Researchers Discover Link Between TDSS Rootkit and DNSchanger Trojan

TDSS rootkit, the hard-to-remove malware behind numerous sophisticated attacks, appears to have helped spread the DNSchanger Trojan.

The infamous TDSS rootkit is known for its versatility, as it has been put to work in drive-by downloads and a wide range of malware-based targeted attacks. Now it appears to have been the delivery mechanism for the DNSchanger Trojan, according to Dell Secureworks.

Researchers at Dell Secureworks Counter Threat Unit said Nov. 11 that they have seen the TDSS downloading and installing the Trojan onto compromised systems. There have been between 600,000 and 1 million unique IP addresses infected with the DNSchanger Trojan in recent weeks, the researchers said.

DNSchanger's main function is to change the Domain Name System (DNS) settings on the victim's machine and hijack the user's online surfing experiencing by directing Web traffic to sites under the attacker's control.

DNS servers act as a phone directory on the Web, translating domain names into the actual IP addresses of the servers so that users don't have to remember numeric codes. By changing the DNS configuration, the user may be typing in a domain name, such as Netflix, and be diverted to a malicious site instead.

"One of the key worries with being infected with the DNS Changer malware is that it is often an indicator that your system is infected with a larger malware cocktail," Dell Secureworks researchers wrote. The cocktail may include other malware types, such as a rogue antivirus, Zeus banking Trojan or spam bot.

If the system has DNSchanger, the odds are likely that there are multiple pieces of malware, some with rootkit capabilities and the ability to modify the Master Boot Record. This makes it a challenge to remove DNSchanger and associated malware, according to Dell Secureworks researchers. If DNSchanger was downloaded by the TDSS rootkit already on the system, cleaning up the system becomes "extremely difficult," they wrote.

Removing the malware itself is not difficult, Paul Ferguson, senior threat researcher at Trend Micro, told eWEEK. The challenge in remediation lies in identifying all the victims and making sure the malware doesn't get re-downloaded by the other hard-to-detect malicious pieces of software lurking in the system, he said. Internet service providers will be identifying victims over the next four months and cleaning up the system, according to Ferguson.

Attackers can use DNSchanger to control traffic as part of a pay-per-click ad fraud scheme, to launch man-in-the-middle attacks and to install additional malware, according to Dell Secureworks. "Controlling DNS gives an attacker complete access to a system," the researchers said.

Last week, the FBI busted a cyber-ring that allegedly used DNSchanger as part of a massive pay-per-click ad fraud scheme that netted at least $14 million over the past five years and infected about 4 million computers. Six Estonians were arrested, while a seventh, a Russian national, remains at large. The arrested suspects are awaiting extradition to the United States for trial.

The campaign was "noteworthy" because the gang had to maintain a set of rogue DNS servers to control the infected machines, Mike Paquette, chief strategy officer of Corero Network Security, told eWEEK.

Organizations should protect users by encouraging them to practice safe security hygiene, such as not installing software from unknown sites, not clicking on links in email messages and being careful when surfing online. Most major antivirus tools can detect and remove DNSchanger, so it is important to have an up-to-date scanner installed, according to Paquette.

The TDSS rootkit was not the only way DNSchanger spread. An earlier version was downloaded by users themselves as part of a social engineering attack where a site promised to show a video if the user installed proper codec files, according to Trend Micro's Ferguson.

However, ISPs should be a "safety-net" to catch users once they fall prey to cyber-criminals, Quentin Jenkins, an analyst at Spamhaus, wrote in a Nov. 15 blog post. The Spamhaus Project is an international organization that tracks email spammers and malicious activity and compiles several blacklists.

Spamhaus moved all IP address ranges controlled by the DNSchanger gang into its Don't Route Or Peer List (DROP) several years ago when the campaign was first discovered, according to Jenkins. The DROP list is a comprehensive list of all the servers controlled by cyber-criminals, Jenkins said, noting it can be used by anyone to protect networks and users.

ISPs can either block DNS access to those "rogue areas" or log all attempts by individual systems to reach them. The resulting report can be used by the ISP to contact users and inform them they appear to be infected with malware, he said.