ZLob/DNSChanger Trojan now can modify DNS Servers in your SOHO Router

Discussion in 'Virus Information' started by David H. Lipman, Jun 13, 2008.

  1. A variant of the ZLob Trojan known as DNSChanger has been known to modify the DNS servers on
    your PC. Thus you get directed to malicious web sites instead of the web site you are
    trying to get to.

    Now there is a variant of the DNSChanger, installer ~300KB, that can use TCP port 80 and a
    dictionary of passwords to modify the DNS Server list on SOHO Routers.

    http://www.trustedsource.org/blog/42/New-DNSChanger-Trojan-hacks-into-routers
    http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html
     
    David H. Lipman, Jun 13, 2008
    #1
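One defender-side check for the behaviour described in this post, added here as an example and not part of the original thread: parse the DNS server list a Windows host received from its router (the `ipconfig /all` text below is constructed) and flag any resolver outside the networks you expect, since a router rewritten by DNSChanger hands out the attacker's resolvers to every client. The trusted ranges are assumed values to replace with your own router and ISP addresses.

```python
# Added example, not code from the thread. Checks the resolvers a client got
# from its router against an allow-list; an unexpected resolver is the symptom
# left behind when the router's DNS list has been changed.
import ipaddress
import re

# Assumed trusted resolvers (constructed): the LAN/router range and the ISP's
# resolver block. Replace with the addresses your router is supposed to hand out.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),   # router / LAN
    ipaddress.ip_network("203.0.113.0/24"),   # ISP resolvers (documentation range)
]

# Constructed sample of `ipconfig /all` output; the second DNS server sits on a
# continuation line with no label, as Windows prints it.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       198.51.100.9
"""

def parse_dns_servers(ipconfig_text):
    """Return every DNS server address listed in `ipconfig /all` output."""
    servers = []
    lines = ipconfig_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"\s*DNS Servers[ .]*: (\S+)", lines[i])
        if m:
            servers.append(m.group(1))
            i += 1
            # Further servers follow on deeply indented, unlabeled lines.
            while i < len(lines):
                cont = re.match(r"^\s{20,}(\d+\.\d+\.\d+\.\d+)\s*$", lines[i])
                if not cont:
                    break
                servers.append(cont.group(1))
                i += 1
            continue
        i += 1
    return servers

def untrusted_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Return the resolvers that fall outside every trusted network."""
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in trusted)]
```

Run the same check against the DNS list shown on the router's own status page, not just on one PC, because the Trojan changes the router and every client inherits the result.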

  2. I always update my anti-virus software regularly so I should be OK.

    Thanks for the news anyway.
     
    Andrew McGovern, Jun 13, 2008
    #2

  3. There are other exploits that do this as well. The best protection against
    this is to use a strong password on your router.
     
    Kerry Brown, Jun 13, 2008
    #3
  4. From: "Kerry Brown" <*a*m>

    | There are other exploits that do this as well. The best protection against
    | this is to use a strong password on your router.
    |

    Yes. There have been discussions about SOAP in conjunction with uPnP. However, using uPnP
    you may be able to bypass the TCP port 80 authentication.
     
    David H. Lipman, Jun 14, 2008
    #4
  5. And turn off uPnP. I forgot about that. It's the first thing I do with
    anything I set up that may have it enabled. If you can believe this,
    Microsoft wants uPnP turned on so they can automagically configure the
    router with the still-in-beta SBS 2008. Trustworthy computing :)
     
    Kerry Brown, Jun 14, 2008
    #5
  6. 1. Run Deckard's System Scanner (DSS)
    http://securitynewsfromthenet.blogspot.com/2008/06/deckards-system-scanner-dss.html

    2. Run the VundoFix and ComboFix
    http://securitynewsfromthenet.blogspot.com/2007/05/vundofix-and-combo-fix.html

    3. Run Malwarebytes Anti-Malware
    http://securitynewsfromthenet.blogspot.com/2008/03/malwarebytes-anti-malware-105.html

    4. Run the anti-spyware removal program Spybot
    http://securitynewsfromthenet.blogspot.com/2007/03/spybot-search-and-destroy-spyware-and.html

    5. Run SUPERAntiSpyware
    http://securitynewsfromthenet.blogspot.com/2007/04/superantispyware-home-edition-free.html

    6. Run a complete scan with the free curing utility Dr.Web CureIt!
    http://securitynewsfromthenet.blogspot.com/2008/05/dr-web-cureit.html
     
    Dell Techie, Jun 16, 2008
    #6
  7. [spam snipped]

    I would rather download from reputable sources than your blogspot
    spam site.

    Len Agoado
     
    Leonard Agoado, Jun 16, 2008
    #7
  8. From: "Dell Techie" <>

    < snip >

    Is all you can do repeat the SAME response in multiple replies?

    The fact is MY POST was a statement. An informative post. It was NOT a request for help,
    and you should have replied to the thread and NOT created a new one.

    Additionally, if one was infected with this variant of the DNSChanger Trojan, your response
    would be incomplete, as the Router would have the malware author's DNS servers and the
    infected person would be redirected to malicious sites, reinfecting the user.

    Please let those who have direct knowledge using News Clients deal with malware. The fact
    that you are using a web front-end to the Microsoft News Groups and can't even properly
    respond to a thread indicates you lack the capabilities needed.
     
    David H. Lipman, Jun 16, 2008
    #8
  9. Your English is getting worse, Mr Lipman!

    Perhaps others reading here would better understand you if you were to take
    more care over your spelling and grammar. ;)

    BD
     
    ~BD~, Jun 16, 2008
    #9
  10. Seemed clear to me.
     
    Leythos, Jun 17, 2008
    #10
  11. Your tin foil hat needs re-aligning, and you need your meds refilled.

    : Your English is getting worse, Mr Lipman!
    :
    : Perhaps others reading here would better understand you if you were to take
    : more care over your spelling and grammar. ;)
    :
    : BD
     
    Tom [Pepper] Willett, Jun 17, 2008
    #11
  12. Seemed pretty clear to me also.
     
    ---Fitz---, Jun 18, 2008
    #12
  13. I've compiled a checklist to follow:

    http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html
     
    a.qarta, Jun 18, 2008
    #13
  14. From: "a.qarta" <>

    | I've compiled a checklist to follow
    |
    | http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html

    Very good, Aa'ed!
     
    David H. Lipman, Jun 18, 2008
    #14
  15. Looks good.
     
    Kerry Brown, Jun 19, 2008
    #15
  16. Thanks Tom. Action taken accordingly! ;)
     
    ~BD~, Jun 20, 2008
    #16