silversurfer

Level 50
Verified
Trusted
Content Creator
Malware Hunter
A recently observed DNS-changer Trojan is being used in an adware campaign to prevent users from accessing security-related websites, Malwarebytes reveals.

While the tactic isn’t new, this threat features some additional tricks and the actors behind this attack have been known to use aggressive techniques in the past. In this instance, they simply attempt to prevent users from removing their adware from the compromised systems.

Dubbed Extenbro, the Trojan is delivered via a bundler. Once on the compromised device, the malware changes the DNS settings to prevent the system from accessing the websites of security vendors. Users can only notice the addition of four DNS servers by heading to the Advanced DNS tab in Windows.

To ensure that the DNS changes live past computer reboots, the malware creates a randomly-named Scheduled Task that points to a fixed-location folder, Malwarebytes reveals.