Researchers have discovered a new DNS-changer trojan, named Extenbro, that arrives with an adware bundle. Its main purpose is to keep victims from reaching security vendors' websites, and so from downloading and installing security software.
How does it operate?
Discovered by researchers at Malwarebytes, Extenbro is dropped by a bundler detected as Trojan.IStartSurf. Once installed, the trojan replaces the infected system's DNS servers with its own, so that security vendors' sites can no longer be reached.
The change is only partly visible in the standard TCP/IPv4 properties dialog: the two DNS servers shown there are not the whole list, and the remaining ones appear only on the DNS tab behind the 'Advanced' button.
“New for this one is that you have to access the Advanced DNS tab to find out that it has added four DNS servers rather than the usual two. Where people might be inclined to change the two that are visible, use the Advanced button and look at the DNS tab: It would cause them to leave the additional two behind,” explained Malwarebytes’ researchers.
The malicious DNS settings also come back after a reboot if the victim corrects them without first removing the persistence mechanism that re-applies them.
“Should you manage to correct the offending DNS servers and reboot the system before taking further measures, you will find that the DNS settings re-appear after a reboot. This is because of a randomly-named Scheduled Task. The location of the folder and the switches for the command seem to be fixed, but the folder name and file name are random,” the researchers added.
Characteristics of Extenbro
The trojan disables IPv6, so that name resolution can only go through the attacker's IPv4 DNS servers. It also installs its own root certificate in the Windows certificate store and edits Firefox's user.js to set security.enterprise_roots.enabled to true. Firefox normally trusts only its own certificate store; with that preference enabled it also trusts roots held in the Windows store, so the browser accepts certificates chained to Extenbro's newly added root.
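The following PowerShell triage script is an added example, not code from Malwarebytes or from the article; it checks a Windows host for each indicator described above (the full per-interface DNS server list rather than the two shown in the basic dialog, the IPv6 binding state, scheduled tasks that run from unusual locations, the Firefox user.js preference, and recently issued root certificates). The expected resolver addresses, the 90-day certificate window and the trusted executable locations are assumptions to adjust for your environment; the task folder and file names used by Extenbro are random, so the script looks for the pattern rather than a fixed name.

```powershell
# Added triage script for the Extenbro indicators described above.
# Not Malwarebytes' code; the allow-list, paths and thresholds are assumptions.
# Run in an elevated PowerShell on the suspect host.

# Assumption: the resolvers you expect to see (RFC 5737 placeholders here).
$ExpectedDns = @('192.0.2.53', '192.0.2.54')

$Findings = New-Object System.Collections.Generic.List[string]

# 1. DNS servers: list every configured resolver per interface, not just the
#    two that the basic TCP/IPv4 dialog displays.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $unexpected = $_.ServerAddresses | Where-Object { $_ -notin $ExpectedDns }
        if ($_.ServerAddresses.Count -gt 2 -or $unexpected) {
            $Findings.Add(('DNS: {0} -> {1}' -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ')))
        }
    }

# 2. IPv6 binding: Extenbro disables IPv6 so only its IPv4 resolvers are used.
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object { -not $_.Enabled } |
    ForEach-Object { $Findings.Add(('IPv6 disabled on adapter: {0}' -f $_.Name)) }

# 3. Scheduled tasks whose action executable lives outside the usual system
#    locations (assumption: Windows and Program Files are trusted roots).
#    Bare names such as "cmd.exe" are listed too and need manual review.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        if (-not $exe) { continue }
        $trusted = $TrustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $trusted) {
            $Findings.Add(('Task: {0}{1} -> {2} {3}' -f $task.TaskPath, $task.TaskName, $exe, $action.Arguments))
        }
    }
}

# 4. Firefox: a user.js that forces trust of the Windows certificate store.
$ProfileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ProfileRoot) {
    Get-ChildItem -Path $ProfileRoot -Filter user.js -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'security\.enterprise_roots\.enabled"\s*,\s*true' |
        ForEach-Object { $Findings.Add(('Firefox: {0}: {1}' -f $_.Path, $_.Line.Trim())) }
}

# 5. Root certificates issued recently. Heuristic: the store does not record
#    when a certificate was installed, so NotBefore is used as a proxy.
$Since = (Get-Date).AddDays(-90)   # assumption: adjust the window as needed
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.NotBefore -gt $Since } |
        ForEach-Object {
            $Findings.Add(('RootCert: {0} {1} thumbprint={2} NotBefore={3:yyyy-MM-dd}' -f $store, $_.Subject, $_.Thumbprint, $_.NotBefore))
        }
}

if ($Findings.Count -eq 0) { 'No Extenbro-style indicators found.' } else { $Findings }
```

When cleaning up, remove the scheduled task first (Unregister-ScheduledTask), then reset the resolvers (Set-DnsClientServerAddress -InterfaceAlias <name> -ResetServerAddresses), re-enable IPv6 (Enable-NetAdapterBinding -ComponentID ms_tcpip6), delete the rogue root certificate from the store and the enterprise_roots line from user.js; fixing the DNS servers before the task is gone only gets them overwritten again at the next reboot, as the researchers note.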