English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Is it the end of the DNSChanger Trojan?

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted July 10, 18:08  GMT
Tags: Microsoft Windows, Internet Banking, Botnets, Malware Creators, DNS, Email
0.2
 

=== Not really, especially in Latin America. Every day we register lots of similar attacks, each abusing local DNS settings. Actually these attacks are a bit different because they modify the local HOST file but the principle is the same – redirecting the victim to a malicious host via malicious DNS records.

Latin American cybercriminals are used to recycling old techniques used elsewhere in the past and what is happening right now is a growth of attacks abusing local DNS settings. The latest social engineering-based malware attack in Mexico – which imitated the Mexican tax office – is a recent example of this.

By clicking on the link the victim downloads and installs a Trojan which is related to Ngrbot and modifies the local HOST file. It steals money from two Mexican banks by redirecting the infected victims to fake banking websites.

There is interesting information contained inside the code – the source of the Trojan before the compilation.

(C:\Users\Alx\Desktop\pharming_root3d\Project1.vbp)

After browsing some underground Spanish-language forums, I found that the author of this malware has been operating since at least 2004 and apparently lives in Peru.

Most of the victims are, of course, from Mexico. The main means of spreading the malware is email and the most widely-targeted email provider is Yahoo mail.


There are at least 11,540 downloads of this malware and the overall it has been detected by 9 out of 31 antivirus engines. That basically means there are some 8,000 infections out there.

The fact that a fairly experienced cybercriminal (operating from 2004) still uses malicious techniques to abuse local DNS settings and can still net a large number of victims (8,000) once again confirms that the DNSChanger trend won’t change in the near feature. We will keep seeing new pieces of malware using and refining the same technique. This story is set to continue…


1 comments

isolthai

2012 Jul 13, 13:25
0
 

ccnp voice training

DNSChanger is a trojan that will change the infected system's Domain Name Server (DNS) settings, in order to divert traffic to unsolicited, and potentially illegal sites, by ccnp voice training

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog

Alerts