
DNS-Changer Trojan Virus Hijacks Your Router!

Symptom: clicking on links in web pages opens a new window; the status bar says something like “Waiting for google-analytics.com”, then it redirects to an advertising site such as epoclick.com. I was also getting the message “jsc.google-analytics.com fails to load”.

I was suspicious, since my partner’s laptop and mine were infected with the same behaviour at the same time.

I don’t have a problem any more, but thought I would share the solution I have found.

It turned out not to be my laptop but our router, which appears to have been hijacked.

I reset the router, and the problem was gone!

  • Could not run ComboFix, as I am running Windows 7 64-bit. ComboFix and Malwarebytes usually fix the virus problems I have with XP.
  • Tried installing Malwarebytes, but its updates got blocked with the message “MBAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest)”.
  • Managed to get Malwarebytes to update through a proxy server. It found and removed one Browser Helper Object, but with no effect.
  • Tried System Restore, setting it back 10 days (the problem was only 48 hours old); the restore was successful, but the problem persisted.

I had a suspicion all along that it wasn’t my laptop, as it started simultaneously on both of our laptops.

I googled the symptoms and initially came upon a lot of discussion about a “Google Redirect Virus”, where a DNS-Changer Trojan alters the network settings on your PC. But I checked, and mine were OK.

Digging deeper, I came across the concept of “DNS poisoning”, and the suggestion was to check the router.

I checked my router and discovered that the DNS settings had been changed: two DNS addresses had been specified, rather than “obtain DNS settings dynamically from your ISP”.


I changed the settings back to “obtain DNS settings dynamically from your ISP”, suspecting this would solve the problem, but it didn’t.

So I reset the router back to factory settings and configured it again for my ISP and wireless network, and lo and behold, the problem is gone.

I hope this solution helps someone else; in my case, no matter what I did to my laptop, nothing would have made a difference.

The following gave me the clues I needed:

“Poisoned” Router DNS Settings

http://www.technibble.com/forums/showpost.php?p=144318&postcount=1

Discovered a new one today (new to me!). A virus that changed the DNS settings in a Netgear WPN824 router. The router had the default password. A quick search on the Internet shows routers “poisoned” by viruses that can modify router settings when the user has NOT changed the default password. Y’all be sure to change your default passwords on customer routers (I usually do this).

Background:

Customer brings me an infected laptop that has a hijacked browser, and I pulled the hard disk and slaved it to my bench PC to clean it (SOP). It had several JavaScript viruses (AVG shows twitters.class, skypeqd.class, mailvue.class, AppleT.class, all in jar_cache). Removed the viruses with AVG.
So I gave the laptop a “clean up/tune up” afterward. Customer picks up the laptop, goes back home, and calls me within hours: “it’s still going to the wrong web sites”. So I ask him to drop it back by the shop so I can check it out again. Pull the hard disk, scan with AVG & Malwarebytes, and it’s clean.

The browser is NOT hijacked in my shop. Put it back into the PC and scan with his AVG & Malwarebytes, and it’s clean. He calls while I have it and says: “now my wife’s laptop is hijacked!”. I pack up his machine and go over to his home and run an IPCONFIG /ALL in a CMD window, and the DNS server shown is 213.109.64.5 (which resolves to a Russian network!). Wow!

Go into his Netgear router and lo and behold, the DNS setting has been changed from “Get Automatically from ISP” to “use these DNS Servers” with the above numbers typed in. Bingo. Change it to “Get Automatically from ISP” and it’s all good.

It is a good reason to always change the default password.
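The IPCONFIG /ALL check in the post above is the quickest way to tell a hijacked router from an infected PC, and it is easy to automate. The Python script below is an added example for this page, not code from the forum post or from this page's author: it parses the text that ipconfig /all prints, pulls out every configured DNS server, and flags any public address that is neither the local router (an RFC 1918, link-local or loopback address, which is what “Get Automatically from ISP” normally yields on the LAN side) nor a resolver you deliberately configured. The sample ipconfig output is constructed, modelled on the post's excerpt, so the script runs offline; the TRUSTED_RESOLVERS set with its two Google Public DNS addresses and the live_ipconfig helper are assumptions for the example.

```python
"""Audit the DNS servers a Windows host is actually using.

Added example for this page, not code from the quoted forum post.  It parses
the text of ``ipconfig /all`` and flags resolvers that are neither the local
router nor a resolver you configured yourself.
"""
import ipaddress
import re
import subprocess

# Public resolvers you deliberately configured and therefore expect to see.
# ASSUMPTION for the example: Google Public DNS.  Replace with your ISP's
# resolvers if your router hands those out directly instead of proxying DNS.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# CONSTRUCTED sample, modelled on the ipconfig /all excerpt in the post above:
# a home LAN whose first DNS server has been changed to 213.109.64.5, with the
# router itself (192.168.1.1) still listed second.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : laptop

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.64.5
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

DNS_FIELD = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)")
CONTINUATION = re.compile(r"^\s{8,}(\S+)\s*$")   # extra servers on their own lines


def parse_dns_servers(ipconfig_text):
    """Return every DNS server address listed in ipconfig /all output.

    ipconfig prints the first server on the "DNS Servers" line and any further
    servers on deeply indented continuation lines, so keep collecting until a
    line that is not such a continuation.
    """
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        field = DNS_FIELD.match(line)
        if field:
            servers.append(field.group(1))
            collecting = True
            continue
        cont = CONTINUATION.match(line) if collecting else None
        if cont:
            servers.append(cont.group(1))
        else:
            collecting = False
    return servers


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """Classify one resolver as 'trusted', 'local' or 'suspicious'."""
    if addr in trusted:
        return "trusted"
    ip = ipaddress.ip_address(addr.split("%")[0])   # drop an IPv6 zone index
    if ip.is_private or ip.is_link_local or ip.is_loopback:
        return "local"          # the router (or the host): what DHCP normally gives
    return "suspicious"         # a public resolver nobody here configured


def audit(ipconfig_text, trusted=TRUSTED_RESOLVERS):
    """Map every resolver in the output to its classification."""
    return {s: classify_resolver(s, trusted) for s in parse_dns_servers(ipconfig_text)}


def live_ipconfig():
    """Run the real command on a Windows host (ASSUMPTION: Windows, ipconfig on PATH)."""
    return subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for server, verdict in audit(SAMPLE_IPCONFIG).items():
        print(f"{server:<20} {verdict}")
    # Expected: 213.109.64.5 suspicious, 192.168.1.1 local.
    # Anything 'suspicious' means: look at the router's DNS page before
    # scanning the PCs, because a hijacked router re-poisons every client.
```

On a real machine, replace SAMPLE_IPCONFIG with live_ipconfig() and run it on each PC behind the router: if every host shows the same unexpected public resolver, the router is the source, exactly as in the post. One caveat: some ISP-supplied routers hand out the ISP's public resolvers over DHCP rather than proxying DNS themselves, so a public address is not proof of tampering on its own; confirm the addresses with the ISP and add them to the trusted set.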

The problem was the router…

http://forums.techarena.in/antivirus-software/1356539.htm

Spotted it today: a Netgear DG834G router was accessed by some malicious software which followed a LimeWire download.

The software logged onto the router (using the default password) and changed the DNS settings from automatic to a set of manual addresses.

The consequence was that, on say a Google search, any link had a results5 prefix.

The standard fix for results5 infections was TDSSKiller etc., of course no good here, as the source of the problem was the router.

Removed the DNS addresses, changed the password on the router and flushed the DNS cache of the connected machines.

Warning! A New Zlob Trojan Modifies Wireless Router Settings

http://www.pc1news.com/news/0017/war…-settings.html

The new version of the Zlob Trojan, or DNSChanger, attacks wireless routers and changes their settings. In general, Zlob Trojans, believed to be of Russian origin, masquerade as a video codec that is necessary to view certain content on web sites.

Recently, it has been found that the new version of the Zlob Trojan is able to determine whether the potential victim uses a wired or wireless hardware router, and manages to guess the password in order to administer the router it finds and affect its DNS (Domain Name System) records. Attackers are then able to alter the major settings on the victim’s Internet router in such a way that all web traffic is re-routed from legitimate web sites to servers controlled by hackers.

Should we really be concerned about this new version of the Zlob Trojan? Yes! And for a number of reasons. First, Microsoft indicates that Zlob Trojans are among the most frequently found Trojans downloaded to Windows systems. Besides, it is very important to note that even if the user successfully cleans the computer affected by the Zlob Trojan (DNSChanger), the network is left compromised. If several computers use the same router, all the systems connected to that router have their web traffic re-routed to the servers administered by the hackers. Last but not least, this malware can corrupt computers with various components that are often improperly detected by many current anti-virus tools.

Now that it is clear that this Trojan is worth our concern, some advice should be provided. In order to avoid Zlob Trojan attacks, it is, first of all, recommended to choose strong router administration usernames and passwords. They should not be easily guessed. The username should not also be used as the password. It is also strongly advised to change all default passwords, if possible. However, the problem is that most often users do not change these usernames and passwords on wireless routers, even though they have locked down their wireless router with encryption and used other security settings.

And what to do if the wireless router is already affected by the Zlob Trojan and its settings have been modified? It is, first of all, recommended to reset the wireless router to its default configuration. Remember that all security settings that were used before the reset will have to be reconfigured. Sometimes it is also worthwhile to consult your Internet Service Provider and clarify which DNS servers should be used. Finally, when several computers are using the same router and are infected by the Zlob Trojan, it is absolutely necessary for all of them to be cleared of the Trojan first and only then to reset the router. Otherwise, the problem will recur immediately after the reboot and the router’s settings will be changed again.

A Frustrating Experience

http://www.rootschat.com/forum/index.php?PHPSESSID=l8n6p2sjl0d5dpgktfe8p0ck40&topic=494398.0

Since I was last here we tried the “answer is to edit your hosts file using NotePad and add an extra line” theory; this did work and stopped it going to the Google search page, which by now was happening every single time I clicked on a link on this site. Doing a search with Google still got me redirected to other places.

My PC man just wasn’t happy about this as, as far as he was concerned, it was just covering up the problem, as Sikes also said.
So my PC was taken away to the repairman’s home; after 36 hours he brought it back and told me that during all that time the problem had not happened once. He said he had “hammered” it, downloading all sorts of stuff and using sites that I had never heard of, trying to get it to happen just once.

I had previously found a web page discussing router infections and sent this to my PC man; he had a good look at all the possibilities of this.
Then he wiped it clean again, for the 3rd time, and just reinstalled Windows.

He brought it back yesterday, reconnected it and $%&*//@ heck, it started again.

The only thing different between his house and mine was the router.

He reset it and lo and behold it worked with no problem at all. Then he reinstalled all my files etc., then my programmes, and it’s still OK.

He did say that there seemed to have been 2 settings on the router, one which was correct and another that was possibly taking me to goodness knows where.

Now I did get a bad virus a couple of weeks after installing the new router, and a scan showed me there were approx. 854 infections.

This was before the second reinstall. Every removal tool showed absolutely nothing, so at the end of a very frustrating couple of weeks we have come to the conclusion that somehow the router had become corrupted, settings had changed and caused the problem.

PC man has now stored this problem of mine in his mind as something to consider if anyone else has similar issues.

2 Responses to DNS-Changer Trojan Virus Hijacks Your Router!

  1. Brian August 14, 2011 at 1:49 pm

    Thank you very much. I had been having this problem on my computers at home and it was very frustrating. Then I finally had to reformat one of my computers (the last one to move from Windows XP to Windows 7), and right after I finished the install and all of the Windows updates, I installed Google Chrome, and the first time I launched it, it redirected. That was the last straw for me. I searched all over and kept on finding stuff that was all about viruses on the computer, without any decent solutions. Then I came across this page, and it talked about exactly what my problem was, especially since I had just reformatted a computer and it immediately had the same problem.

    Thank you again. You helped me make this problem go away.

    Brian

  2. Teodoro Bibiano July 10, 2012 at 8:20 am

    Was the ~250000 users that were supposed to be affected, accurate?
