Trojan.Win32.DNSChanger

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

Behaviour
DNS changer trojans are dropped onto infected systems by other means of malicious software, such as TDSS or Koobface. The trojan is a malicious Windows executable file that cannot spread towards other computers. Therefore, it performs several actions on behalf of the attacker within a compromised computer, such as changing the DNS settings in order to divert traffic to unsolicited, and potentially illegal and/or malicious domains.

The  trojan is used by organized crime syndicates to maintain click fraud. The user's browsing activity is manipulated through various means of modification (such as altering the destination of a legitimate link to then be forwarded to another site), allowing the attackers to generate revenue from pay-per-click online advertising schemes. The trojan is commonly found as a small file (+/- 1.5 kilobytes) that is designed to change the  registry key value to a custom IP address or domain that is encrypted in the body of the trojan itself. As a result of this change, the victim's device would contact the newly assigned DNS server to resolve names of malicious webservers.

Trend Micro described the following behaviors of :
 * Steering unknowing users to malicious websites: These sites can be phishing pages that spoof well-known sites in order to trick users into handing out sensitive information. A user who wants to visit the iTunes site, for instance, is instead unknowingly redirected to a rogue site.
 * Replacing ads on legitimate sites: Visiting certain sites can serve users with infected systems a different set of ads from those whose systems are not infected.
 * Controlling and redirecting network traffic: Users of infected systems may not be granted access to download important OS and software updates from vendors like Microsoft and from their respective security vendors.
 * Pushing additional malware: Infected systems are more prone to other malware infections (e.g., FAKEAV infection).

Alternative aliases

 * Win32:KdCrypt[Cryp] (Avast)
 * TR/Vundo.Gen (Avira)
 * MemScan:Trojan.DNSChanger (Bitdefender Labs)
 * Win.Trojan.DNSChanger (ClamAV)
 * variant of Win32/TrojanDownloader.Zlob (ESET)
 * Trojan.Win32.Monder (Kaspersky Labs)
 * Troj/DNSCha (Sophos)
 * Mal_Zlob (Trend Micro)
 * MalwareScope.Trojan.DnsChange (Vba32 AntiVirus)

Other variants

 * Trojan.Win32.DNSChanger.al
 * F-Secure, a cybersecurity company, received samples of a variant that were named PayPal-2.5.200-MSWin32-x86-2005.exe. In this case, the PayPal attribution indicated that a phishing attack was likely. The trojan was programmed to change the DNS server name of a victim's computer to an IP address in the 193.227.xxx.xxx range.


 * The registry key that is affected by this trojan is:


 * Other registry modifications made involved the creation of the below keys: