DNS Changer 2.0 (Trojan.Flush.M) is the next in-the-wild variant of this famous malware. The strategy has changed: it no longer needs to modify the DNS settings on ADSL routers. Instead, it installs a network driver (NDISProt.sys) that allows the malware to send and receive raw Ethernet packets. This approach helps it bypass the Windows TCP/IP stack, the firewall (FW) and HIPS.
It installs a rogue DHCP server on the infected machine, listens for DHCP requests, and responds with its own crafted DHCP offer packets. The reply contains malicious DNS servers, which redirect hosts to infected websites that include everything from phishing to exploit-and-infect pages.
The question is how to protect against and prevent such attacks.
We have all heard of a "Vulnerability Assessment" or a "Network Security Assessment", but what about a "Malware Resistance Assessment"?
Well, it came to my mind this morning while talking to one of my customers about hardening their machines to be more "resistant" to malware infections.
It’s not clear if there is any kind of standard to follow when we need to measure the “resistance level” of our network against malware, but based on my knowledge and experience, I’d like to craft an essential checklist of questions for you to answer yourself:
Zlob (also known as DNSChanger) modifies the DNS settings to use rogue DNS servers. These name servers resolve non-existent domains (typo-squatting) to IP addresses associated with the authors to generate revenue, and could potentially re-route traffic from legitimate web sites to other suspicious web sites.
Today we will continue our talk about malware. Let's go one step further and see how exciting it is to get infected with malware on your machine and then clean it. I always call this process "CSI - Malware Analysis." (Not yet broadcast, folks.) Why? Your antivirus is clueless, because either it's not up to date or there are no signatures yet. You have to come to the rescue, or format the system and lose your data, configurations, forgotten files, etc. So, your job starts when the antivirus stops.
The easy way depends on a high level of skill in operating systems, networking, batch scripting, and security. If you have the required skills, you can choose which way to follow. Today I’ll show you how to use free and easy-to-get tools, along with some skills, to recover your infected machine.