
DNSChanger Authors Arrested – So Long, Suckers

2011-11-10


The word that the authors of a troublesome family of malware known as DNSChanger (aka Trojan-DNSChanger or w32.dnschanger) had been arrested following a long investigation made me want to throw a party yesterday. DNSChanger hit the big time in 2007-2008, when I was doing malware research for my previous employer. By mid-2009, though, it was fizzling out and had been superseded by other big malware campaigns. I haven’t seen a new sample in more than two years, but when it was a going concern it was huge, and I was on the front lines.

The way it worked was fairly rudimentary, but it was highly effective. The DNSChanger installer was a small executable delivered as a payload by another infection. All it did, once executed, was change the DNS server settings on the infected machine to IP addresses under the control of the DNSChanger operators, then delete itself.

What happens when DNS gets hijacked is not intuitive.

Remember first that all internet communication involves IP addresses, but to aid human cognition we created the Domain Name System, which maps names to numbers. Browsers (and every other networked application) run these lookups all the time, and the whole scheme relies on the configured DNS server answering honestly and accurately: a plain DNS answer carries no proof of where it came from, so the client believes whatever the server it was pointed at tells it.

The game here is a dishonest DNS server, one built to game display advertising. When a page’s ad tag looks up the hostname of an ad network, the rogue server returns the address of the operators’ own ad server instead. In place of the ad that would have been delivered by, for instance, AdSense, the victim sees an ad inserted by an ad service that pays the malware authors, and the ad revenue from that slot goes to them rather than to the site the victim was visiting.

To the end user, the change was entirely transparent. That design was both its strength and, as it turned out, a grave weakness: the settings it planted pointed straight at address space the operators controlled, which led investigators like myself and, apparently, law enforcement straight to Rove Digital. I only wish the rogues’ gallery of six Estonians and the Russian who were responsible had been arrested three years ago, in the midst of the storm, when we were fighting this thing tooth and nail. Better late than never, I suppose.

Once DNSChanger had executed and made its changes, they took effect immediately and persisted on the infected box until they were manually undone. Advertising embedded in Web pages came not from the ad network that actually had a contract with the site where the ads were placed (companies like AdSense or DoubleClick) but from the ad networks the DNSChanger/Rove Digital crew directed those lookups to (and which paid them, probably quite well). This meant that all the pay-per-view and pay-per-click ad revenue from hijacked computers went directly to the DNSChanger operators. The user of the infected computer would almost certainly not notice any difference in the ads he or she saw.
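To make the transparency concrete, here is an added example (my own illustration, not code from the post or from the malware) that builds a DNS query for an ad-network hostname the way a stub resolver would, then builds the answer an honest resolver and a rogue one would return. The hostname and both addresses are placeholders (documentation ranges), not real DNSChanger infrastructure. The point it shows is that the two answers are byte-for-byte the same packet apart from the address in the RDATA, and the only checks a classic stub resolver performs (transaction ID, question section, response code) pass for both:

```python
import socket
import struct

# Constructed example data (placeholders, not real infrastructure):
AD_HOST = "ads.example.net"        # hostname an ad tag on a page would look up
HONEST_ANSWER = "192.0.2.10"       # where the real ad network lives (TEST-NET-1)
ROGUE_ANSWER = "198.51.100.77"     # the operators' own ad server (TEST-NET-2)


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed, terminated by a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """A minimal recursion-desired A query, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Answer the query with one A record. A rogue resolver builds exactly the same
    packet as an honest one; only the four RDATA bytes differ."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                                  # echo the question verbatim
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    answer = (b"\xc0\x0c"                                  # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)         # TYPE A, CLASS IN, TTL, RDLENGTH
              + socket.inet_aton(ip))
    return header + question + answer


def parse_response(packet: bytes) -> dict:
    """Return txid, rcode, the queried name and every A address in the answer section."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    labels = []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1 + 4                                           # terminator, QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        if packet[pos] & 0xC0 == 0xC0:                     # compressed name pointer
            pos += 2
        else:                                              # uncompressed name
            while packet[pos] != 0:
                pos += 1 + packet[pos]
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        rdata = packet[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "rcode": flags & 0xF, "name": ".".join(labels), "addrs": addrs}


def stub_accepts(query: bytes, response: bytes) -> bool:
    """The checks a plain (non-DNSSEC) stub resolver makes: the transaction ID and the
    question section must match the query and the rcode must be NOERROR. Nothing here
    can distinguish an honest answer from a rogue one."""
    parsed = parse_response(response)
    return (parsed["txid"] == struct.unpack("!H", query[:2])[0]
            and response[12:len(query)] == query[12:]
            and parsed["rcode"] == 0)


def resolve_via(resolver_answer: str) -> dict:
    """Simulate one lookup against a resolver that answers with resolver_answer."""
    q = build_query(0x1234, AD_HOST)
    r = build_response(q, resolver_answer)
    return {"accepted": stub_accepts(q, r), **parse_response(r)}


if __name__ == "__main__":
    for label, ip in (("honest", HONEST_ANSWER), ("rogue", ROGUE_ANSWER)):
        print(label, resolve_via(ip))
```

Run it and both lookups come back "accepted": the browser then connects to whichever address it was handed and renders whatever ad that server serves. Everything the victim could observe happens after the point where the substitution was made.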

Bad reputation

It was actually quite slick. And while the operators of the network seemed to be focused on ad revenue, the potential existed, though it was never acted upon, for them to switch gears and decide, for instance, to set up a phishing page that looked like PayPal (just as an example), answer lookups for the real paypal.com with the address of that page, and harvest credentials. In the end, that might have caused them more grief: hijacked DNS settings are a blunt instrument, and redirecting a site like that would have affected the infected computer’s ability to browse to it normally, which would have called attention to the presence of the hijacked settings. So they seem to have decided to keep it low key and stuck to hijacking advertising alone. I can imagine it was very lucrative, especially if you’re overeducated, underemployed, lack any ethics, and live in a former bloc country.

The attack was the first massive campaign I can remember that used subtlety and server-side randomization to its advantage. There were thousands of samples each week, and while every sample changed the DNS settings on the infected computer, they rarely used the same pair (there were always two) of DNS server IP addresses. The operators of DNSChanger, we knew then, controlled large blocks of IP addresses and were spreading their resolvers across all of them to frustrate mitigation and remediation.

In the end, we just set up our product to block all connectivity to the IP ranges used by DNSChanger’s servers. It was a blunt but effective approach, and those customers who phoned support complaining that they couldn’t get to cnn.com that morning were walked through the process of deleting the malicious DNS settings.

In many ways, DNSChanger helped pioneer some of what are now common malware techniques: it comprised a tiny payload that propagated using social-engineering techniques rather than vulnerabilities; it employed server-side randomization, where the payload executable was generated on the fly (with random IP addresses from the ranges the authors controlled) when it was requested for download; it was the first to use DNS hijacking as a way to generate a revenue stream; it was among the first modern, single-purpose malware families, lacking any sophisticated downloader or backdoor capability, which kept the file sizes small and unobtrusive; and it was one of the first cross-platform malware families, as the authors eventually released a variant that functioned identically under the Mac OS, even pointing to the same DNS server ranges as the Windows versions did.

In the end, the malware was simple to detect, had no self-protection mechanisms, and was easy to remediate. It functioned normally under virtual machines, contained no rootkit code, and deleted itself and made no copies of its installer once its job was complete. For cleanup, you could just delete the malicious DNS settings and, in most cases, Windows would automatically get new, valid ones over DHCP from the router when it rebooted (provided the router itself was still handing out sane resolvers). Maybe the authors thought that, because it was so easy to tidy up afterward, they wouldn’t get in as much trouble if they eventually got caught.

There was one big weakness, though: because the malware relied on fixed IP address ranges for its DNS settings, it was fairly obvious where to look to find the culprits. In 2008, everyone in my old department knew that any IP address beginning with 85.255, for example, fell within a range used by the malware. The entire class B subnet (85.255.0.0/16) was on a blacklist for a time.

Because the attack piggybacked on other, more vicious malware, the way to protect yourself was (and continues to be) education, meaning knowing not to click attachments, not falling for social-engineering tricks, not downloading “codec installers” or other such garbage, and keeping Windows computers fully patched, which may prevent the kinds of drive-by downloads that tend to bring along unwelcome friends like DNSChanger. The FBI has also posted cleanup tips (PDF), just in case there are still infected computers floating around out there.

There are dozens of malware collectives out there now. The black economy is huge and growing larger by the day. The criminals have also figured out better tricks, rogue antivirus being one egregiously big example, that earn them more revenue with little effort and are far more difficult for the casual user to trace back to their origin. But businesses can simply watch outbound traffic on port 53, the port used by DNS: most queries go over UDP 53, with TCP 53 used for larger responses and zone transfers, so watch both.

On any large network, the DNS server addresses are shared among members of that network. A computer using a DNS server other than the ones it should be using, and especially one in the ranges shown in the graphic published by the FBI, should be taken as a possible indication that the computer with those modified settings has been tampered with by malware.
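As an added example of that check (my own illustration, not code from the post or from any vendor product), the script below runs over a handful of constructed flow records, keeps only traffic to port 53 over UDP or TCP, groups it by source host, and compares each destination against the resolvers the network is supposed to hand out and against the operators’ address space. The expected resolvers (10.0.0.53, 10.0.1.53), the sample hosts and the flow format are assumptions for this example; 85.255.0.0/16 is the range the text names, and the rogue-range list is where the rest of the FBI’s published ranges would go. The host using a resolver that is merely unexpected is separated from the one talking to the known-bad range, because a user who set a public resolver by hand should be looked at but is not evidence of infection:

```python
import ipaddress
from collections import defaultdict

# Assumed for this example: the resolvers this network's DHCP hands out.
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Address space used by the DNSChanger operators. 85.255.0.0/16 is the range
# named in the text; extend this list with the FBI's published ranges.
KNOWN_ROGUE_RANGES = [ipaddress.ip_network("85.255.0.0/16")]

# Constructed flow records (timestamp, src, dst, proto, dst port), not real traffic.
# 198.51.100.53 stands in for a public resolver a user configured by hand.
SAMPLE_FLOWS = """\
2011-11-09T08:01:12 10.0.5.21 10.0.0.53 udp 53
2011-11-09T08:01:13 10.0.5.21 10.0.1.53 udp 53
2011-11-09T08:02:40 10.0.5.77 85.255.112.9 udp 53
2011-11-09T08:02:41 10.0.5.77 85.255.113.5 udp 53
2011-11-09T08:03:02 10.0.5.90 198.51.100.53 udp 53
2011-11-09T08:03:03 10.0.5.90 198.51.100.53 tcp 53
2011-11-09T08:04:15 10.0.5.21 93.184.216.34 tcp 443
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, proto, dport) tuples from the flow log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def classify_resolver(addr):
    """expected: one of ours; known_rogue: in the operators' ranges; unexpected: anything else."""
    if addr in EXPECTED_RESOLVERS:
        return "expected"
    if any(addr in net for net in KNOWN_ROGUE_RANGES):
        return "known_rogue"
    return "unexpected"


def audit_dns_flows(text):
    """Return, per source host, a verdict and the classification of every resolver it used."""
    seen = defaultdict(set)
    for _ts, src, dst, proto, dport in parse_flows(text):
        if dport == 53 and proto in ("udp", "tcp"):   # DNS is mostly UDP, but watch TCP too
            seen[src].add(dst)
    findings = {}
    for src, resolvers in seen.items():
        verdicts = {str(r): classify_resolver(r) for r in sorted(resolvers)}
        if "known_rogue" in verdicts.values():
            level = "likely DNSChanger"
        elif "unexpected" in verdicts.values():
            level = "investigate"
        else:
            level = "ok"
        findings[str(src)] = {"level": level, "resolvers": verdicts}
    return findings


if __name__ == "__main__":
    for host, info in audit_dns_flows(SAMPLE_FLOWS).items():
        print(f"{host}: {info['level']}  resolvers={info['resolvers']}")
```

Pointing the same logic at real flow exports (NetFlow, firewall logs, a DNS tap) is a matter of swapping out the parser; the classification is the part that matters, and the two-resolver pattern the post describes shows up here as a host with two distinct known-rogue destinations.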

