A newly discovered DNS-changer Trojan dubbed Extenbro has been observed blocking access to the websites of security software vendors so that its victims cannot get rid of the adware it drops on their computers.
“These DNS-changers block access to security-related sites, so the adware victims can’t download and install security software to get rid of the pests,” as detailed by Malwarebytes Labs’ security researchers who unearthed this new malware.
As a side effect, Extenbro also exposes the machines it compromises to all sorts of other threats: cut off from anti-malware vendors, they can neither install a security product nor receive updates for one that is already present.
“What do they care if they open up your machine to all kinds of threats by disallowing you access to security sites and blocking any existing security software from getting updates? They just want to serve you adware,” add the researchers.
This type of behavior was seen in the past with the Vonteera adware family, which abused system certificates to disable anti-malware software on the computers it infected.
Bundler used to infect the targets
The Extenbro Trojan infects its targets after they download an adware bundler, a software package that is usually served together with adware or spyware components, which a downloader module then fetches onto the victim's computer.
Malwarebytes detects the bundler used to distribute this DNS-changer malware as Trojan.IStartSurf, a moniker the company uses to tag a family of hijackers and adware bundlers.
“Unwanted advertising not originating from the sites they are visiting or their browser opening with a startpage that they did not set themselves” are among the symptoms that the victims will start noticing after being infected.
Once it lands on a victim's computer, Extenbro changes the DNS settings so that no security vendor's website is reachable, effectively preventing the victim from downloading and installing security software capable of detecting and blocking it.
“New for this one is that you have to access the Advanced DNS tab to find out that it has added four DNS servers rather than the usual two,” adds the Malwarebytes Labs research team.
“Where people might be inclined to change the two that are visible, use the Advanced button and look at the DNS tab: It would cause them to leave the additional two behind.”
Even if victims find and remove all the rogue DNS servers from their network settings, the malware re-adds them after a system restart: during infection it also creates a randomly named scheduled task for exactly this purpose.
The Extenbro DNS-changer Trojan also disables IPv6 on compromised machines, so that victims cannot circumvent the attacker-controlled DNS servers over IPv6 and get their computer protected that way.
It also adds a root certificate to the Windows Root certificate store and, according to the researchers, “makes a change in the Firefox user.js file and sets the security.enterprise_roots.enabled setting to true, which configures Firefox to use the Windows Certificate Store where the newly-added root certificate was added.”
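The settings described above (extra DNS servers that only show up under the Advanced DNS tab, the scheduled task that restores them, the disabled IPv6 binding, the added root certificate and the Firefox user.js flag) can all be enumerated from an elevated PowerShell prompt. The following triage script is an added example written for this page, not code from Malwarebytes or from the Extenbro report. The list of expected resolvers, the 90-day certificate window and the executable-path heuristic for scheduled tasks are assumptions chosen for illustration; the real DNS server IPs, certificate and sample hashes are in the report's IOC list and should be used instead where available.

```powershell
<#
  Added triage script (not from the Malwarebytes report). Enumerates the host
  settings the article describes Extenbro tampering with. The allow-list,
  thresholds and path heuristic below are assumptions for illustration.
#>
[CmdletBinding()]
param(
    # Assumed: resolvers your environment expects; anything else is flagged.
    [string[]]$ExpectedDns = @('192.0.2.53', '192.0.2.54'),
    # Assumed: self-signed roots whose NotBefore falls inside this window are flagged.
    [int]$RecentDays = 90
)

function Get-SuspiciousDnsServers {
    # Lists every configured IPv4 resolver, including the third and fourth entries
    # that the GUI only shows under Advanced > DNS, and flags interfaces with
    # more than two servers or with servers outside the allow-list.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { @($_.ServerAddresses).Count -gt 0 } |
        ForEach-Object {
            $unexpected = @($_.ServerAddresses | Where-Object { $_ -notin $ExpectedDns })
            [pscustomobject]@{
                Interface  = $_.InterfaceAlias
                Servers    = ($_.ServerAddresses -join ', ')
                Suspicious = (@($_.ServerAddresses).Count -gt 2) -or ($unexpected.Count -gt 0)
            }
        }
}

function Get-Ipv6BindingState {
    # IPv6 unbound from an adapter is one of the described side effects.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled
}

function Get-SuspiciousScheduledTasks {
    # Heuristic (assumption): a task is interesting if its action touches DNS/IPv6
    # configuration or if its executable lives outside the Windows/Program Files trees.
    $systemDirs = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in @($task.Actions)) {
            if (-not $a.Execute) { continue }
            $cmd = "$($a.Execute) $($a.Arguments)"
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            $outsideSystem = -not ($systemDirs | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') })
            if ($cmd -match 'netsh|Set-DnsClientServerAddress|Disable-NetAdapterBinding|ipv6' -or $outsideSystem) {
                [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
}

function Get-RecentSelfSignedRoots {
    # Self-signed certificates recently added to the machine or user Root store.
    # Compare thumbprints against the certificate published in the report's IOCs.
    $since = (Get-Date).AddDays(-$RecentDays)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store |
            Where-Object { $_.Subject -eq $_.Issuer -and $_.NotBefore -gt $since } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotBefore
    }
}

function Get-FirefoxEnterpriseRootsSetting {
    # user.js is re-applied on every Firefox start, so the pref survives a reset in about:config.
    Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\user.js" -ErrorAction SilentlyContinue |
        Select-String -Pattern 'security\.enterprise_roots\.enabled' |
        Select-Object Path, Line
}

'== DNS servers per interface =='; Get-SuspiciousDnsServers        | Format-Table -AutoSize
'== IPv6 binding per adapter ==';  Get-Ipv6BindingState            | Format-Table -AutoSize
'== Suspicious scheduled tasks =='; Get-SuspiciousScheduledTasks   | Format-Table -AutoSize
'== Recent self-signed roots ==';  Get-RecentSelfSignedRoots       | Format-Table -AutoSize
'== Firefox enterprise_roots ==';  Get-FirefoxEnterpriseRootsSetting | Format-Table -AutoSize
```

Remediation follows the same order, and the scheduled task must go before the DNS settings are reset or it will simply put them back at the next reboot: `Unregister-ScheduledTask -TaskName <name> -Confirm:$false`, then `Set-DnsClientServerAddress -InterfaceAlias <alias> -ResetServerAddresses`, `Enable-NetAdapterBinding -Name <adapter> -ComponentID ms_tcpip6`, `Remove-Item Cert:\LocalMachine\Root\<thumbprint>` and deleting the `security.enterprise_roots.enabled` line from user.js. Run a full anti-malware scan afterwards, since the bundler and its downloader are not covered by these checks.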
Just last week, the UK's National Cyber Security Centre (NCSC) released an advisory regarding ongoing Domain Name System (DNS) hijacking attacks in which threat actors alter their targets' DNS settings for malicious purposes.
DNS hijacking is a stepping stone for various types of attacks, from phishing and traffic sniffing against regular users to more serious assaults against organizations that can end in loss of control over their domains and servers.
A full list of indicators of compromise (IOCs), including the IPs of the DNS servers used by the DNS-changer malware, the root certificate installed by the Trojan, and SHA256 hashes of malware samples, is available at the end of the Malwarebytes Labs Extenbro report.