Feeds

back to article World's stealthiest rootkit pushes DNS hijacking trojan

One of the world's most advanced pieces of malware is being used to spread DNS Changer, a trojan at the heart of a massive click fraud scheme that has already hijacked 4 million PCs, security researchers said. Just a few days after federal prosecutors in the US shuttered the international conspiracy, researchers from Dell …

COMMENTS

This topic is closed for new posts.
Silver badge

Where's the instructions for a Linux box?

2
1
Anonymous Coward

Whilst I appreciate you're likely feeling hard done by as a member of a digital minority, a clue as to why this vital piece of info might have been omitted could be in "The scheme preyed on users of computers running Microsoft Windows and Apple OS X operating systems".

4
0
FAIL

Heh

That's amusing - missed a chance to gloat over a more secure O/S in order to bitch about having a more overlooked O/S :)

4
0
Silver badge
Trollface

10/10 for a short but successfull trolling by OP

5
1
Anonymous Coward

@AC 23:27 GMT - Nah, it's Windows only!

As far as the AV companies have discovered so far.

0
1
Bronze badge
WTF?

OK, but just one small point here; it can alter routers (not windows machines)? I'd like to know more about that as it is causing me a little discomfort, for obvious reasons. How does it attack router settings?

0
0
Bronze badge

Linux:

cat /etc/resolv.conf.

My laptop says I use 127.0.0.1 8)

2
0
Anonymous Coward

What I find funny is that apparently security update MS10-015 caused PC's infected with this rootkit (earlier version) to crash so Microsoft changed the update so it wouldn't install on infected machines. The rootkit author then updated his software to fix the bug that MS10-015 exposed and everybody was happy again.

It just goes to show that Microsoft can work with 3rd party developers to improve the users experience.

17
0

Makes perfect sense though...

...often the best way to familiarise yourself with such tools is to run them on one's own machine first.

0
0
Thumb Up

Hmmm

Thanks for that El'Reg :D

Have started investigating this more and come up with some simple scripting checks to audit every PC we have.

0
0
Anonymous Coward

Why is the author mentioning the MAc OS X infection here ?

In all honesty, I tried to find a serious virus analysis specific to non-Windows computers and I couldn't find one. In case OS X is vulnerable, I'm just curious to learn a few things about the mechanisms the virus uses because I strongly doubt injecting Windows 64-bit drivers would work on an Apple machine.

I would appreciate if someone could point me to such info.

0
5
Holmes

Enjoy

What about OSX security issues? Its drivers, system files, font types, and all are just as targetable as anything else.

Some of Apple products security issues are listed here (1466 vulneranilities):

http://secunia.com/advisories/search/?search=Apple

And Microsoft ones are here (1313 vulnerabilities):

http://secunia.com/advisories/search/?search=Microsoft

No big number difference as you can see....

0
1
Anonymous Coward

Try

http://www.theregister.co.uk/2011/11/09/dns_malware_scam/

0
0
Stop

Update Coming

I wouldn't rely on IPCONFIG /all for too much longer. The rootkit could be updated to catch all calls for the DNS settings, and then to return the values that were there before it changed the ones the TCP/IP stack uses.

It might be necessary to watch the actual traffic on the 'wire'.

Even then if a local but hidden host table has been modified you wouldn't know.

2
0
Silver badge

Sir

Quick, everyone install Wireshark and filter for dns.

Oh, and don't forget to check the checksum :)

0
0
Bronze badge

A firewall solution

At work I set up a firewall to block outgoing DNS connections from everything except the two corporate DNS boxes and even then blocked the mentioned IP address ranges for the DNS servers, of course this isn't really necessary as the DNS servers just use root hints and thus only contact the authoritative DNS servers for domains.

Immediately afterwards, we got calls about being unable to connect to the internet and found that a bunch of OS X boxes in the marketing department were infected and traced it to some stupid game they were trying to play.

Amazing what an a couple of Pentium 4 boxes with Firewall software can do, OpenBSD FTW.

2
0
Anonymous Coward

>"the IP numbers that correspond to domain names"

Just to be technically accurate about it, there aren't any IP numbers corresponding to domain names; they correspond to the names of individual hosts within those domains - some of which may by design have names that match the domains, but that's not necessarily the case, and the IP address still doesn't refer to the domain itself.

(Pedantic Dickweedery™ is a trademark of TDWTF.)

0
0
This topic is closed for new posts.