Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 12th, 2008

New Zlob Trojan Version Alters Wireless Router Settings And Hijacks DNS

Recent versions of the notorious “Zlob” Trojan check whether the victim’s machine sits behind a wireless or wired hardware router. The Trojan attempts to guess the password needed to administer that router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the router’s domain name system (DNS) settings so that all future traffic passes through the attacker’s network first. DNS translates names into IP addresses, so altered settings can expose the victim’s Internet traffic.

The new Zlob Trojan, also known as DNSChanger, uses the same old technique and presents itself as a video codec required to view content on certain infected websites. Once installed on the system, it tries to change key settings on the victim’s Internet router so that all of the victim’s Web traffic is routed through servers controlled by the attackers. The DNS hijack happens while the installer program runs, so by the time the user sees the fake codec installer screen, the malware has already attempted to change the DNS settings on the victim’s router.

This appears to be the first time this behavior has been spotted in malware released into the wild. The new function should worry users, since Zlob is among the most “popular” types of Trojans downloaded onto Windows machines (Microsoft reports 14.3 million instances of Zlob-related malware on customer machines in the second half of 2007).

A Windows user whose machine is infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off the computer completely, yet still leave the network compromised. Users are unlikely to check the router settings if the Internet connection seems to be functioning fine. In reality, the router might still send traffic to malicious logging servers even when the system is virus-free.

Sunbelt confirms that the malware successfully changes the DNS settings on a Linksys router (model BEFSX41). It was a new, out-of-the-box unit with the default username and password. Another test showed that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware.

Sunbelt also found that if multiple machines use the same router, all of the systems connected to that router will have their traffic hijacked. According to Eric Sites, chief technology officer at Sunbelt, this is something they have not seen before, and it was only a matter of time before someone started using this attack. Sites said his team is testing the new Zlob variants against multiple routers to see how they fare against the malware.

Captured traffic shows that the new Zlob variant tries to reconfigure different routers by requesting the local Web pages for the various “setup wizards” that ship with the devices. Routers used by machines infected with Zlob/DNSChanger should be reset to their default configuration if the settings have been changed. If other Zlob-infected machines share the same router, they will need to be cleared of the Trojan before the router is reset; otherwise, the malware will simply go back and change the router’s DNS settings a few minutes after the reboot. You will then need to reconfigure any security settings you had in place prior to the reset.
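Because a cleaned PC can keep using a hijacked router, a quick check is to compare the resolvers a host is actually handed with the ones it should be using. The script below is an added example, not code from Sunbelt or the article: it parses the DNS servers from Windows `ipconfig /all` output and flags any public resolver that is not on a trusted list. The trusted and sample addresses are constructed placeholders from the documentation ranges.

```python
"""Flag hosts whose DNS servers do not match the expected configuration.

Added example, not from the original article. TRUSTED_RESOLVERS and the
sample ipconfig text are constructed placeholder values.
"""
import ipaddress
import re

# Resolvers the site knows to be legitimate (constructed placeholders).
TRUSTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

# Addresses that point at the LAN router or the host itself. Checked explicitly
# rather than via ip.is_private, which also treats the documentation ranges as private.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fe80::/10", "fc00::/7", "::1/128")]

# Constructed sample of 'ipconfig /all' output from a host behind a hijacked router.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       203.0.113.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def parse_ipconfig_dns(text):
    """Return the DNS server addresses listed in 'ipconfig /all' output.

    The first address follows the 'DNS Servers' label; further addresses
    appear on indented continuation lines until a new label starts."""
    servers, capture = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            capture = True
            line = line.split(":", 1)[1]
        elif capture and not re.match(r"^\s+[0-9a-fA-F.:%]+\s*$", line):
            capture = False
            continue
        if capture and line.strip():
            servers.append(line.strip())
    return servers

def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Return (address, reason) pairs for resolvers that need attention."""
    findings = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            findings.append((s, "unparseable address"))
            continue
        if any(ip in net for net in LAN_RANGES):
            continue  # router or local forwarder: verify its upstream DNS separately
        if str(ip) not in trusted:
            findings.append((s, "public resolver not on the trusted list"))
    return findings

def audit_ipconfig(text):
    """Convenience wrapper: parse ipconfig output and audit the resolvers found."""
    return audit_resolvers(parse_ipconfig_dns(text))

if __name__ == "__main__":
    for addr, reason in audit_ipconfig(SAMPLE_IPCONFIG):
        print(f"suspicious resolver {addr}: {reason}")
```

A host that only lists the router’s LAN address passes this check, so the router’s own upstream DNS entries still have to be compared against the same trusted list.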

Credit: Sunbelt Blog, Washingtonpost Security Fix Blog
