Is it the end of the DNSChanger Trojan?

=== Not really, especially in Latin America. Every
day we register lots of similar attacks, each abusing local DNS
settings. Actually these attacks are a bit different because they
modify the local HOST file but the principle is the same –
redirecting the victim to a malicious host via malicious DNS

Latin American cybercriminals are used to recycling old techniques
used elsewhere in the past and what is happening right now is a
growth of attacks abusing local DNS settings. The latest social
engineering-based malware attack in Mexico – which imitated the
Mexican tax office – is a recent example of this.

By clicking on the link the victim downloads and installs a Trojan
which is related to Ngrbot and modifies the local HOST file. It
steals money from two Mexican banks by redirecting the infected
victims to fake banking websites.

There is interesting information contained inside the code – the
source of the Trojan before the compilation.


After browsing some underground Spanish-language forums, I found
that the author of this malware has been operating since at least
2004 and apparently lives in Peru.

Most of the victims are, of course, from Mexico. The main means of
spreading the malware is email and the most widely-targeted email
provider is Yahoo mail.

There are at least 11,540 downloads of this malware and the overall
it has been detected by 9 out of 31 antivirus engines. That
basically means there are some 8,000 infections out there.

The fact that a fairly experienced cybercriminal (operating from
2004) still uses malicious techniques to abuse local DNS settings
and can still net a large number of victims (8,000) once again
confirms that the DNSChanger trend won’t change in the near feature.
We will keep seeing new pieces of malware using and refining the
same technique. This story is set to continue…

<img src=""

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *