Aside from the new Twitter component we’ve also seen Koobface download a new component with the filename dns.exe, whose main purpose, it seems, is to modify the system’s DNS registry settings.
It is accomplished by inserting 126.96.36.199 (IP of the rogue DNS server) into the values of NameServer and DhcpNameServer found in the following registry key:
What this system modification does is, every time a website is visited, the domain of the website is resolved by asking the rogue DNS, which can then serve a bad IP that will redirect the unsuspecting user to a malicious or phishing site.
As of writing, the rogue DNS IP is inactive, but we recommend anyone who suspects that something fishy is happening while browsing should search for the presence of that bad IP and remove it (do NOT remove your original DNS IP though). The rouge DNS IP has a history of hosting various malware and malicious pages before so whatever it will do when it wakes up will be anything but good.
The said DNS changer is now detected as TROJ_DNSCHANG.UB, thus the Smart Protection Network also protects Trend Micro users from this.
Other notorious DNS-changers in the past can be read here:
- DNS Changer Malware Evolves – Again
- New ZLOB Rigs Routers
- Blended Targeted Attack in Mexico Now a DNS Changer and a Botnet