Researchers at the security firm ESET have observed a new trick used by malware and adware, DNS Unlocker in particular, to change the DNS settings of an infected device in a way that keeps the change from showing up in the device's DNS settings dialog.
DNS Unlocker has been around for some time, and there are plenty of articles on the web describing how to remove it. One example is a Microsoft help article published in August 2015, which advised users to open the IPv4 properties in the Windows Control Panel and set the DNS server address to be obtained automatically. According to ESET, this method may no longer produce the desired result: users who open the IPv4 settings will see that "Obtain DNS server address automatically" is already selected, even though the machine is still using the rogue servers.
The researchers found that the malware hides its changes in the registry, where every network adapter has a NameServer value that holds the adapter's static DNS servers. When a user enters DNS servers manually, they are stored in this value as a list separated by commas. If the separator is replaced with a space, Windows still uses the addresses, but the Control Panel dialog does not display them and instead reports that DNS servers are obtained automatically. Writing the addresses with spaces between them therefore lets an attacker hijack the DNS settings without leaving a visible trace, which is a serious problem for companies and individuals who manage machines remotely.
There is, however, another way to find and remove the rogue DNS addresses. Open the IPv4 properties in the Control Panel, click Advanced and look at the DNS tab: the DNS server addresses appear there separated by spaces, exactly as in the registry, whereas normally each address would be listed on its own line. From there the rogue addresses can be removed, and the machine will resolve names normally again.
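The registry check and clean-up described above can be scripted instead of done by hand. The following PowerShell script is an added example for this page, not ESET's tooling or anything from the Microsoft article: it reads the NameServer value of every interface under the standard per-interface TCP/IP registry key, flags values whose separator is a space or semicolon (ESET found that a semicolon hides the entries just as a space does), compares the result with what the resolver is actually using, and offers to clear the hidden value. The function name and the remediation step are this page's own illustration.

```powershell
# Added example: find NameServer values whose separator hides them from the
# IPv4 properties dialog (space or semicolon instead of comma).
# This key is the standard location for per-interface TCP/IP settings;
# DHCP-supplied servers live in DhcpNameServer, so a non-empty NameServer
# is always a static override.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-StaticDnsEntries {
    Get-ChildItem -Path $base | ForEach-Object {
        $ns = (Get-ItemProperty -Path $_.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
        if ([string]::IsNullOrWhiteSpace($ns)) { return }
        [pscustomobject]@{
            Interface  = $_.PSChildName
            NameServer = $ns
            Servers    = @($ns -split '[ ,;]+' | Where-Object { $_ })
            # A comma-separated list is shown by the GUI; space or semicolon is not
            Hidden     = [bool]($ns -match '[ ;]')
        }
    }
}

$entries = Get-StaticDnsEntries
$entries | Format-Table Interface, Hidden, NameServer -AutoSize

# What the resolver really uses, regardless of what the dialog shows
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# Remediation (run from an elevated prompt): clear the hidden value so the
# adapter really does obtain DNS automatically. Remove -WhatIf once the
# flagged interfaces have been reviewed.
foreach ($e in $entries | Where-Object Hidden) {
    Set-ItemProperty -Path (Join-Path $base $e.Interface) -Name NameServer -Value '' -WhatIf
}
```

An interface reported as Hidden = True whose ServerAddresses are populated while the Control Panel dialog says "obtain automatically" is exactly the condition ESET describes. Reading the key works from a normal prompt; writing it requires administrator rights.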
ESET discovered the issue and reported it to Microsoft on May 10. Microsoft replied that it understood the problem and would try to address it in an upcoming update to the operating system, but that it would not treat it as a security issue. ESET has observed DNS Unlocker using this technique since December 2015. The researchers said that the trick appears to work on all versions of Windows, and that it still works if the comma is replaced with a semicolon instead of a space.