DNSChanger
Trojan for Microsoft Windows

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites by altering the DNS settings of a victim's computer. The malware strain was first discovered by the Microsoft Malware Protection Center on December 7, 2006[1] and later detected by McAfee Labs on April 19, 2009.[2]

Behaviour

DNS changer trojans are dropped onto infected systems by other malicious software, such as TDSS or Koobface. The trojan is a malicious Windows executable file that cannot spread to other computers on its own. Instead, it performs several actions on behalf of the attacker within the compromised computer, such as changing the DNS settings in order to divert traffic to unsolicited, and potentially illegal and/or malicious, domains.

The Win32.DNSChanger trojan is used by organized crime syndicates to maintain click fraud. The user's browsing activity is manipulated through various means of modification (such as altering the destination of a legitimate link so that the user is forwarded to another site), allowing the attackers to generate revenue from pay-per-click online advertising schemes. The trojan is commonly found as a small file (approximately 1.5 kilobytes) that is designed to change the NameServer registry key value to a custom IP address or domain that is stored encrypted in the body of the trojan itself. As a result of this change, the victim's device contacts the newly assigned DNS server to resolve names, and that server can answer with the addresses of malicious webservers.

Trend Micro described the following behaviors of Win32.DNSChanger:[3]

Steering unknowing users to malicious websites: These sites can be phishing pages that spoof well-known sites in order to trick users into handing out sensitive information. A user who wants to visit the iTunes site, for instance, is instead unknowingly redirected to a rogue site.
Replacing ads on legitimate sites: Visiting certain sites can serve users with infected systems a different set of ads from those whose systems are not infected.
Controlling and redirecting network traffic: Users of infected systems may be prevented from downloading important OS and software updates from vendors like Microsoft and from their respective security vendors.
Pushing additional malware: Infected systems are more prone to other malware infections (e.g., FAKEAV infection).

Alternative aliases

Win32:KdCrypt (Avast)
TR/Vundo.Gen (Avira)
MemScan:Trojan.DNSChanger (Bitdefender Labs)
Win.Trojan.DNSChanger (ClamAV)
variant of Win32/TrojanDownloader.Zlob (ESET)
Trojan.Win32.Monder (Kaspersky Labs)
Troj/DNSCha (Sophos)
Mal_Zlob (Trend Micro)
MalwareScope.Trojan.DnsChange (Vba32 AntiVirus)

Other variants

Trojan.Win32.DNSChanger.al

F-Secure, a cybersecurity company, received samples of a variant that were named PayPal-2.5.200-MSWin32-x86-2005.exe.[4] In this case, the PayPal attribution indicated that a phishing attack was likely.[5] The trojan was programmed to change the DNS server name of a victim's computer to an IP address in the 193.227.xxx.xxx range.[6]

The registry key that is affected by this trojan is:

HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\NameServer

Other registry modifications involved the creation of the following values:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}, DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}, NameServer = 85.255.xxx.133,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, NameServer = 85.255.xxx.xxx,85.255.xxx.xxx

See also

DNSChanger
DNS hijacking
Rove Digital case
Zlob trojan

References

1. "Trojan:Win32/Dnschanger". Microsoft Security Intelligence. December 7, 2006. Retrieved January 16, 2021.
2. "Virus Profile: DNSChanger". McAfee. April 19, 2009. Archived from the original on September 3, 2017. Retrieved January 16, 2021.
3. "How DNS Changer Trojans Direct Users to Threats – Threat Encyclopedia – Trend Micro USA".
4. "Trojan:W32/DNSChanger". F-Secure. Retrieved 17 December 2018.
5. "Phishing attack hits PayPal subscribers | V3".
6. "News from the Lab Archive: January 2004 to September 2015". F-Secure.

External links

How DNS Changer Trojans Direct Users to Threats by TrendMicro
FBI: Operation Ghost Click (F-Secure)
'Biggest Cybercriminal Takedown in History' (Brian Krebs @ krebsonsecurity.com)
Analysis of a DNSChanger file at VirusTotal

Categories: Adware, Consumer fraud, Cybercrime, Domain Name System, Hacking in the 2000s, Internet fraud, Internet Protocol based network software, Online advertising, Organized crime activity, Spamming, Windows trojans
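The registry values listed above (NameServer and DhcpNameServer under Tcpip\Parameters and its per-interface subkeys) are the artifact a defender can audit. The following script is an added example and is not part of the article or of any vendor's tooling: it parses a .reg-style export of the Tcpip parameters, such as one produced with the built-in command reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters tcpip.reg, and flags every resolver that is not on an expected list, is a hostname rather than an address, or falls in the 85.255.0.0/16 and 193.227.0.0/16 ranges. The sample export, its interface GUIDs and addresses, and the EXPECTED_RESOLVERS list are constructed for the example; the /16 watchlist is an assumption, since the article only gives the first two octets of the addresses it saw.

```python
import ipaddress
import re

# Constructed sample of a .reg export of the Tcpip parameters, modelled on the key
# paths the article lists. The GUIDs and addresses are made up for this example.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="85.255.112.133,85.255.113.10"
"DhcpNameServer"="10.0.0.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"DhcpNameServer"="10.0.0.1"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"NameServer"="193.227.15.7,evil.example"
"""

# Resolvers this (hypothetical) organisation expects its Windows hosts to use.
EXPECTED_RESOLVERS = {"10.0.0.1", "10.0.0.2"}

# Ranges the article associates with DNSChanger variants. The article masks the
# last octets (85.255.xxx.xxx, 193.227.xxx.xxx), so /16 is the widest honest match;
# treat a hit as a reason to investigate, not as proof of infection.
WATCHLIST = [ipaddress.ip_network("85.255.0.0/16"), ipaddress.ip_network("193.227.0.0/16")]

# Only Tcpip\Parameters keys (and their Interfaces\{GUID} subkeys) are of interest.
KEY_RE = re.compile(r"^\[(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\[^\]]*Tcpip\\Parameters[^\]]*)\]$")
VALUE_RE = re.compile(r'^"(?P<name>NameServer|DhcpNameServer)"="(?P<data>[^"]*)"$')


def parse_dns_values(reg_text):
    """Yield (key_path, value_name, [resolver, ...]) for each DNS value in the export."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if line.startswith("["):
            current_key = None  # some unrelated key; skip its values
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            # Windows accepts comma- or space-separated resolver lists.
            entries = [e for e in re.split(r"[ ,]+", m.group("data")) if e]
            yield current_key, m.group("name"), entries


def classify(entry):
    """Return a reason string if the resolver is suspicious, else None."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        # A hostname here is unusual; NameServer normally holds IP addresses.
        return "non-IP resolver (hostname)"
    if any(addr in net for net in WATCHLIST):
        return "matches DNSChanger-associated range"
    if entry not in EXPECTED_RESOLVERS:
        return "unexpected resolver"
    return None


def audit(reg_text):
    """Return a list of findings, one per suspicious resolver entry."""
    findings = []
    for key, name, entries in parse_dns_values(reg_text):
        for entry in entries:
            reason = classify(entry)
            if reason:
                findings.append({"key": key, "value": name, "resolver": entry, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG_EXPORT):
        print(f"{f['reason']}: {f['resolver']} in {f['key']}\\{f['value']}")
```

Run against a real export, the script reports the key path alongside each hit, which matters because the trojan writes both the global Parameters key and per-interface subkeys; checking only the adapter's current settings would miss a stale value under ControlSet001 that becomes active again after a rollback.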