Using the Registry Editor for DNS Hijacking

Date: September 5, 2008


DNS hijacking is the illegitimate modification of an individual's DNS settings: the attacker breaks the correspondence between DNS names and IP addresses by pointing the victim's machine at rogue DNS servers. Users normally rely on the DNS server automatically assigned to them by their Internet Service Provider. Computers under the control of botnets use DNS-changing Trojans to surreptitiously replace the automatic, ISP-assigned DNS server setting with a manual setting that names a rogue DNS server. Once this is done, it is easy for scammers to redirect users to malicious copies of legitimate websites and trick them into revealing sensitive details.

The Windows registry is a hierarchical database that stores settings and options for Microsoft Windows operating systems. The registry can be edited manually; however, if you do not have much knowledge of registry editing it is best to leave it to the experts, as careless registry editing can cause irreversible damage to your PC. It is therefore wise to back up the registry before editing it. The Registry Editor is used to perform a number of tasks such as:

  • Create, manipulate, rename and delete registry keys, subkeys, values and value data
  • Remotely edit the registry on another networked computer
  • Find particular strings in key names, value names and value data

Scammers use the Registry Editor to hijack your DNS in the following manner. On Windows XP, open the "Run" option on the Start Menu; on Vista, use the search box on the Start Menu (the one labelled "Start Search"). Type in 'regedit'. Once the Registry Editor is open, expand the following keys in turn:

  1. HKEY_LOCAL_MACHINE
  2. \SYSTEM
  3. \CurrentControlSet
  4. \Services
  5. \Tcpip
  6. \Parameters
  7. \Interfaces
  8. \{random_CLSID} (it will look something like this: {48B64B72-C34D-2435-3FDD-4598C557FF7B})

The full path is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random_CLSID}, with one subkey per network interface.


Then select the 'NameServer' value. NameServer holds your PC's primary and secondary DNS server addresses. The spoofer can double-click NameServer and easily alter the IP addresses to point to their malicious DNS servers, from which they control which websites a user reaches. Scammers can use the query logs on their malicious DNS server to monitor your browsing habits; from those logs they can identify your most-visited sites and redirect them. This is a simple method, but it can have disastrous effects when used for criminal motives.
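A defender can audit the same values instead of trusting the Registry Editor by eye. The following Python script is an added example, not part of the original post: it parses a `reg export` dump of the Tcpip\Parameters key (the interface GUID, the sample addresses and the allowlist below are all constructed for illustration) and flags any static NameServer value, whether under a per-interface subkey or directly under Tcpip\Parameters, that is not on an approved list of resolvers. On a real machine the dump would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters dump.reg`, which typically writes UTF-16 text.

```python
import re

# Constructed sample of a `reg export` of Tcpip\Parameters. The GUID is made up
# and the addresses use the documentation ranges 192.0.2.0/24 and 203.0.113.0/24.
# The second key shows a normal DHCP-configured adapter; the first shows a static
# NameServer value at the global Parameters level pointing somewhere unexpected.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="203.0.113.7"
"Domain"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"NameServer"="192.0.2.53,192.0.2.54"
"DhcpNameServer"="192.0.2.53 192.0.2.54"
"EnableDHCP"=dword:00000001
"""

# Resolvers you expect to see (hypothetical allowlist, e.g. your ISP's or your own).
APPROVED_DNS = {"192.0.2.53", "192.0.2.54"}


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg (Version 5.00) export.

    Only the subset of the format needed here is handled: [key] headers and
    "name"=data lines. Quoted REG_SZ data has its quotes stripped; other
    types (dword:, hex:) are kept as the raw text after the '='.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                name, data = m.groups()
                if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                    data = data[1:-1]
                keys[current][name] = data
    return keys


def nameserver_entries(keys):
    """Return [(key_path, [ip, ...])] for every non-empty NameServer value.

    Value names are case-insensitive in the registry, so 'nameserver' and
    'NameServer' are treated alike. Windows separates multiple addresses with
    commas or spaces.
    """
    found = []
    for path, values in keys.items():
        for name, data in values.items():
            if name.lower() == "nameserver":
                ips = [ip for ip in re.split(r"[ ,]+", data) if ip]
                if ips:
                    found.append((path, ips))
    return found


def find_unapproved(keys, approved):
    """Return (key_path, ip) pairs where a static resolver is not on the allowlist."""
    findings = []
    for path, ips in nameserver_entries(keys):
        for ip in ips:
            if ip not in approved:
                findings.append((path, ip))
    return findings


def audit_reg_file(path, approved=APPROVED_DNS):
    """Audit a real dump on disk; reg export usually writes UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return find_unapproved(parse_reg_export(fh.read()), approved)


if __name__ == "__main__":
    for key_path, ip in find_unapproved(parse_reg_export(SAMPLE_REG_EXPORT), APPROVED_DNS):
        print(f"unexpected static DNS server {ip} under {key_path}")
```

An empty NameServer value means the adapter is using the DHCP-supplied servers recorded in DhcpNameServer, which is the normal state for most home machines; any non-empty static entry that you did not set yourself deserves a look.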


2 Comments

  • me says:

    You totally skipped over the one that overrides them all and what is actually used by virii. \Parameters\nameserver
    The one you point out is the OBVIOUS one which is simply fixed by going to the properties of your local network adapter, aka no need to go into the registry.

  • hake says:

    If your router provides IP filtering, only allow outgoing traffic to destination port 53 for the DNS server IP addresses you choose to resolve through.

    Use PC Tools Threatfire's Advanced Tools -> Custom Rules Settings and prevent HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\ or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ from being modified except by approved programs.
