
Windows flaw enhances DNS hijacking

ESET experts have found a new version of the DNS Unlocker Potentially Unwanted Application (PUA) equipped with a unique capability to re-configure DNS settings on a victim’s computer, while hiding those configuration changes. Through use of this new sleight-of-hand, DNS Unlocker can be tricky to defang, as it can continue to act in the shadow of a victim’s computer and do more damage than expected.

DNS Unlocker’s purpose is to display advertisements to the victim, embedded in webpages. It does this by redirecting normally legitimate requests for ads from Google’s ad servers to servers run by the folk behind DNS Unlocker. Typically, a computer user affected by DNS Unlocker will see advertisements with a note at the bottom like “Ads by DNS Unlocker”, and multiple variations of “support scam” pop-ups.

ESET experts have found that what sets DNS Unlocker apart is its use of a trick whereby Windows will display a different DNS configuration from what is actually set and in use.

ESET experts analysed the trick and identified the underlying issue with how Windows handled these DNS addresses and sent the details to Microsoft on May 10th 2016. The Microsoft Security Response Center (MSRC) acknowledged the problem, but, unfortunately, did not classify it as a security vulnerability. “As modifying the registry requires administrative privileges, we do not consider this to meet the bar for security servicing through MSRC”, the reasoning reads.

“Within the graphical interface, it appears that you are using an automatically assigned DNS server address when in fact you are using the static ones supplied by DNS Unlocker. In short, this is a DNS hijack which forces the use of hidden DNS servers. This makes the issue quite difficult to solve for typical users,” says James Rodewald, ESET Malware Removal Support Supervisor.

“Hopefully, Microsoft will address this issue in future versions of Windows. Until then, users should be aware of the possibility of DNS hijacking,” comments Marc-Etienne Léveillé, an ESET Malware Researcher who participated in the research.
