DNS switch as anti-forensics feature in Malware


A recent malware sample that I grabbed (and, I am certain, a few others did too) performs a very interesting trick:

Have a look at the code:



It literally changes the main DNS server on the victim machine, and then performs the look-up for its C&C, based on a pseudo-random domain.

Interesting, I say 🙂 especially if you do DNS cache review / passive DNS monitoring for a living 🙂

As far as I can see, in this particular case, even if the malware does not succeed in switching the DNS server, it continues to run.

So our purpose is to prevent it from doing this, so that its look-ups stay on the resolver we monitor.

How? … Group Policy!

Create a new GPO, go to User Configuration\Administrative Templates\Network\Network Connections and set the “Prohibit access to properties of a LAN connection” policy to Enabled.

In effect, it prevents any user on the computer, even a Local Admin, from changing the network configuration manually through the Network Connections UI.
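The policy above locks the UI, so it is worth checking on endpoints that the configured resolvers still match what the LAN is supposed to use. The following PowerShell is an added example and not code from the original post; it assumes the allow-list of internal DNS server addresses is a placeholder you replace with your own, and it reads both the live DNS client configuration (Get-DnsClientServerAddress, Windows 8 / Server 2012 and later) and the static NameServer values stored under the Tcpip service parameters, which is where a resolver change ends up regardless of how it was made.

```powershell
# Added example (not from the original post): audit every interface's
# configured DNS servers against the resolvers the LAN is supposed to use.
# ASSUMPTION: the allow-list below is a placeholder; replace it with the
# addresses of your internal DNS servers.
$AllowedDnsServers = @('10.0.0.53', '10.0.0.54')

# 1. The live DNS client configuration, as the resolver sees it.
$findings = @(
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $iface = $_
            foreach ($srv in $iface.ServerAddresses) {
                if ($AllowedDnsServers -notcontains $srv) {
                    [pscustomobject]@{
                        Interface = $iface.InterfaceAlias
                        DnsServer = $srv
                        Source    = 'Get-DnsClientServerAddress'
                    }
                }
            }
        }
)

# 2. The same setting as stored per interface under the Tcpip service
#    parameters (static "NameServer" value; DHCP-assigned servers live in
#    "DhcpNameServer" and are not treated as findings here).
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$findings += @(
    Get-ChildItem $ifKey | ForEach-Object {
        $props  = Get-ItemProperty $_.PSPath
        $static = @()
        if ($props.NameServer) {
            # The value is a space- or comma-separated list of addresses.
            $static = $props.NameServer -split '[ ,]+' | Where-Object { $_ }
        }
        foreach ($srv in $static) {
            if ($AllowedDnsServers -notcontains $srv) {
                [pscustomobject]@{
                    Interface = $_.PSChildName
                    DnsServer = $srv
                    Source    = 'Registry NameServer'
                }
            }
        }
    }
)

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled task or monitoring agent can alert on it
} else {
    Write-Output 'All interfaces use approved DNS servers.'
}
```

Run it from an elevated prompt as a scheduled task or through your endpoint management tool; a non-zero exit with a table of interface, server and source is the signal that someone or something pointed the host at a resolver you do not control.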

In addition, it is recommended to have an internal DNS server for the LAN and, on the border router, to block outgoing DNS traffic from IPs other than those of your internal DNS server.
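Even before the border rule is in place, the router's connection log already shows which LAN hosts are resolving names somewhere other than the internal DNS server. The following PowerShell is an added example and not code from the original post; the log format, the addresses and the LAN prefix are constructed for the example, so adapt the regular expression to whatever your border device actually exports.

```powershell
# Added example (not from the original post): flag LAN hosts that send DNS
# traffic to the Internet directly instead of through the internal resolver.
# ASSUMPTION: the resolver address, LAN prefix, log format and sample lines
# below are constructed for this example.
$InternalDns = @('10.0.0.53')
$LanPrefix   = '10.0.'

# Constructed sample log: <timestamp> <proto> <src>:<sport> -> <dst>:<dport>
$sampleLog = @'
2012-12-20T10:01:02 UDP 10.0.5.17:51234 -> 10.0.0.53:53
2012-12-20T10:01:03 UDP 10.0.0.53:41111 -> 198.51.100.7:53
2012-12-20T10:01:05 UDP 10.0.5.42:49876 -> 203.0.113.9:53
2012-12-20T10:01:06 TCP 10.0.5.42:49877 -> 203.0.113.9:53
2012-12-20T10:01:09 TCP 10.0.5.17:52000 -> 93.184.216.34:443
'@ -split "`r?`n"

$pattern = '^(?<ts>\S+)\s+(?<proto>TCP|UDP)\s+(?<src>[\d.]+):(?<sport>\d+)\s+->\s+(?<dst>[\d.]+):(?<dport>\d+)$'

$alerts = foreach ($line in $sampleLog) {
    if ($line -match $pattern) {
        $src   = $Matches['src']
        $dst   = $Matches['dst']
        $dport = [int]$Matches['dport']

        # Keep only DNS (port 53) sent by a LAN host to something other than
        # our resolver; the resolver's own recursion to the Internet is expected.
        if ($dport -ne 53)                 { continue }
        if (-not $src.StartsWith($LanPrefix)) { continue }
        if ($InternalDns -contains $src)   { continue }
        if ($InternalDns -contains $dst)   { continue }

        [pscustomobject]@{
            Time     = $Matches['ts']
            Host     = $src
            Resolver = $dst
            Proto    = $Matches['proto']
        }
    }
}

# One summary line per offending host, listing the foreign resolvers it used.
$alerts | Group-Object Host | ForEach-Object {
    $resolvers = ($_.Group.Resolver | Sort-Object -Unique) -join ', '
    '{0}: {1} direct DNS request(s) to {2}' -f $_.Name, $_.Count, $resolvers
}
```

With the constructed input only 10.0.5.42 is reported, since 10.0.5.17 talks to the internal resolver and the resolver's own outbound query is exempt; on real exports the same logic also catches DNS over TCP, which is why the port filter does not look at the protocol.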

Additional info about this piece of malware:

Size: 890 KB

SHA: 72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f

VT: [18/45] https://www.virustotal.com/file/72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f/analysis/

Must see in the comments to this file: the analysis of the binary done by @unixfreaxjp

A similar sample analysis by Conrad Longmore at Dynamoo’s Blog here

Stay Safe




one comment

  1. Thanks for info. Interesting read and development!

    Prohest, 24/12/2012
