World's stealthiest rootkit pushes DNS hijacking trojan

One of the world's most advanced pieces of malware is being used to spread DNS Changer, a trojan at the heart of a massive click fraud scheme that has already hijacked 4 million PCs, security researchers said. Just a few days after federal prosecutors in the US shuttered the international conspiracy, researchers from Dell …

COMMENTS

This topic is closed for new posts.
  1. Mystic Megabyte

    Where's the instructions for a Linux box?

    1. Anonymous Coward

      Whilst I appreciate you're likely feeling hard done by as a member of a digital minority, a clue as to why this vital piece of info might have been omitted could be in "The scheme preyed on users of computers running Microsoft Windows and Apple OS X operating systems".

      1. Anonymous Coward

        @AC 23:27 GMT - Nah, it's Windows only!

        As far as the AV companies have discovered so far.

      2. Scorchio!!
        WTF?

        OK, but just one small point here; it can alter routers (not windows machines)? I'd like to know more about that as it is causing me a little discomfort, for obvious reasons. How does it attack router settings?

    2. bolccg
      FAIL

      Heh

      That's amusing - missed a chance to gloat over a more secure O/S in order to bitch about having a more overlooked O/S :)

      1. Destroy All Monsters Silver badge
        Trollface

        10/10 for a short but successful trolling by OP

  2. Anonymous Coward

    Linux:

    cat /etc/resolv.conf.

    My laptop says I use 127.0.0.1 8)

  3. Anonymous Coward

    What I find funny is that apparently security update MS10-015 caused PCs infected with this rootkit (earlier version) to crash, so Microsoft changed the update so it wouldn't install on infected machines. The rootkit author then updated his software to fix the bug that MS10-015 exposed and everybody was happy again.

    It just goes to show that Microsoft can work with 3rd party developers to improve the users' experience.

    1. Smokey Joe

      Makes perfect sense though...

      ...often the best way to familiarise yourself with such tools is to run them on one's own machine first.

  4. Head
    Thumb Up

    Hmmm

    Thanks for that El'Reg :D

    Have started investigating this more and come up with some simple scripting checks to audit every PC we have.
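The two checks the thread has mentioned so far are reading `/etc/resolv.conf` on Linux and auditing the resolver settings on every Windows PC. The script below is an added example (not code from the article or from any commenter) that parses both listings, `/etc/resolv.conf` text and the output of `ipconfig /all`, and flags any configured nameserver that is not on an allow-list. The allow-list in `EXPECTED_RESOLVERS` and the two sample outputs are constructed for the example; replace them with your own resolvers and feed it real files or command output.

```python
"""Audit configured DNS resolvers on Linux and Windows hosts.

Added example, not from the article or any commenter.  It parses the two
resolver listings the thread refers to, /etc/resolv.conf on Linux and the
output of `ipconfig /all` on Windows, and reports every nameserver that is
not in an allow-list of resolvers you expect to see.  EXPECTED_RESOLVERS and
the sample outputs are constructed for the example.
"""
import ipaddress
import re

# Assumption: the resolvers your hosts are supposed to use.  Replace with
# your own (corporate forwarders, the router, or 127.0.0.1 for a local cache).
EXPECTED_RESOLVERS = {"127.0.0.1", "10.0.0.53", "10.0.1.53"}

# Constructed sample of a Linux /etc/resolv.conf with one unexpected entry.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 127.0.0.1
nameserver 192.0.2.77
"""

# Constructed excerpt of Windows `ipconfig /all` output; the second DNS
# server sits on a continuation line, as Windows prints it.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.0.5.21(Preferred)
   Default Gateway . . . . . . . . . : 10.0.5.1
   DNS Servers . . . . . . . . . . . : 198.51.100.9
                                       10.0.0.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _is_ip(text):
    """True if text is a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Return the DNS server addresses from `ipconfig /all` output.

    The first server follows the 'DNS Servers' label; any further servers are
    printed on continuation lines that contain only an address.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            candidate = line.strip()
            if _is_ip(candidate):
                servers.append(candidate)
                continue
            in_dns_block = False              # first non-address line ends the block
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Return the configured resolvers that are not on the allow-list."""
    return [s for s in servers if s not in expected]


if __name__ == "__main__":
    for source, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                            ("ipconfig /all", parse_ipconfig(SAMPLE_IPCONFIG))):
        print(f"{source}: configured={servers} unexpected={unexpected_resolvers(servers)}")
```

On a real host, pass the contents of `/etc/resolv.conf` or the captured output of `ipconfig /all` to the matching parser; a non-empty result from `unexpected_resolvers` is what you would want to investigate. As Pete 39 notes further down, this only audits what the host reports, so a rootkit that hooks those reads would pass it.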

  5. Anonymous Coward

    Why is the author mentioning the Mac OS X infection here?

    In all honesty, I tried to find a serious virus analysis specific to non-Windows computers and I couldn't find one. In case OS X is vulnerable, I'm just curious to learn a few things about the mechanisms the virus uses because I strongly doubt injecting Windows 64-bit drivers would work on an Apple machine.

    I would appreciate if someone could point me to such info.

    1. Tchou
      Holmes

      Enjoy

      What about OSX security issues? Its drivers, system files, font types, and all are just as targetable as anything else.

      Some of Apple's product security issues are listed here (1466 vulnerabilities):

      http://secunia.com/advisories/search/?search=Apple

      And Microsoft ones are here (1313 vulnerabilities):

      http://secunia.com/advisories/search/?search=Microsoft

      No big number difference as you can see....

    2. Anonymous Coward

      Try

      http://www.theregister.co.uk/2011/11/09/dns_malware_scam/

  6. Pete 39
    Stop

    Update Coming

    I wouldn't rely on IPCONFIG /all for too much longer. The rootkit could be updated to catch all calls for the DNS settings, and then to return the values that were there before it changed the ones the TCP/IP stack uses.

    It might be necessary to watch the actual traffic on the 'wire'.

    Even then if a local but hidden host table has been modified you wouldn't know.

    1. Sir Runcible Spoon

      Sir

      Quick, everyone install Wireshark and filter for dns.

      Oh, and don't forget to check the checksum :)

  7. Crazy Operations Guy

    A firewall solution

    At work I set up a firewall to block outgoing DNS connections from everything except the two corporate DNS boxes and even then blocked the mentioned IP address ranges for the DNS servers; of course this isn't really necessary as the DNS servers just use root hints and thus only contact the authoritative DNS servers for domains.

    Immediately afterwards, we got calls about being unable to connect to the internet and found that a bunch of OS X boxes in the marketing department were infected and traced it to some stupid game they were trying to play.

    Amazing what a couple of Pentium 4 boxes with Firewall software can do, OpenBSD FTW.
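Two posts above make complementary points: Pete 39's, that a rootkit can hook whatever returns the DNS settings so the real evidence is the traffic on the wire, and Crazy Operations Guy's, that only the corporate resolvers should be allowed to send DNS out. The script below is an added example (not code from the article or from either commenter) that puts both together: it parses raw IPv4/UDP datagrams, pulls out the source, destination and queried name of each DNS packet, and applies the rule "DNS may leave a host only if the host is a corporate resolver or the destination is one". The resolver addresses in `CORPORATE_RESOLVERS` and the packets in `SAMPLE_FRAMES` are constructed for the example (the builder exists only to produce them); in practice the bytes would come from a raw socket or a pcap file.

```python
"""Watch DNS on the wire and apply an outbound-DNS policy.

Added example, not from the article or its commenters.  It inspects raw
IPv4/UDP packets rather than asking the host what its resolvers are, and
flags any DNS packet that neither comes from nor goes to a sanctioned
resolver, which is the pattern of a client bypassing the corporate DNS.
CORPORATE_RESOLVERS and SAMPLE_FRAMES are constructed for the example.
"""
import socket
import struct

# Assumption: the only hosts permitted to send DNS queries to the internet.
CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def build_query(src, dst, qname, txid=0x1234, sport=40000):
    """Construct an IPv4/UDP/DNS A-record query; sample data for this example.

    Checksums are left at zero: the parser does not validate them.
    """
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                            socket.inet_aton(src), socket.inet_aton(dst))
    return ip_header + udp


def parse_qname(dns):
    """Return the name in the first question of a DNS message (labels joined by '.')."""
    labels, i = [], 12                          # skip the 12-byte DNS header
    while i < len(dns):
        n = dns[i]
        if n == 0 or n & 0xC0:                  # end of name, or a compression pointer
            break
        labels.append(dns[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)


def parse_dns_packet(frame):
    """Return (src, dst, dport, qname) for an IPv4/UDP DNS packet, else None."""
    if len(frame) < 28 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:                          # not UDP
        return None
    src = socket.inet_ntoa(frame[12:16])
    dst = socket.inet_ntoa(frame[16:20])
    sport, dport, _ulen, _cksum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if 53 not in (sport, dport):
        return None
    return src, dst, dport, parse_qname(frame[ihl + 8:])


def classify(src, dst, resolvers=CORPORATE_RESOLVERS):
    """Policy: a resolver may talk to the world; a client may only talk to a resolver."""
    if src in resolvers or dst in resolvers:
        return "allow"
    return "deny"                               # client going straight to an outside resolver


def audit(frames):
    """Return (src, dst, qname, verdict) for every DNS packet among the frames."""
    findings = []
    for frame in frames:
        parsed = parse_dns_packet(frame)
        if parsed is None:
            continue
        src, dst, _dport, qname = parsed
        findings.append((src, dst, qname, classify(src, dst)))
    return findings


# Constructed traffic: a client asking the corporate resolver, the resolver
# recursing to an outside server, a client bypassing the resolvers entirely,
# and a non-DNS (TCP) packet that must be ignored.
SAMPLE_FRAMES = [
    build_query("10.0.5.21", "10.0.0.53", "www.example.com"),
    build_query("10.0.0.53", "192.0.2.1", "www.example.com"),
    build_query("10.0.5.22", "198.51.100.9", "update.example.net"),
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                socket.inet_aton("10.0.5.21"), socket.inet_aton("10.0.5.1")) + b"\x00" * 20,
]

if __name__ == "__main__":
    for src, dst, qname, verdict in audit(SAMPLE_FRAMES):
        print(f"{verdict:5} {src:>14} -> {dst:<14} {qname}")
```

The "deny" line is the one that matters: a workstation sending queries straight to an outside address is what a changed resolver setting looks like on the wire, whether or not the host admits to it. The same `classify` rule is what the firewall described above enforces; here it is only reported, which is the safer first step before blocking.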

  8. Anonymous Coward

    >"the IP numbers that correspond to domain names"

    Just to be technically accurate about it, there aren't any IP numbers corresponding to domain names; they correspond to the names of individual hosts within those domains - some of which may by design have names that match the domains, but that's not necessarily the case, and the IP address still doesn't refer to the domain itself.

    (Pedantic Dickweedery™ is a trademark of TDWTF.)
