SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Windows flaw enhances DNS hijacking
Tue, 7th Jun 2016

ESET experts have found a new version of the DNS Unlocker Potentially Unwanted Application (PUA) equipped with a unique capability to re-configure DNS settings on a victim's computer, while hiding those configuration changes. Through use of this new sleight-of-hand, DNS Unlocker can be tricky to defang, as it can continue to act in the shadow of a victim's computer and do more damage than expected.

About DNS hijacking

DNS Unlocker's purpose is to display advertisements to the victim, embedded in webpages. It does this by redirecting normally legitimate requests for ads from Google's ad servers to servers run by the folk behind DNS Unlocker. Typically, a computer user affected by DNS Unlocker will see advertisements with a note at the bottom like “Ads by DNS Unlocker”, and multiple variations of “support scam” pop-ups.

ESET experts have found that what sets DNS Unlocker apart is its use of a trick whereby Windows will display a different DNS configuration from what is actually set and in use.

Notification to Microsoft

ESET experts analysed the trick and identified the underlying issue with how Windows handled these DNS addresses and sent the details to Microsoft on May 10th 2016. The Microsoft Security Response Center (MSRC) acknowledged the problem, but, unfortunately, did not classify it as a security vulnerability. “As modifying the registry requires administrative privileges, we do not consider this to meet the bar for security servicing through MSRC”, the reasoning reads.

“Within the graphical interface, it appears that you are using an automatically assigned DNS server address when in fact you are using the static ones supplied by DNS Unlocker. In short, this is a DNS hijack which forces the use of hidden DNS servers. This makes the issue quite difficult to solve for typical users,” says James Rodewald, ESET Malware Removal Support Supervisor.

“Hopefully, Microsoft will address this issue in future versions of Windows. Until then, users should be aware of the possibility of DNS hijacking,” comments Marc-Etienne Léveillé, an ESET Malware Researcher who participated in the research.

Tips and preventative measures from ESET experts:

  • Don't surf the web with administrator's privileges; use them only where necessary
  • If you see unexpected advertisements, especially if they offer an “Ads by DNS Unlocker” badge or similar, check your DNS settings in the advanced pane of TCP/IP settings
  • If you see a pop-up window with some kind of offer for support, be extremely wary and, before taking any other action, check your DNS settings, taking heed of the advice in the article
  • If in any doubt about DNS settings, you can remove the bad DNS entries from the DNS tab of the Advanced TCP/IP Settings page. Scan your computer with ESET's Online Scanner to remove the DNS Unlocker malware and to make it stop tampering with your DNS settings.
  • Follow all basic rules for the safe use of the internet, including having a quality security solution; ESET Smart Security fully protects from the DNS Unlocker.
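
Because the summary view in the graphical interface can show an automatically assigned DNS server while static ones are in use, the check in the tips above can also be done by reading the configuration directly. The following PowerShell script is an added example, not ESET's or Microsoft's code; it assumes Windows 8 / Server 2012 or later (for `Get-NetAdapter` and `Get-DnsClientServerAddress`) and the standard per-interface TCP/IP registry key, and its `Review` column is simply a prompt to look at any static entry you did not configure yourself.

```powershell
# Added example: for each network adapter, list the static DNS servers stored
# in the registry (NameServer), the DHCP-assigned ones (DhcpNameServer), and
# the servers Windows reports as in use, so a static entry cannot go unnoticed.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Split-DnsList([string]$Value) {
    # Both registry values are delimited strings; accept commas or whitespace
    # as separators so every address is listed individually.
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split '[,\s]+' | Where-Object { $_ })
}

$report = foreach ($adapter in Get-NetAdapter) {
    $key = Join-Path $base $adapter.InterfaceGuid
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    $static = @(Split-DnsList $props.NameServer)      # manually set servers
    $dhcp   = @(Split-DnsList $props.DhcpNameServer)  # servers handed out by DHCP
    $inUse  = @((Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                    -AddressFamily IPv4).ServerAddresses)

    [pscustomobject]@{
        Adapter   = $adapter.Name
        StaticDns = $static -join ', '
        DhcpDns   = $dhcp -join ', '
        InUseDns  = $inUse -join ', '
        # Any static entry overrides DHCP; confirm it is one you configured.
        Review    = ($static.Count -gt 0)
    }
}

$report | Format-Table -AutoSize
```

Reading these values does not require administrator rights; removing an unwanted entry does, and is done from the DNS tab of the Advanced TCP/IP Settings page as described above.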

Article courtesy of ESET