DNSChanger

Behavior

  • Can compromise Windows, Mac, and some routers and modems.
  • Modifies the DNS server entries to point to IP addresses in Ukraine.
  • Redirects certain lookups, which prevents anti-malware software from updating.

Removal and Recommendations

From everything I've gathered, most up-to-date anti-virus and anti-spyware should detect this. The problem is that the DNSChanger redirects away from anti-malware update sites. I personally recommend either scanning from a bootable CD/DVD (BartPE, UBCD4Windows, etc.) or pulling the drive to scan it from a clean, updated system.

Apple has an antivirus tool out that is supposed to remove it from their OS. http://www.apple.com/downloads/macosx/networking_security/iantivirus.html

Block and/or monitor all traffic to and from 85.255.112.0 – 85.255.127.255 (85.255.112.0/20).
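
One way to check a host's DNS settings against this range, as an added example that is not part of the original page. It assumes the text comes from `/etc/resolv.conf`, `ipconfig /all` or `scutil --dns`; the function names and sample inputs are constructed for illustration.

```python
import ipaddress
import re

# Range this page says to block or monitor.
ROGUE_NET = ipaddress.ip_network("85.255.112.0/20")

# Candidate dotted quads; real validation is left to ipaddress.
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Keys that introduce DNS servers in resolv.conf, ipconfig /all, scutil --dns.
DNS_KEY_RE = re.compile(r"(nameserver|DNS Servers)\b", re.I)

def dns_servers(config_text):
    """Return the IPv4 DNS servers named in resolver configuration text."""
    servers, in_dns_block = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if DNS_KEY_RE.match(stripped):
            in_dns_block = True
        elif not (in_dns_block and IPV4_RE.fullmatch(stripped)):
            in_dns_block = False  # unrelated line ends the DNS block
            continue
        # Either a DNS key line or an ipconfig continuation line (bare IP).
        for candidate in IPV4_RE.findall(stripped):
            try:
                servers.append(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # not a valid address, e.g. 999.1.1.1
    return servers

def rogue_dns_servers(config_text):
    """Return configured DNS servers that fall inside 85.255.112.0/20."""
    return [str(ip) for ip in dns_servers(config_text) if ip in ROGUE_NET]

# Constructed sample: ipconfig /all excerpt with both DNS entries in the range.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.10
                                       85.255.127.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
# Constructed sample: resolv.conf whose second entry is just outside the range.
SAMPLE_RESOLV = "nameserver 192.168.1.1\nnameserver 85.255.128.1\n"

if __name__ == "__main__":
    for name, text in (("ipconfig", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV)):
        print(name, "->", rogue_dns_servers(text) or "no DNS servers in range")
```

Because DNSChanger can also change router and modem settings, a clean result on the host does not clear the DHCP-supplied DNS servers; check the router's configuration as well.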
