Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
New Koobface Component

Aside from the new Twitter component, we’ve also seen Koobface download a new component with the filename dns.exe, whose main purpose, it seems, is to modify the system’s DNS registry settings.

This is accomplished by inserting 213.174.139.72 (the IP of the rogue DNS server) into the NameServer and DhcpNameServer values found under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Device ID}

The effect of this modification is that every time a website is visited, its domain is resolved by asking the rogue DNS server, which can then answer with a bad IP that redirects the unsuspecting user to a malicious or phishing site.

As of this writing, the rogue DNS IP is inactive, but we recommend that anyone who suspects something fishy is happening while browsing search for the presence of that bad IP and remove it (do NOT remove your original DNS IP, though). The rogue DNS IP has a history of hosting various malware and malicious pages, so whatever it does when it wakes up will be anything but good.
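The check described above, as an added example that is not part of the original post: it walks the per-interface Tcpip\Parameters\Interfaces keys, reports any NameServer or DhcpNameServer value that contains the rogue address, and (only with -Fix) strips that one address while keeping the original resolver(s). The function name and the -Fix switch are our own choices.

```powershell
# Added example (not from the TrendLabs post): find and strip the rogue resolver
# named in the post from the per-interface TCP/IP registry values, leaving the
# original DNS server(s) untouched.
$RogueDns   = '213.174.139.72'   # IP quoted in the post
$Interfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Remove-RogueDnsEntry {
    param(
        [string]$RogueIp = $RogueDns,
        [switch]$Fix       # without -Fix the function only reports
    )
    $findings = @()
    foreach ($key in Get-ChildItem -Path $Interfaces) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $value = $props.$name
            if (-not $value) { continue }
            # Windows stores multiple resolvers separated by commas or spaces.
            $servers = $value -split '[ ,]+' | Where-Object { $_ }
            if ($servers -contains $RogueIp) {
                $clean = ($servers | Where-Object { $_ -ne $RogueIp }) -join ','
                $findings += [pscustomobject]@{
                    Interface = $key.PSChildName
                    Value     = $name
                    Before    = $value
                    After     = $clean
                }
                # Only rewrite when a legitimate resolver remains; if the rogue
                # address was the sole entry, leave it for manual review so the
                # interface is not left without any DNS configuration.
                if ($Fix -and $clean) {
                    Set-ItemProperty -Path $key.PSPath -Name $name -Value $clean
                }
            }
        }
    }
    return $findings
}

# Report first; re-run with -Fix from an elevated prompt to apply the change.
Remove-RogueDnsEntry | Format-Table -AutoSize
```

After a fix, run ipconfig /flushdns so cached answers from the rogue resolver are discarded.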

The said DNS changer is now detected as TROJ_DNSCHANG.UB, thus the Smart Protection Network also protects Trend Micro users from this.

Other notorious DNS-changers in the past can be read here:






© Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice