
A Scary Twist in Malware Evil-ution

Security experts are warning Internet users to be aware of a disturbing evolution in malicious software that can turn a single infected computer into a vehicle for stealing data from nearby systems, regardless of what operating system or security software those computers may be running.

The evolution comes compliments of the DNSChanger family of malware, which usually comes disguised as a codec or browser plug-in that a user is told he or she needs to install in order to view Web-based videos. As its name suggests, the malware alters the domain name system (DNS) server settings on infected systems, effectively routing the victim's Web searches and other online activities through servers that the attackers control. DNSChanger can install on a Mac or Windows computer.

The added feature in the latest version of DNSChanger is that it installs its own DHCP server on the victim's machine. DHCP stands for "dynamic host control protocol," and it is what wired and wireless routers use to hand out addresses to computers on a network. In fact, most laptops are configured to automatically request an Internet address from any local wireless network that happens to be handing them out.

Why is this a big deal? By adding its own DHCP server to a host machine, DNSChanger can now offer nearby wireless-equipped devices an Internet address, complete with its own set of rogue DNS servers.

Craig Schmugar from McAfee breaks down the threat from this malware with the following scenario:

• Jill is using the free WiFi access point at her favorite coffee shop from her infected Windows laptop.
• Steve sits down at the next table and fires up his laptop, which requests an IP address over the wireless local area network.
• Jill's PC injects a DHCP offer command to instruct Steve's computer to route all DNS requests through a rogue DNS server.
• Steve fires up his Web browser and navigates to his favorite social networking site, but while the browser displays the correct URL name, the rogue DNS server has actually directed the browser to another site.

Symantec calls this variant Trojan.Flush.M. McAfee says it does not appear to be widely implemented in the DNSChanger family as yet, but that it expects this will change soon, noting that DNSChanger is one of the most prolific strains of malware out there today. What's more, a single infected system could potentially impact hundreds of other systems on the local network.
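To show what the DHCP half of this attack looks like on the wire from the defender's side, here is an added example in Python; it is not code from the article, McAfee or Symantec. It decodes a raw DHCP OFFER (BOOTP header plus the option list) and flags two tells of the scenario above: the offer carries a server identifier (option 54) other than the site's real DHCP server, or it pushes DNS servers (option 6) that are not on an approved list. The trusted server 192.168.1.1, the approved-resolver set and the two sample offers (one from the real router, one from another LAN host handing out TEST-NET-3 resolvers) are all constructed assumptions; in practice the packets would come from a capture on the wireless segment.

```python
import struct
from ipaddress import IPv4Address

# DHCP/BOOTP constants (RFC 2131 / RFC 2132)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_DNS_SERVERS = 6      # option 6: list of DNS server addresses
OPT_MSG_TYPE = 53        # option 53: DHCP message type
OPT_SERVER_ID = 54       # option 54: address of the answering DHCP server
MSG_OFFER = 2
BOOTP_HEADER_LEN = 236


def parse_dhcp(packet):
    """Decode the fixed BOOTP header and the DHCP option list into a dict."""
    if len(packet) < BOOTP_HEADER_LEN + 4 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    options = {}
    i = BOOTP_HEADER_LEN + 4               # first byte after the magic cookie
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": IPv4Address(packet[16:20]),       # address being offered
        "chaddr": packet[28:28 + hlen].hex(":"),    # client MAC
        "options": options,
    }


def ip_list(raw):
    """Split a raw option value into 4-byte IPv4 addresses (a trailing partial is ignored)."""
    return [IPv4Address(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]


def classify_offer(packet, trusted_dhcp_server, approved_resolvers):
    """Return findings for a DHCP OFFER; an empty list means the offer looks legitimate."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return []                              # only OFFERs are examined here
    findings = []
    server_id = IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    if server_id != trusted_dhcp_server:
        findings.append(f"OFFER of {msg['yiaddr']} to {msg['chaddr']} came from "
                        f"unexpected DHCP server {server_id}")
    rogue = [str(a) for a in ip_list(opts.get(OPT_DNS_SERVERS, b""))
             if a not in approved_resolvers]
    if rogue:
        findings.append(f"OFFER of {msg['yiaddr']} pushes unapproved DNS servers: "
                        + ", ".join(rogue))
    return findings


def build_offer(xid, yiaddr, server_id, dns_servers, chaddr=bytes.fromhex("0a1b2c3d4e5f")):
    """Construct a minimal DHCP OFFER; used here only to create sample input."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=BOOTREPLY, Ethernet
    hdr += bytes(4)                                        # ciaddr
    hdr += IPv4Address(yiaddr).packed                      # yiaddr
    hdr += bytes(8)                                        # siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00")                       # chaddr
    hdr += bytes(64 + 128)                                 # sname, file
    dns_raw = b"".join(IPv4Address(d).packed for d in dns_servers)
    opts = bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    opts += bytes([OPT_DNS_SERVERS, len(dns_raw)]) + dns_raw
    opts += bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts


# Constructed sample data (assumption): the site's real router is 192.168.1.1;
# the rogue offer comes from another LAN host and points clients at TEST-NET-3.
TRUSTED_DHCP = IPv4Address("192.168.1.1")
APPROVED_DNS = {IPv4Address("192.168.1.1")}
LEGIT_OFFER = build_offer(0x1234, "192.168.1.20", "192.168.1.1", ["192.168.1.1"])
ROGUE_OFFER = build_offer(0x1235, "192.168.1.21", "192.168.1.42",
                          ["203.0.113.5", "203.0.113.6"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, classify_offer(pkt, TRUSTED_DHCP, APPROVED_DNS) or ["ok"])
```

Both checks matter: a rogue server can hand out the gateway's real address as DNS and still be a second DHCP server on the segment, and a compromised real server can hand out bad resolvers, so neither tell alone is sufficient.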

By Brian Krebs  |  December 8, 2008; 4:30 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips , Web Fraud 2.0  


Is there any way currently to know when this happens? Is there any way to protect our computers?
I use a Dell at work and have only Apple computers at home, but if I accidentally am taken over by the malware at work, then will it automatically infect my machines at home when I open them to my email account, for instance?

Posted by: sovaza | December 8, 2008 6:16 PM | Report abuse

And how long are people like 'Jill' going to be immune from civil or criminal charges because they did not secure their computer properly?

If I left an unsecured handgun on my porch and it was used in a crime, wouldn't I be liable?

It just seems that the internet is being taken over by criminal gangs and nothing is being done about it except to wring our hands...

Posted by: news5 | December 8, 2008 7:02 PM | Report abuse

Would the use of a VPN over the wi-fi network make any difference? Meaning, I log in to the wifi network, and then immediately activate a VPN for my connection. Does that offer any kind of protection from this?

Posted by: alan_am8 | December 8, 2008 9:13 PM | Report abuse

Until people in the USA are willing to see our Canadian neighbors for what they are - pot smoking beer swilling steak eating subversives - there will be no computer security in the USA.

Posted by: officermancuso | December 8, 2008 9:57 PM | Report abuse

VPNs won't help unless you connect to your VPN server by IP address instead of a domain name (i.e., corporate VPN configurations almost always specify a domain name for their server location).

The simplest solution would be to specify your own DNS server ( is a great choice if you need one) instead of using whatever is provided by your access point. I can't stress this enough if you roam with your laptop a lot: it's extremely easy for a malicious person to set up an open wifi AP and quietly redirect hapless connectors as they please, for example to phishing sites where they can then collect login credentials. This attack vector will work against PCs, Macs, Linux boxes, iPhones, Blackberries, Nintendo DSes, and the 802.11N-enabled toaster you're getting for Christmas.

Posted by: bmac4 | December 8, 2008 10:00 PM | Report abuse

BMAC4 -- Not sure I understand.

If I have a Blackberry or iPhone, I am using my wireless phone connection to either Verizon Wireless, or whoever, not a WiFi access point.

Open DNS had an interesting demo at, but how is it relevant in this instance ???

Posted by: | December 9, 2008 5:21 AM | Report abuse

It's not Evil-ution, it's Elvis-lution!

Posted by: kiaser_zohsay | December 9, 2008 9:53 AM | Report abuse

The blackberry/iphone will only use its phone connection if that's how it's configured. If it's set up to use WiFi (no airtime charges) it will get an IP address from whatever local DHCP it finds.

By specifying a DNS Server from OpenDNS, you've given the device (any device, not just a phone) a preset server to use and it will ignore all DHCP offers.

Posted by: dactyl | December 9, 2008 9:57 AM | Report abuse

This particular evil (and many others as well) would fail if Jill would follow your advice and login as a limited user.

Posted by: washpost34 | December 9, 2008 11:12 AM | Report abuse

Unsophisticates having the capability to blithely install codecs and plugins is yet another reason why Windows is harmful (because it does not insist that users know what they are doing). Vista's UAC is a step in the right direction away from the "personal" computer mentality, but, of course, MSFT implemented it terribly.

The bottom lines are that people who are "just users" shouldn't be given Administrator privilege, and your poorly-designed Operating System shouldn't require you to have Administrator privs to run apps. (Yes, Windows' single-user legacy and developers' 25-year-old sloppy "I own the hardware" mentality cause many apps not to run properly without Administrator privs.)

Wait, you say, OSX is vulnerable too, and it's Unix!! Well, Steve Jobs' successful drive for user friendliness has castrated Unix's security model.

Posted by: ronljohnson | December 9, 2008 11:16 AM | Report abuse

"DNSChanger can install on a Mac or Windows computer."

Not Linux or Unix? If not, why not?

Posted by: elmo46 | December 9, 2008 11:17 AM | Report abuse

@Washpost134 -- I don't believe even a limited user would be immune to having rogue DNS servers assigned to them from a new DHCP lease. Unless that user had already keyed in specific DNS server settings in their network control panel. In that case, those settings should override any DNS servers the infected PC or router tries to offer.

Posted by: Brian Krebs | December 9, 2008 11:18 AM | Report abuse

@Elmo46 -- There simply is no known version of DNSchanger for anything but Mac and Windows. You'd have to ask the malware writers why they haven't bothered with Linux.

Bear in mind, though, that while there is no known version of this malware for Linux, a Linux user could just as easily be affected by this attack simply by being in the vicinity of a user whose computer IS infected.

Posted by: Brian Krebs | December 9, 2008 11:19 AM | Report abuse

I've encountered DNSChanger variants a couple of times recently, and the ones I've seen were easily removed with Spybot or NOD32. However, removal of the malware WILL NOT reconfigure your compromised DNS settings on a previously infected machine; that has to be done manually. Sorry if this seems too obvious to be worth pointing out, but I recently had to go behind another tech and fix this after he failed to catch the problem.

Posted by: slgrieb | December 9, 2008 11:29 AM | Report abuse

Site admins can mitigate this threat somewhat by blocking DNS requests from clients to unknown DNS servers (at the router/firewall).

Posted by: heathk | December 9, 2008 1:47 PM | Report abuse
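The site-level control heathk describes has a detection counterpart: once DNS is only permitted to known resolvers, any client still trying to reach port 53 elsewhere is either misconfigured or carrying rogue DNS settings from an offer like the one in the article. The following is an added example in Python, not code from the blog or any commenter. It parses constructed log lines written in the style of iptables LOG output (the SRC=/DST=/PROTO=/DPT= fields are the assumption; the exact prefix and timestamps do not matter to the parser) and reports, per client, which unapproved DNS servers it talked to. The approved-resolver set (192.168.1.1) and all addresses are constructed sample values.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Assumption: the site runs or permits exactly these resolvers; anything else is unknown.
APPROVED_RESOLVERS = {ip_address("192.168.1.1")}

# key=value fields as carried by iptables-style LOG lines
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
REQUIRED = {"SRC", "DST", "PROTO", "DPT"}


def parse_log_line(line):
    """Return the SRC/DST/PROTO/DPT fields of a line, or None if any is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not REQUIRED.issubset(fields):
        return None
    return fields


def is_dns_flow(fields):
    """DNS is port 53 over UDP or TCP; other ports (for example mDNS on 5353) are ignored."""
    return fields["DPT"] == "53" and fields["PROTO"] in ("UDP", "TCP")


def find_unapproved_dns(log_text, approved=APPROVED_RESOLVERS):
    """Map each client that sent DNS to a non-approved server onto the servers it used."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or not is_dns_flow(f):
            continue
        dst = ip_address(f["DST"])
        if dst not in approved:
            hits[f["SRC"]].add(str(dst))
    return {client: sorted(servers) for client, servers in hits.items()}


# Constructed sample log: .20 uses the real resolver, .21 carries rogue DNS settings.
SAMPLE_LOG = """\
Dec  9 13:40:01 gw kernel: FW-FWD: SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=51012 DPT=53
Dec  9 13:40:02 gw kernel: FW-FWD: SRC=192.168.1.21 DST=203.0.113.5 PROTO=UDP SPT=40231 DPT=53
Dec  9 13:40:02 gw kernel: FW-FWD: SRC=192.168.1.21 DST=203.0.113.6 PROTO=TCP SPT=40232 DPT=53
Dec  9 13:40:03 gw kernel: FW-FWD: SRC=192.168.1.21 DST=198.51.100.9 PROTO=TCP SPT=40233 DPT=443
Dec  9 13:40:04 gw kernel: FW-FWD: SRC=192.168.1.20 DST=203.0.113.5 PROTO=UDP SPT=51013 DPT=5353
garbage line without fields
"""

if __name__ == "__main__":
    for client, servers in find_unapproved_dns(SAMPLE_LOG).items():
        print(f"{client} sent DNS to unapproved servers: {', '.join(servers)}")
```

The same approved-resolver set is what the firewall rule itself should be built from, so the allow rule and the alerting logic cannot drift apart; a client that shows up in this report is a candidate for the manual DNS clean-up slgrieb describes above, since removing the malware does not reset the settings it changed.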

I noticed some letters after my domain home page eg;

Is this what you mean?

The domain is redirected to my .com page but I've not noticed it before.

Posted by: arith | December 9, 2008 2:06 PM | Report abuse


You missed my point about the original infection with Jill. She couldn't have gotten infected if she couldn't install malware.

Posted by: washpost34 | December 9, 2008 2:46 PM | Report abuse

Hackers make yet another intelligent design, but it's evil-ution. Yep. It's not their latest creation. I read it on the internet.

Posted by: list2008 | December 9, 2008 2:52 PM | Report abuse

@Washpost34 -- Not entirely true. The reason this malware succeeds is that it convinces people to install software; it doesn't use drive-by install techniques.

Even if the user is running under a limited user account, if they want to install a video codec or browser add-on, then while they will have to go through an extra step of entering their password or switching over to an admin account, the limited user account is not going to prevent this. Hopefully, at this point, the user's anti-virus software would flag the add-on as malicious, but we've seen time and again how that fails as well.

Posted by: Brian Krebs | December 9, 2008 2:53 PM | Report abuse

I find the comment by Officer Mancuso to be offensive and unprofessional. It is also in violation of the rules governing commentaries and discussions. Please remove it.

Posted by: amcook1 | December 9, 2008 2:59 PM | Report abuse

As fundamental as DNS is to the operation of the world-wide web, it is amazingly susceptible to compromise. DNSSEC and other techniques, which seek to add security features to DNS clients and servers, are being deployed very slowly. We are still years away from a reliable DNS system.

I believe the best approach for consumers is to assume a computer and the network it connects to is compromised. What does one do with such a radical assumption? Check out SafeCentral, which delivers secure browsing even on infected computers and networks. You can find out more here:

Posted by: rdickenson | December 9, 2008 7:02 PM | Report abuse

1. A VPN is a solution because it can successfully connect only to the real VPN endpoint - if DNS is being manipulated, the VPN connect will fail.

2. Relying on OpenDNS alone will not protect you from the second WiFi cafe attack - the 'Evil twin' who can modify responses from OpenDNS servers.

Posted by: moike | December 10, 2008 3:27 PM | Report abuse


I made a first yr rookie mistake and as a result infected my desktop with the Koobface virus.

I run my desktop and laptop on a wireless system. Can I infect the other two computers via the wireless system?

There is NO information on Facebook and I am so angry with their lack of support, I am going to discontinue my page due to security issues.

I am pleading with anyone with any kind of information, please let me know how I can eradicate this garbage.

Even after running multiple anti-virus packs, I am only able to get online via Explorer (which I hate).

Every attempt to download new Firefox browser software ends in a server protocol violation and I am unable to download the browser.

Is the next step to have the hard drive wiped clean? Suggestions are much appreciated.


Posted by: dean_guadagni | December 10, 2008 3:29 PM | Report abuse

To officermancuso: Canadians aren't pot smoking, beer swilling subversives. We are guilty of steak eating as you say and we are also salmon smoking, coffee swilling friendly folks north of the border. Relax and join us in enjoying the good things in life. After all we are allies in Afghanistan and name calling is out of place. Merry Christmas to all and to all a good night.

Posted by: gbeard2 | December 12, 2008 2:18 AM | Report abuse

© 2010 The Washington Post Company