NEWS FROM THE LAB - Friday, December 11, 2009

DNSChanger Trojans & Modems Posted by Alia @ 01:42 GMT

Quick note: we're still occasionally getting reports of DNSChanger trojan variants altering the DNS information on both the infected system and on certain ADSL modems. It's an old, unsophisticated problem, but more awareness of it can't hurt.

There are a couple of twists on the basic strategy — the trojan may modify the modem's settings to use a rogue DNS server (one that serves tainted answers), or it can install a DHCP driver on the modem. Either way, users end up redirected to a malicious site that performs drive-by downloads.

The trojan gets access to the modem's settings by brute-forcing the user name and password, which many people leave at the factory default. A simple preventive measure any user can take is to replace the default with a strong password. We've got a couple of previous posts (May 26, October 7) on how to do this.

For our users, if the infection was already on the computer before our product was installed, the product will clean up the infection on the computer, but the modem settings will still point to the rogue DNS server.

To clean out a modem, its settings need to be reset manually. The instructions are specific to each modem type, so if necessary call your ISP for more details.
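As an added illustration (not code from the original post), here is a small check for the situation described above: parse the resolvers Windows reports in `ipconfig /all` and flag any that sit outside the networks you expect. The sample output, the "ISP" resolver range and the rogue address are all constructed.

```python
import ipaddress
import re

# Constructed excerpt of `ipconfig /all` output (not from a real machine).
# The second DNS entry stands in for a rogue resolver that a reconfigured
# modem keeps handing out over DHCP even after the PC itself is clean.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.77
"""

# Resolvers a home user normally expects: the modem itself (private ranges)
# plus the ISP's resolvers. The ISP range below is a constructed placeholder.
EXPECTED_RESOLVERS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # modem / gateway
    "198.51.100.0/24",                                 # stand-in ISP range
]

DNS_LINE = re.compile(r"DNS Servers[ .]*: *(\S+)")
CONTINUATION = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def extract_dns_servers(ipconfig_text):
    """Return the DNS servers listed in `ipconfig /all` output.

    Windows prints additional resolvers on continuation lines that hold only
    an address, so keep collecting until a line with a field label appears.
    """
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        match = DNS_LINE.search(line)
        if match:
            servers.append(match.group(1))
            collecting = True
        elif collecting:
            cont = CONTINUATION.match(line)
            if cont:
                servers.append(cont.group(1))
            else:
                collecting = False
    return servers


def suspicious_dns_servers(servers, expected_networks=EXPECTED_RESOLVERS):
    """Return resolvers outside every expected network (worth investigating)."""
    allowed = [ipaddress.ip_network(n) for n in expected_networks]
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in allowed)]


if __name__ == "__main__":
    found = extract_dns_servers(SAMPLE_IPCONFIG)
    print("configured resolvers:", found)
    print("unexpected resolvers:", suspicious_dns_servers(found) or "none")
```

An unexpected resolver that survives a host cleanup is the sign that the modem's own settings, not the PC, still need resetting.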