As the DNS infrastructure is well defended against attacks, cyber-crooks often try to mess with the local DNS settings. This is the case of the infections with Worm.Rorpian.E that, once it successfully infects a computer on the network, starts acting as a DHCP server (an application that manages the connectivity of the network computers) and tampers with the local DNS servers to resolve all the requests to a rogue IP in Romania.
Once this fake DHCP server (in fact, the infected PC on the network) “convinces” your PC that it should resolve the names you enter in the address bar to the rogue IP in Romania, your legit requests will end up hijacked to a page that looks like that:
If you give in to the demand and “update your browser”, you’ll get infected with the same Worm.Rorpian.E, and your PC will start acting like a rogue DHCP server for the other clients connected to your network.
Once the user clicks the “browser update” button, a php script fetches the malware from the server and names it as updbrowser[date].exe, where date is the current year, month and day.
Of course, since we’re talking about cybercrime, the infection wasn’t only designed for fun. Once your PC has been infected with the “browser patch”, the worm starts bringing its friends to the party, cloaked by the infamous TDSS rootkit.
Rorpian also has secondary spreading mechanisms: it “jumps” via network shares, exploits a couple of old, critical vulnerabilities such asthe .LNK (MS10046) and the one in the Windows DNS RPC Interface (MS07-029) to download and execute further malware onto the infected PCs.
Read more