DNS stands for "Domain Name System." It is the Internet standard for assigning IP addresses to domain names. A DNS acts like a phone book that translates human-friendly host names to PC-friendly IP addresses.
It is typical for users to automatically use a DNS server operated by their own ISPs. Some users, however, choose to use third-party DNS servers for different reasons. ISP-operated DNS servers can be slow or unreliable, which is why third-party ones are preferred.
What is a DNS changer Trojan?
DNS changer Trojans are malware designed to modify infected systems' DNS settings without the users' knowledge nor consent. Once modified, systems use foreign DNS servers, which are usually set up by cybercriminals. Users with infected systems who try to access certain sites are instead redirected to possibly malicious sites.
How does a DNS changer Trojan work?
DNS changer Trojans are dropped onto systems by other malware such as TDSS and KOOBFACE. Once installed, DNS changer Trojans silently modify infected systems' DNS settings. Cybercriminals do this so victims would use foreign DNS servers instead of the ones provided by their ISPs. They set up DNS servers to resolve certain domains to malicious IP addresses.
Modifying systems' DNS settings allows cybercriminals to perform malicious activities like:
How do cybercriminals profit from spreading DNS changer Trojans?
Money makes the world go round, especially in the world of cybercrime. DNS changer Trojans are, of course, no exception to the profit rule.
DNS changer Trojan creators' profiteering schemes have been well-documented, particularly in Rove Digital's case. According to the official U.S. legal indictment, Rove Digital took on advertising contracts from which it made money in exchange for user ad clicks and the display of ads on certain sites.The document also revealed that its business model was not limited to advertising fraud. The group also hijacked search results.
The following techniques allow cybercriminals to profit from spreading DNS changer Trojans:
Why should users be concerned with this threat?
DNS changer Trojans may lead to a lot of problems for users, including:
Users of systems that have already been infected by DNS changer Trojans, particularly those distributed by Rove Digital, may experience more serious consequences. Systems that remain infected and whose DNS settings are not reset before July 9 will lose Internet access once the Rove Digital DNS servers are shut down.
DNS changer Trojans also affect Macs. OS X-specific Trojans can also change the DNS settings of infected systems and redirect users to bogus sites.
How can affected users get rid of DNS changer Trojans?
Affected users should reset the DNS settings of their systems after getting rid of DNS changer Trojans using their anti-malware solutions. To manually reset your DNS settings, follow these steps:
For Windows OS
For Mac OS X
Are Trend Micro users protected from this threat?
Yes, Trend Micro protects your system and confidential information from DNS changer Trojans and other threats via solutions like Trend Micro™ Titanium™ Maximum Security at home and Trend Micro™ Worry-Free™ Business Security—Advanced or OfficeScan for your business.
FROM THE FIELD: EXPERT INSIGHTS
"Cybercriminals use a variety of methods to monetize their DNS changer Trojan botnets, including hijacking search results, replacing the ads victims see on legitimate sites, and pushing additional malware. We successfully identified Rove Digital's command-and-control (C&C) and back-end infrastructure at an early stage and continued to monitor this until November 8, 2011. Other industry partners did a tremendous job by making sure that the botnet takedown happened in a controlled way, with minimal inconvenience on the part of infected customers."— Feike Hacquebord, senior threat researcher