
Thread: ZLob/DNSChanger Trojan now can modify DNS Servers in your SOHO Router

  1. #1
    David H. Lipman Guest

    ZLob/DNSChanger Trojan now can modify DNS Servers in your SOHO Router

    A variant of the ZLob Trojan known as DNSChanger has been known to modify the DNS servers on
    your PC. Thus you get directed to malicious web sites instead of the web site you are
    trying to get to.

    Now there is a variant of the DNSChanger, installer ~300KB, that can use TCP port 80 and a
    dictionary of passwords to modify the DNS Server list on SOHO Routers.

    http://www.trustedsource.org/blog/42...s-into-routers
    http://blog.washingtonpost.com/secur..._wirele_1.html

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
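
A defender-side check for the behaviour described in post #1, added here as an example and not part of the original thread: it parses `ipconfig /all` output and flags any DNS server that is not on a list you expect. The sample output, the addresses (documentation ranges) and the allowlist are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (documentation-range addresses).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       203.0.113.54
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
# Assumption: the resolvers you expect (router LAN address, ISP resolver).
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.10"}
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# A field line is "label . . . : value"; the dot/space padding before the
# colon keeps bare IPv6 continuation lines from being read as fields.
FIELD_RE = re.compile(r"^\s+([^.:]+?)[ .]+:\s*(.*)$")

def parse_dns_servers(text):
    """Return {adapter: [DNS server, ...]}, including continuation lines."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            servers[adapter] = []
            continue
        f = FIELD_RE.match(line)
        if f:
            in_dns = f.group(1).strip() == "DNS Servers"
        value = f.group(2).strip() if f else line.strip()
        if adapter and in_dns and value:
            try:
                servers[adapter].append(str(ipaddress.ip_address(value)))
            except ValueError:
                in_dns = False  # not an address: the DNS list has ended
    return servers

def unexpected_resolvers(text, expected):
    """Return sorted (adapter, server) pairs whose resolver is not expected."""
    allowed = {str(ipaddress.ip_address(a)) for a in expected}
    return sorted((a, ip) for a, ips in parse_dns_servers(text).items()
                  for ip in ips if ip not in allowed)

print(unexpected_resolvers(SAMPLE_IPCONFIG, EXPECTED_RESOLVERS))
```

The check reports what the adapter is using, not where the value came from: an unexpected resolver can be set on the PC itself or handed out by the router over DHCP, so the router's DNS settings need checking as well.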



  2. #2
    Andrew McGovern Guest

    Re: ZLob/DNSChanger Trojan now can modify DNS Servers in your SOHO Router

    I always update my anti-virus software regularly so I should be OK.

    Thanks for the news anyway.

    --
    PC Slowing Down? Hardware Problems?
    http://andrewmcgovernonline.com/pcrepair/


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:uiB4k.19$TL6.16@trnddc01...
    >A variant of the ZLob Trojan known as DNSChanger has been known to modify
    >the DNS servers on
    > your PC. Thus you get directed to malicious web sites instead of the web
    > site you are
    > trying to get to.
    >
    > Now there is a variant of the DNSChanger, installer ~300KB, that can use
    > TCP port 80 and a
    > dictionary of passwords to modify the DNS Server list on SOHO Routers.
    >
    > http://www.trustedsource.org/blog/42...s-into-routers
    > http://blog.washingtonpost.com/secur..._wirele_1.html
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
    >
    >




  3. #3
    Kerry Brown Guest

    Re: ZLob/DNSChanger Trojan now can modify DNS Servers in your SOHO Router

    There are other exploits that do this as well. The best protection against
    this is to use a strong password on your router.

    --
    Kerry Brown



    "Andrew McGovern" <a.mcgovern@blueyonder.co.uk> wrote in message
    news:5lB4k.78830$cL6.22385@newsfe27.ams2...
    >I always update my anti-virus software regularly so I should be OK.
    >
    > Thanks for the news anyway.
    >
    > --
    > PC Slowing Down? Hardware Problems?
    > http://andrewmcgovernonline.com/pcrepair/
    >
    >
    > "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    > news:uiB4k.19$TL6.16@trnddc01...
    >>A variant of the ZLob Trojan known as DNSChanger has been known to modify
    >>the DNS servers on
    >> your PC. Thus you get directed to malicious web sites instead of the web
    >> site you are
    >> trying to get to.
    >>
    >> Now there is a variant of the DNSChanger, installer ~300KB, that can use
    >> TCP port 80 and a
    >> dictionary of passwords to modify the DNS Server list on SOHO Routers.
    >>
    >> http://www.trustedsource.org/blog/42...s-into-routers
    >> http://blog.washingtonpost.com/secur..._wirele_1.html
    >>
    >> --
    >> Dave
    >> http://www.claymania.com/removal-trojan-adware.html
    >> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
    >>
    >>

    >
    >



  4. #4
    David H. Lipman Guest

    Re: ZLob/DNSChanger Trojan now can modify DNS Servers in your SOHO Router

    From: "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m>

    | There are other exploits that do this as well. The best protection against
    | this is to use a strong password on your router.
    |

    Yes. There have been discussions about SOAP in conjunction with uPnP. However using uPnP
    you may be able to bypass the TCP port 80 authentication.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #5
    Kerry Brown Guest

    Re: ZLob/DNSChanger Trojan now can modify DNS Servers in your SOHO Router

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:x3E4k.13213$8q2.5746@trnddc02...
    > From: "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m>
    >
    > | There are other exploits that do this as well. The best protection
    > against
    > | this is to use a strong password on your router.
    > |
    >
    > Yes. There have been discussions about SOAP in conjunction with uPnP.
    > However using uPnP
    > you may be able to bypass the TCP port 80 authentication.
    >



    And turn off uPnP. I forgot about that. It's the first thing I do with
    anything I set up that may have it enabled. If you can believe this
    Microsoft wants uPnP turned on so they can automagically configure the
    router with the still in beta SBS 2008. Trustworthy computing :-)

    --
    Kerry Brown




  6. #6
    a.qarta Guest

    Re: ZLob/DNSChanger Trojan now can modify DNS Servers in your SOHO Router

    On Jun 14, 7:06 am, "Kerry Brown" <ke...@kdbNOSPAMsys-tems.c*a*m>
    wrote:
    > "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in message news:x3E4k.13213$8q2.5746@trnddc02...
    >
    > > From: "Kerry Brown" <ke...@kdbNOSPAMsys-tems.c*a*m>

    >
    > > | There are other exploits that do this as well. The best protection
    > > against
    > > | this is to use a strong password on your router.
    > > |

    >
    > > Yes. There have been discussions about SOAP in conjunction with uPnP.
    > > However using uPnP
    > > you may be able to bypass the TCP port 80 authentication.

    >
    > And turn off uPnP. I forgot about that. It's the first thing I do with
    > anything I set up that may have it enabled. If you can believe this
    > Microsoft wants uPnP turned on so they can automagically configure the
    > router with the still in beta SBS 2008. Trustworthy computing :-)
    >
    > --
    > Kerry Brown


    I've compiled a checklist to follow

    http://extremesecurity.blogspot.com/...-hijacked.html

  7. #7
    David H. Lipman Guest

    Re: ZLob/DNSChanger Trojan now can modify DNS Servers in your SOHO Router

    From: "a.qarta" <A.Qarta@gmail.com>


    |
    | I've compiled a checklist to follow
    |
    | http://extremesecurity.blogspot.com/...-hijacked.html

    Very good Aa'ed !

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  8. #8
    Kerry Brown Guest

    Re: ZLob/DNSChanger Trojan now can modify DNS Servers in your SOHO Router

    "a.qarta" <A.Qarta@gmail.com> wrote in message
    news:9c65a7cb-70e7-4b2b-9306-73b1df57f2b7@l64g2000hse.googlegroups.com...
    On Jun 14, 7:06 am, "Kerry Brown" <ke...@kdbNOSPAMsys-tems.c*a*m>
    wrote:
    > "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in
    > message news:x3E4k.13213$8q2.5746@trnddc02...
    >
    > > From: "Kerry Brown" <ke...@kdbNOSPAMsys-tems.c*a*m>

    >
    > > | There are other exploits that do this as well. The best protection
    > > against
    > > | this is to use a strong password on your router.
    > > |

    >
    > > Yes. There have been discussions about SOAP in conjunction with uPnP.
    > > However using uPnP
    > > you may be able to bypass the TCP port 80 authentication.

    >
    > And turn off uPnP. I forgot about that. It's the first thing I do with
    > anything I set up that may have it enabled. If you can believe this
    > Microsoft wants uPnP turned on so they can automagically configure the
    > router with the still in beta SBS 2008. Trustworthy computing :-)
    >
    >
    >I've compiled a checklist to follow
    >
    >http://extremesecurity.blogspot.com/...-hijacked.html
    >


    Looks good.

    --
    Kerry Brown



