Recent malware sample, that was grabbed by me (and few other’s, I am certain), perform very interesting thing:
Have a look at code:
It literally change main DNS server on victim machine, and then – perform look-up for it C&C, based on pseudo-random domain.
Interesting, I say especially, if You do DNS cache review/passive DNS monitor for living
As I see, in this particular case, even if malware not succeeded to switch DNS server, it continue to run.
So, our purpose is to prevent it from doing this.
How? … Group Policy!
Create new, go to User Configuration\Administrative Templates\Network\Network Connections and on “Prohibit access to properties of a LAN connection” policy do Enable
Actually, it prevent any user on computer, even Local Admin, from changing network configuration manually.
In addition – its Recommended to have internal DNS server for LAN and on border router block outgoing DNS traffic from IP’s that different from IP’s of Your internal DNS server.
Additional info about this piece of malware:
Size: 890 Kb
Must see in comments to this file – analysis of binary done by @unixfreaxjp
Similar sample analysis by Conrad Longmore at Dynamoo’s Blog here