DNS switch as an anti-forensics feature in malware
A recent malware sample that I grabbed (and a few others did too, I am certain) does a very interesting thing:
Have a look at the code:
It literally changes the primary DNS server on the victim machine and only then performs the lookup for its C&C, using a pseudo-random domain.
Interesting, I say, especially if you do DNS cache review or passive DNS monitoring for a living. Once the host resolves through an external server, the C&C lookup never touches your internal DNS server, so it leaves no trace in that server's cache or query logs, which is exactly where such a review would look for it.
As I see it, in this particular case, even if the malware does not succeed in switching the DNS server, it continues to run.
So our goal is to prevent it from doing this.
How? Group Policy!
Create a new GPO, go to User Configuration\Administrative Templates\Network\Network Connections and set the “Prohibit access to properties of a LAN connection” policy to Enabled.
With that in place, users cannot change the connection's settings through its Properties dialog. Two caveats worth knowing: on Windows XP and later the Network Connections prohibitions are not applied to members of the Administrators group unless “Enable Windows 2000 Network Connections settings for Administrators” in the same folder is also enabled; and the policy restricts the user interface, not the setting itself, so code that writes the adapter's DNS configuration directly (registry, netsh, WMI) is not stopped by it. That is why the network-side control below matters more.
In addition, it is recommended to run an internal DNS server for the LAN and, on the border router, block outgoing DNS traffic (UDP and TCP port 53) from any source IP other than your internal DNS server. Then a host whose DNS server has been switched can no longer resolve anything, the lookups of the pseudo-random C&C domain fail at the border, and the dropped packets in the router's logs show you which host has been tampered with.
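The two signals described above (a host talking DNS to something other than the internal resolver, and pseudo-random C&C names showing up in the queries) can be checked mechanically over DNS query logs from a border sensor or passive DNS collector. The following is an added example, not code from the post or from the malware analysis it cites; the log format, the 192.168.1.x addresses, the internal resolver 192.168.1.2 and the query names are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample log (not from the original post). One DNS query per
# line, as a border sensor might record it:
#   timestamp  client-IP  resolver-IP  qtype  qname
# 192.168.1.2 is the hypothetical internal resolver; its own queries to an
# upstream server (last line) are the only DNS the border should let out.
SAMPLE_LOG = """\
2012-06-01T09:00:01 192.168.1.50 192.168.1.2 A intranet.corp.local
2012-06-01T09:00:02 192.168.1.51 192.168.1.2 A www.microsoft.com
2012-06-01T09:00:03 192.168.1.50 192.168.1.2 A update.microsoft.com
2012-06-01T09:00:04 192.168.1.53 192.168.1.2 A q7xk2mzp91vb.com
2012-06-01T09:01:10 192.168.1.50 8.8.8.8 A w3lp0dq8zc.net
2012-06-01T09:01:11 192.168.1.50 8.8.8.8 A mail.google.com
2012-06-01T09:02:00 192.168.1.2 198.51.100.53 A www.microsoft.com
"""

# Hypothetical allow-list: the only resolvers our hosts should use.
INTERNAL_RESOLVERS = {"192.168.1.2"}


def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, resolver, qtype, qname = parts
    return {"ts": ts, "client": client, "resolver": resolver,
            "qtype": qtype, "qname": qname.rstrip(".").lower()}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """The label left of the TLD, e.g. 'q7xk2mzp91vb' for q7xk2mzp91vb.com."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname, min_len=10, min_entropy=3.2):
    """Crude triage hint for algorithmically generated names: a long
    second-level label with high character entropy. It is a hint for an
    analyst to review, not proof; long legitimate brand names can trip it,
    so pair it with an allow-list of known-good domains in practice."""
    label = registrable_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyze(log_text, internal_resolvers=INTERNAL_RESOLVERS):
    """Return (kind, client, resolver, qname) findings for two signals:
    'unauthorized_resolver' when a host bypasses the internal DNS server
    (the DNS-switch case), and 'dga_candidate' for suspicious names on any
    resolver (covers the case where the switch failed and the lookups still
    went through our own server)."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # The internal resolver itself is allowed to query upstream servers;
        # any other client using a non-internal resolver is a finding.
        if (rec["resolver"] not in internal_resolvers
                and rec["client"] not in internal_resolvers):
            findings.append(("unauthorized_resolver", rec["client"],
                             rec["resolver"], rec["qname"]))
        if looks_generated(rec["qname"]):
            findings.append(("dga_candidate", rec["client"],
                             rec["resolver"], rec["qname"]))
    return findings


def clients_with_switched_dns(findings):
    """Map each host seen bypassing the internal resolver to the resolvers it
    used; this is the list of machines to pull for incident response."""
    by_client = defaultdict(set)
    for kind, client, resolver, _ in findings:
        if kind == "unauthorized_resolver":
            by_client[client].add(resolver)
    return dict(by_client)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
    print("hosts with switched DNS:", clients_with_switched_dns(analyze(SAMPLE_LOG)))
```

On the sample data the analysis flags 192.168.1.50 as the host whose DNS was switched to 8.8.8.8, and flags the two random-looking names, including the one that was still resolved through the internal server. The internal resolver's own upstream query is not reported, which mirrors the border rule above: port 53 out is allowed from that one address and nothing else.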
Additional info about this piece of malware:
Size: 890 KB
SHA-256: 72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f
VT detection ratio [18/45]: https://www.virustotal.com/file/72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f/analysis/
Must see: in the comments on that VirusTotal entry there is an analysis of the binary by @unixfreaxjp.
A similar sample was analysed by Conrad Longmore at Dynamoo’s Blog here
Stay Safe
D.L.

Thanks for the info. Interesting read and development!