a
"safety-net" to catch users once they fall prey to cyber-criminals,
Quentin Jenkins, an analyst at Spamhaus
wrote in a Nov. 15 blog post. The Spamhaus Project is an international
organization that tracks email spammers and malicious activity and compiles
Spamhaus moved all IP address ranges
controlled by the DNSchanger gang into its Don't Route Or Peer List (DROP)
several years ago when the campaign was first discovered, according to Jenkins.
The DROP list is a comprehensive list of all the servers controlled by
cyber-criminals, Jenkins said, noting it can be used by anyone to protect
networks and users.
ISPs can either block DNS access to
those "rogue areas" or log all attempts by individual systems to
reach them. The resulting report can be used by the ISP to contact users and
inform them they appear to be infected with malware, he said.