
Windows flaw enhances DNS hijacking

07 Jun 2016

ESET experts have found a new version of the DNS Unlocker Potentially Unwanted Application (PUA) equipped with a unique capability to re-configure DNS settings on a victim’s computer while hiding those configuration changes. Through this new sleight of hand, DNS Unlocker becomes tricky to defang: it can keep operating unnoticed on a victim’s computer and do more damage than expected.

About DNS hijacking

DNS Unlocker’s purpose is to display advertisements to the victim, embedded in webpages. It does this by redirecting normally legitimate requests for ads from Google’s ad servers to servers run by the folk behind DNS Unlocker. Typically, a computer user affected by DNS Unlocker will see advertisements with a note at the bottom like “Ads by DNS Unlocker”, and multiple variations of “support scam” pop-ups.

ESET experts have found that what sets DNS Unlocker apart is its use of a trick whereby Windows will display a different DNS configuration from what is actually set and in use.

Notification to Microsoft

ESET experts analysed the trick and identified the underlying issue with how Windows handled these DNS addresses and sent the details to Microsoft on May 10th 2016. The Microsoft Security Response Center (MSRC) acknowledged the problem, but, unfortunately, did not classify it as a security vulnerability. “As modifying the registry requires administrative privileges, we do not consider this to meet the bar for security servicing through MSRC”, the reasoning reads.

“Within the graphical interface, it appears that you are using an automatically assigned DNS server address when in fact you are using the static ones supplied by DNS Unlocker. In short, this is a DNS hijack which forces the use of hidden DNS servers. This makes the issue quite difficult to solve for typical users,” says James Rodewald, ESET Malware Removal Support Supervisor.

“Hopefully, Microsoft will address this issue in future versions of Windows. Until then, users should be aware of the possibility of DNS hijacking,” comments Marc-Etienne Léveillé, an ESET Malware Researcher who participated in the research.

Tips and preventative measures from ESET experts:

  • Don’t surf the web with administrator’s privileges; use them only where necessary
  • If you see unexpected advertisements, especially if they offer an “Ads by DNS Unlocker” badge or similar, check your DNS settings in the advanced pane of TCP/IP settings
  • If you see a pop-up window with some kind of offer for support, be extremely wary and, prior to any other actions, check your DNS settings, taking heed of the advice in the WeLiveSecurity.com article
  • If in any doubt about DNS settings, you can remove the bad DNS entries from the DNS tab of the Advanced TCP/IP Settings page. Scan your computer with ESET’s Online Scanner to remove the DNS Unlocker malware and to make it stop tampering with your DNS settings.
  • Follow all basic rules for the safe use of the internet, including having a quality security solution; ESET Smart Security fully protects from the DNS Unlocker.
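Because the article's point is that the Windows GUI can report an automatic DNS configuration while static servers are in use, a check that bypasses the GUI is useful. The PowerShell below is an added example, not code from ESET or the article: it reads each adapter's static (NameServer) and DHCP-supplied (DhcpNameServer) values straight from the TCP/IP interface registry keys, compares them with what the DNS client reports, and flags interfaces that carry a static entry or unexpected characters in the raw value. It assumes Windows 8 / Server 2012 or later for Get-NetAdapter and Get-DnsClientServerAddress, and the standard location of the per-interface keys.

```powershell
# Added example (not from the ESET article). Compares registry DNS settings with what
# the DNS client reports, so a static configuration hidden from the GUI stands out.
# Assumes: Windows 8 / Server 2012 or later; per-interface settings live under this key.
$interfacesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-DnsConfigReport {
    foreach ($adapter in Get-NetAdapter) {
        $key = Join-Path $interfacesKey $adapter.InterfaceGuid
        if (-not (Test-Path $key)) { continue }

        $props  = Get-ItemProperty -Path $key
        $static = [string]$props.NameServer      # statically configured servers (REG_SZ)
        $dhcp   = [string]$props.DhcpNameServer  # servers handed out by DHCP (REG_SZ)

        # What the DNS client (and therefore ipconfig /all) currently reports for IPv4.
        $reported = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                        -AddressFamily IPv4 -ErrorAction SilentlyContinue).ServerAddresses

        # Static entries may be comma- or space-separated; split and drop empties.
        $staticList = @($static -split '[,\s]+' | Where-Object { $_ })

        # The IPv4 NameServer value should only contain digits, dots and separators.
        # Report anything else as a hex code point, since the GUI may not render it.
        $oddChars = @($static.ToCharArray() |
            Where-Object { $_ -notmatch '[0-9.,\s]' } |
            ForEach-Object { '\u{0:X4}' -f [int]$_ }) -join ' '

        [pscustomobject]@{
            Adapter         = $adapter.Name
            StaticRegistry  = ($staticList -join ',')
            DhcpRegistry    = $dhcp
            Reported        = ($reported -join ',')
            RawLength       = $static.Length
            UnexpectedChars = $oddChars
            # Static servers present, or odd bytes in the value: inspect by hand.
            Suspicious      = ($staticList.Count -gt 0) -or ($oddChars -ne '')
        }
    }
}

Get-DnsConfigReport | Format-Table -AutoSize
```

A deliberately configured static DNS server will also be flagged, so compare the StaticRegistry column against the servers you expect on that machine rather than treating every hit as a hijack.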

Article courtesy of ESET
