TDSS Rootkit and DNSchanger: An Unholy Alliance

The TDSS rootkit has proven to be more pliable and adaptable than a campaigning politician, and attackers have used it in various forms for the last three or four years for all sorts of different attacks. It shows up in drive-by downloads, targeted attacks and just about everything in between, and one of the newer jobs it’s been assigned is to deliver the DNSchanger Trojan.

TDSS RootkitThe TDSS rootkit has proven to be more pliable and adaptable than a campaigning politician, and attackers have used it in various forms for the last three or four years for all sorts of different attacks. It shows up in drive-by downloads, targeted attacks and just about everything in between, and one of the newer jobs it’s been assigned is to deliver the DNSchanger Trojan.

As much of a nightmare as TDSS, also known as Alureon or TDL4, can be, an infection by DNSchanger can be just as problematic in some respects. The malware’s main function is to hijack the victim’s Web traffic by changing the DNS settings on the infected machine, redirecting him to malicious sites rather than whichever ones he’s aiming to visit. So once the Trojan has changed the DNS configuration on the machine, DNS queries from the PC will be redirected to the attacker-controlled DNS servers, allowing the attackers to force the user to visit malicious sites.

The attackers can use that traffic for any number of things, including installing other pieces of malware or as part of a pay-per-click ad fraud scheme. Researchers at Dell’s Secureworks unit said that they have been seeing between 600,000 and 1 million unique IP addresses infected with the DNSchanger Trojan in recent weeks, and they’ve seen TDSS downloading and installing the Trojan.

The FBI last week helped take down six Estonians whom they allege are behind the DNSchanger malware campaigns. There is more information on the way the operation worked and what users can do to fix compromised machines available from the FBI. The six men have been arrested in Estonia and are awaiting extradition to the United States.

“One of the key worries with being infected with the DNS Changer malware is that it often an indicator that your system is infected with a larger malware cocktail , where the hacker, along with DNS Changer, has downloaded a slew of malware: Rogue AV, ZeuS Banking Trojan, Spam Bot, etc.  Also, controlling the DNS servers allows the attackers to modify the results for the DNS queries and redirect users to any sites the attacker chooses. These sites may attempt to install additional malicious components on the system. There are also more devious options, including man in the middle attacks. Controlling DNS gives an attacker complete access to a system,” a Secureworks research report on TDSS and DNSchanger says.

Removing TDSS can be a challenge, and the same is true of the DNSchanger component. One symptom of an infection by DNSchanger can be difficulty reaching popular sites such as Google, and instead ending up at an unfamiliar ad-laden site. These sites often will be used for drive-by download attacks. Users can check their DNS settings on a Windows machine by going to the command line and typing: ipconfig/all. If the DNS server field shows an address in any of the following ranges, the Secureworks researchers say, it’s infected:

85.255.112.0 through 85.255.127.255

67.210.0.0 through 67.210.15.255

93.188.160.0 through 93.188.167.255

77.67.83.0 through 77.67.83.255

213.109.64.0 through 213.109.79.255

64.28.176.0 through 64.28.191.255

Suggested articles