The malware initially infects Windows or Apple computers and subsequently gains access to routers connected to those systems by exploiting weaknesses such as default factory configurations and easily guessable passwords.
Once a device has been accessed, the malware changes the DNS settings on the computers and devices and points them at rogue foreign DNS servers.
In a typical attack scenario, unwitting users are enticed to download malware (similar to Trojan:BAT/Dnschanger.B), which then tampers with the Windows network settings on the host computer (DNS entries in the hosts file, a proxy added to the browser settings), scans for connected DSL devices and tries to log in directly to their admin interface to change the DNS settings on the routers.
By achieving this, cyber criminals can control which sites the user connects to on the internet. The following actions could be performed on an infected system:
- Redirecting the intended queries to malicious servers, leading to further downloads of malware or potentially unwanted programs, or to phishing attacks
- Eavesdropping on user sessions
- Man-in-the-Middle (MITM) attacks
- Serving advertisements of the attacker's choice
- Preventing downloads of operating system and antivirus updates
Confirming malware infection
- Check the local or ADSL / VoIP router DNS server settings against the identified rogue DNS servers:
- 126.96.36.199 - 188.8.131.52
- 184.108.40.206 - 220.127.116.11
- 18.104.22.168 - 22.214.171.124
The local DNS server list can be displayed by running ipconfig /all | findstr "DNS" in the Windows command prompt. If any suspicious entries are found, delete them and run ipconfig /flushdns to clear the cached entries.
Access the router interface and check its DNS entries. Refer to the owner's manual for accessing and configuring the device.
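The host-side checks above (DNS servers from ipconfig /all, entries planted in the hosts file), as an added example that is not part of the advisory: it parses ipconfig /all output and a hosts file and flags matches against the rogue DNS list given above. The ipconfig output, the hosts file and the update.example.com name are constructed samples; on a real machine you would feed it the actual ipconfig /all output and the hosts file from the Windows system directory.

```python
import ipaddress

# Rogue DNS servers named in the advisory above.
ROGUE_DNS_SERVERS = {"126.96.36.199", "188.8.131.52", "184.108.40.206",
                     "220.127.116.11", "18.104.22.168", "22.214.171.124"}

def parse_ipconfig_dns(output):
    """DNS servers from `ipconfig /all` text: the first follows the 'DNS Servers'
    label, extra ones sit on indented continuation lines holding a bare address."""
    servers, collecting = [], False
    for line in output.splitlines():
        if line.lstrip().startswith("DNS Servers"):
            collecting, value = True, line.split(":", 1)[1].strip()
        elif collecting:
            value = line.strip()
        else:
            continue
        try:
            servers.append(str(ipaddress.ip_address(value)))
        except ValueError:
            collecting = False  # next labelled line ends the DNS block
    return servers

def rogue_dns_hits(servers):
    """Configured DNS servers that match the advisory's rogue list."""
    return sorted(set(servers) & ROGUE_DNS_SERVERS)

def parse_hosts(text):
    """(ip, name) pairs from a hosts file, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        entries.extend((fields[0], name) for name in fields[1:])
    return entries

def suspicious_hosts_entries(entries):
    """Entries pinned to a rogue server or to any non-loopback address
    (heuristic: a clean Windows hosts file maps nothing but localhost)."""
    return [(ip, name) for ip, name in entries
            if ip in ROGUE_DNS_SERVERS or not ipaddress.ip_address(ip).is_loopback]

# Constructed samples standing in for real `ipconfig /all` output and the hosts file.
SAMPLE_IPCONFIG = """Ethernet adapter Ethernet:
   DNS Servers . . . . . . . . . . . : 126.96.36.199
                                       188.8.131.52
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_HOSTS = """127.0.0.1       localhost   # constructed sample
18.104.22.168   update.example.com
"""
```

Running rogue_dns_hits(parse_ipconfig_dns(SAMPLE_IPCONFIG)) and suspicious_hosts_entries(parse_hosts(SAMPLE_HOSTS)) on the samples reports both rogue resolvers and the planted hosts entry.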