{"id":15785,"date":"2019-07-15T08:10:06","date_gmt":"2019-07-15T16:10:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/15\/news-9532\/"},"modified":"2019-07-15T08:10:06","modified_gmt":"2019-07-15T16:10:06","slug":"news-9532","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/15\/news-9532\/","title":{"rendered":"Meet Extenbro, a new DNS-changer Trojan protecting adware"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Mon, 15 Jul 2019 14:54:00 +0000<\/strong><\/p>\n

Recently, we uncovered a new DNS-changer called Extenbro that comes with an adware bundler. These DNS-changers block access to security-related sites, so the adware victims can\u2019t download and install security software to get rid of the pests. <\/p>\n

From our viewpoint, this might be like sending in an elephant to save the mosquito, but the threat actors behind this attack have been known to use aggressive tactics in the past. What do they care if they open up your machine to all kinds of threats by disallowing you access to security sites and blocking any existing security software from getting updates? They just want to serve you adware.<\/p>\n

Unfortunately, we have seen this kind of behavior before<\/a>. But since this one uses a few fancy tricks, we\u2019ll give you a quick overview of what it does and how you can get rid of it. For those just looking for a quick fix, there is a removal guide on our forums<\/a>. <\/p>\n

Infection vector<\/h3>\n

We have noticed the Extenbro Trojan is delivered on systems by a bundler<\/a> that is detected by Malwarebytes as Trojan.IStartSurf<\/a>.<\/p>\n

DNS-changer<\/h3>\n

First and foremost, the Trojan changes the DNS settings of the infected system so it won\u2019t be able to reach any security vendors\u2019 sites. <\/p>\n

\n
\"Advanced<\/figure>\n<\/div>\n

New for this one is that you have to access the Advanced DNS tab to find out that it has added four DNS servers rather than the usual two. Where people might be inclined to change the two that are visible, use the Advanced<\/strong> button and look at the DNS tab: It would cause them to leave the additional two behind.<\/p>\n

Task Scheduler<\/h3>\n

Should you manage to correct the offending DNS servers and reboot the system before taking further measures, you will find that the DNS settings re-appear after a reboot. This is because of a randomly-named Scheduled Task that looks similar to this:<\/p>\n

\"Scheduled<\/figure>\n

The location of the folder and the switches for the command seem to be fixed, but the folder name and file name are random.<\/p>\n

Root certificate<\/h3>\n

The Trojan also adds a certificate to the set of Windows Root certificates<\/a>.<\/p>\n

\"new<\/figure>\n

Using the method outlined in the blog post Learning PowerShell: some basic commands<\/a>, I established that the certificate has no \u201cFriendly Name\u201d and is supposedly registered to abose[at]reddit[dot]com.<\/p>\n

Disables IPV6<\/h3>\n

By changing the registry value DisabledComponents under the key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesTCPIP6Parameters and setting the value to \u201cFF\u201d, the Trojan disables IPV6<\/a> to force the system to use the new DNS servers.<\/p>\n

User.js<\/h3>\n

The malware also makes a change in the Firefox user.js file and sets the security.enterprise_roots.enabled setting to true, which Configures Firefox to use the Windows Certificate Store<\/a> where the newly-added root certificate was added. <\/p>\n

\"enterprise_roots\"<\/figure>\n

Removal instructions<\/h3>\n

Some of the changes that this malware makes could already be in place, if they are the user’s preferred settings. So feel free to skip the steps that you are not comfortable with.<\/p>\n

What really needs to be done so you can download a removal tool or update you existing security software is to restore the DNS servers to what they were\u2014or, if you don\u2019t know the previous settings, to something safe. Most ISPs have the preferred DNS servers listed in their installation instructions or on their website. That is the first place to look. If you can\u2019t find them there, you can use the DNS servers provided by OpenDNS. You can find instructions for many Operating Systems on their site<\/a>. <\/p>\n

An extra step needs to be taken when you are in this screen:<\/p>\n

\n
\"General<\/figure>\n<\/div>\n

Make sure to click on <\/em>Advanced\u2026<\/em><\/strong>and select the<\/em> DNS <\/em><\/strong>tab to find the extra two DNS servers that we mentioned earlier. Remove those before you change the two shown on the screen to your preferred ones.<\/em><\/p>\n

Now, you should be able to visit security sites again. Follow the remaining instructions below:<\/p>\n