Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    9:58 am (UTC-7)   |    by

    Note that this entry was first posted last March 27, 2007.

    We’ve received a very interesting write-up from our associates, Feike Hacquebord and Chenghuai Lu, regarding rogue DNS servers. I’m sure you’ll find the report below quite informative.

    Rogue DNS Servers

    Researchers of Trend Micro have identified a network of more than 115 rogue DNS servers, which are used by DNS-changing Trojans. This article describes threats imposed by these rogue DNS servers.


    Domain Name System servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Normally, when an Internet user types a web address in the address bar of his Internet browser, for example, a DNS server resolves that domain name to an IP address that is hosting the Google webpage. In this way, his computer knows where to fetch If a user mistypes the domain, e.g., the DNS server fails to resolve the domain and the user gets an error message.

    Most Internet users automatically use the DNS servers of their ISP. DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and translate certain domains to fallacious IP addresses. As a result, victims are redirected to possibly malicious websites without them noticing it. For example, if a user wants to view, a rogue DNS server may resolve to an IP address controlled by an unknown third party. If that third party creates pages that look exactly like those of Google, the user might think that he is browsing Google indeed, without noticing that he is actually visiting a website controlled by somebody else than Google. This may cause the user to leak sensitive information to third parties.

    Network of 115+ rogue DNS servers

    Researchers of Trend Micro have identified a network of more than 115 rogue DNS servers that are used by a certain variant of TROJ_DNSCHANG [1]. These DNS servers exhibit interesting behavior. We found that the DNS servers resolve most existing domains correctly at the times we queried them. However, for non-existing domain names, the rogue DNS servers do not return the usual error message but they instead resolve the domain name to a malicious IP address.

    See Figure 1 for an example.

    (1) The DNS query result on from legitimate DNS server

    (2) The DNS query result on from a rogue DNS server

    Figure 1. DNS queries on

    We entered “” in the address bar of an Internet browser that is using one of the rogue DNS servers to resolve domain names. We found that instead of displaying the usual error message “page not found”, it redirected us to a website that hosts a rogue adult search engine. See Figure 2.

    Figure 2. Result of visiting a non-existent webpage before and after Trojan infection

    Another interesting thing we found is that the rogue DNS servers hijack some known bad domain names that hosted malware or C&C servers. For example, is an old infamous bad domain of such kind, which is currently parked. The rogue DNS servers resolve to different IP addresses than the authoritative nameservers do. See Figure 3.

    Figure 3. DNS queries on from infected hosts

    Resolving bad domain names differently has the result that other malware, which might be present on the victim�¢??s computer, may work in another way than they were originally designed. In particular, a built-in update function that polls a website for updates of malware may now generate automated clicks on adult webpages (clickfraud) . In our example, attempts to fetch malware updates from on a computer infected with the DNS-changing Trojan we are discussing in this article, result in clicks on adult webpages indeed.

    Apparently, the rogue DNS servers are used for click-fraud. The fact that there are more than 115 rogue DNS servers that are all identical suggests that there are a lot of victims infected with this particular kind of DNS -changing malware. The infected computers together form a large network that can generate a lot of traffic to any website.

    The rogue DNS servers include, but are not limited to these addresses:



    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    Comments are closed.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice