====== DNSChanger ======
===== Behavior =====
* Can compromise Windows, Mac, and some routers and modems.
* Modifies the DNS server entries to point to IPs in the Ukraine.
* Redirects certain lookups, which blocks anti-malware updates.
===== Removal and Recommendations =====
From everything I've gathered, most up-to-date anti-virus and anti-spyware should detect this. The problem is that the DNSChanger redirects away from anti-malware update sites. I personally recommend either scanning from a bootable CD/DVD (BartPE, UBCD4Windows, etc.) or pulling the drive to scan it from a clean, updated system.
Apple has an antivirus tool out that is supposed to remove it from their OS.
http://www.apple.com/downloads/macosx/networking_security/iantivirus.html
Block and/or monitor all traffic to and from 85.255.112.0 – 85.255.127.255 (85.255.112.0/20).
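As an added example (not part of the original page), the following Python script turns the two checks above into code: it reads the configured resolvers out of `ipconfig /all`-style or `resolv.conf`-style text and reports any that fall in 85.255.112.0/20, and it scans firewall log lines for flows to that range. The `ipconfig` excerpt and the log lines are constructed sample input, and the `dst=` field format is an assumption about the log layout, not a real product's format.

```python
import ipaddress
import re

# Rogue DNS block named on the page: 85.255.112.0 - 85.255.127.255.
ROGUE_DNS_NET = ipaddress.ip_network("85.255.112.0/20")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rogue_dns(addr: str) -> bool:
    """True if addr lies inside the rogue block; non-IP strings are False."""
    try:
        return ipaddress.ip_address(addr) in ROGUE_DNS_NET
    except ValueError:
        return False


def parse_resolvers(text: str) -> list:
    """Extract resolver addresses from 'ipconfig /all' or resolv.conf text.

    Simplified parser (an assumption about the output layout): a line
    containing 'DNS Servers' or starting with 'nameserver' opens a block, and
    following lines that consist of a bare IPv4 address are continuation
    entries of that block (ipconfig lists extra servers that way).
    """
    found = []
    in_dns_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if "DNS Servers" in line or stripped.startswith("nameserver"):
            in_dns_block = True
        elif in_dns_block and not IPV4_RE.fullmatch(stripped):
            in_dns_block = False
        if in_dns_block:
            found.extend(IPV4_RE.findall(line))
    return found


def rogue_dns_servers(servers) -> list:
    """Return the configured resolvers that fall in the rogue range."""
    return [s for s in servers if is_rogue_dns(s)]


def flag_flows(log_lines) -> list:
    """Return (line_number, dst) for log lines whose dst is in the rogue range.

    Assumes a 'dst=<ip>' field in each line (constructed log format).
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"dst=(\S+)", line)
        if m and is_rogue_dns(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample 'ipconfig /all' excerpt from an infected host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.10
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.37
                                       85.255.113.120
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed firewall log lines; only lines 1 and 3 hit the rogue range.
SAMPLE_FW_LOG = [
    "Apr 03 2009 10:12:01 fw ACCEPT src=192.168.1.10 dst=85.255.112.37 proto=UDP dport=53",
    "Apr 03 2009 10:12:02 fw ACCEPT src=192.168.1.10 dst=192.0.2.5 proto=TCP dport=80",
    "Apr 03 2009 10:12:03 fw ACCEPT src=192.168.1.22 dst=85.255.127.200 proto=UDP dport=53",
]


if __name__ == "__main__":
    resolvers = parse_resolvers(SAMPLE_IPCONFIG)
    print("configured resolvers:", resolvers)
    print("rogue resolvers     :", rogue_dns_servers(resolvers))
    for line_no, dst in flag_flows(SAMPLE_FW_LOG):
        print(f"log line {line_no}: traffic to rogue DNS host {dst}")
```

On a real host, feed `parse_resolvers` the captured output of `ipconfig /all` (or `/etc/resolv.conf` on a Mac) and `flag_flows` a firewall or NetFlow export; a hit from either check is a reason to take the machine offline and scan it from clean media, as recommended above.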
===== References =====
http://isc.sans.org/diary.html?storyid=5434
http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=2
http://asert.arbornetworks.com/2008/11/rogue-dns-servers-on-the-move/
-- Main.FredPettis - 03 Apr 2009