Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • Networking

    Researchers Discover Link Between TDSS Rootkit and DNSchanger Trojan

    By
    Fahmida Y. Rashid
    -
    November 15, 2011
    Share
    Facebook
    Twitter
    Linkedin

      The infamous TDSS rootkit is known for its versatility, as it has been put to work in drive-by downloads and a wide range of malware-based targeted attacks. Now it appears to have been the delivery mechanism for the DNSchanger Trojan, according to Dell Secureworks.

      Researchers at Dell Secureworks Counter Threat Unit said Nov. 11 that they have seen the TDSS downloading and installing the Trojan onto compromised systems. There have been between 600,000 and 1 million unique IP addresses infected with the DNSchanger Trojan in recent weeks, the researchers said.

      DNSchanger’s main function is to change the Domain Name System (DNS) settings on the victim’s machine and hijack the user’s online surfing experiencing by directing Web traffic to sites under the attacker’s control.

      DNS servers act as a phone directory on the Web, translating domain names into the actual IP addresses of the servers so that users don’t have to remember numeric codes. By changing the DNS configuration, the user may be typing in a domain name, such as Netflix, and be diverted to a malicious site instead.

      “One of the key worries with being infected with the DNS Changer malware is that it is often an indicator that your system is infected with a larger malware cocktail,” Dell Secureworks researchers wrote. The cocktail may include other malware types, such as a rogue antivirus, Zeus banking Trojan or spam bot.

      If the system has DNSchanger, the odds are likely that there are multiple pieces of malware, some with rootkit capabilities and the ability to modify the Master Boot Record. This makes it a challenge to remove DNSchanger and associated malware, according to Dell Secureworks researchers. If DNSchanger was downloaded by the TDSS rootkit already on the system, cleaning up the system becomes “extremely difficult,” they wrote.

      Removing the malware itself is not difficult, Paul Ferguson, senior threat researcher at Trend Micro, told eWEEK. The challenge in remediation lies in identifying all the victims and making sure the malware doesn’t get re-downloaded by the other hard-to-detect malicious pieces of software lurking in the system, he said. Internet service providers will be identifying victims over the next four months and cleaning up the system, according to Ferguson.

      Attackers can use DNSchanger to control traffic as part of a pay-per-click ad fraud scheme, to launch man-in-the-middle attacks and to install additional malware, according to Dell Secureworks. “Controlling DNS gives an attacker complete access to a system,” the researchers said.

      Last week, the FBI busted a cyber-ring that allegedly used DNSchanger as part of a massive pay-per-click ad fraud scheme that netted at least $14 million over the past five years and infected about 4 million computers. Six Estonians were arrested, while a seventh, a Russian national, remains at large. The arrested suspects are awaiting extradition to the United States for trial.

      The campaign was “noteworthy” because the gang had to maintain a set of rogue DNS servers to control the infected machines, Mike Paquette, chief strategy officer of Corero Network Security, told eWEEK.

      Organizations should protect users by encouraging them to practice safe security hygiene, such as not installing software from unknown sites, not clicking on links in email messages and being careful when surfing online. Most major antivirus tools can detect and remove DNSchanger, so it is important to have an up-to-date scanner installed, according to Paquette.

      The TDSS rootkit was not the only way DNSchanger spread. An earlier version was downloaded by users themselves as part of a social engineering attack where a site promised to show a video if the user installed proper codec files, according to Trend Micro’s Ferguson.

      However, ISPs should be a “safety-net” to catch users once they fall prey to cyber-criminals, Quentin Jenkins, an analyst at Spamhaus, wrote in a Nov. 15 blog post. The Spamhaus Project is an international organization that tracks email spammers and malicious activity and compiles several blacklists.

      Spamhaus moved all IP address ranges controlled by the DNSchanger gang into its Don’t Route Or Peer List (DROP) several years ago when the campaign was first discovered, according to Jenkins. The DROP list is a comprehensive list of all the servers controlled by cyber-criminals, Jenkins said, noting it can be used by anyone to protect networks and users.

      ISPs can either block DNS access to those “rogue areas” or log all attempts by individual systems to reach them. The resulting report can be used by the ISP to contact users and inform them they appear to be infected with malware, he said.

      Avatar
      Fahmida Y. Rashid

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×