Threat Database Trojans Trojan.IStartSurf


By CagedTech in Trojans

The Extenbro Trojan, also detected as Trojan.IStartSurf, is a newly found DNS hijacking Trojan capable of swapping genuine DNS servers managed by a real ISP with rogue ones managed by malware actors. By doing so, Extenbro/Trojan.IStartSurf prevents targeted PC users from accessing AV software solutions, which may be needed for removing annoying adware tools planted by the DNS changer beforehand. The redirection from clean to compromised DNS servers is dependent upon successful neutralization of the IPv6 protocol.

DNS Changers have been in circulation since late-2011 when the FBI neutralized a slew of rogue DNS servers that communicated with PCs already taken hold of by a DNS Changer. When redirected to a rogue DNS changer, the PC user’s machine is bound to stay offline for good unless redirected to uncompromised DNS servers.

The goal pursued by malware actors using DNS-changing malware is to flood targeted users with endless streams of adware pop-ups and click baits, which could throw them into the deep end of greater malware threats potentially. The prospect of such an outcome is quite real for many pop-up advertisements that are designed to trick people into performing a series of page clicks, which may lead to one or more forms of threatening software landing on their machines. To achieve this malware escalation, the actors in charge need to block the PC user’s access to any anti-malware vendors. Since a DNS Changer is capable of locking anyone out of their Internet connection, the Extenbro/Trojan.IStartSurf can be used to do just that. Instead of blocking everything, however, Extenrbo’s usurpers have reduced their targets to four DNS servers, namely:


The servers mentioned above can only be seen in the Advanced TCP/IP Settings Tab. Even though an infected user can remove them one by one, they resurface upon system reboot thanks to a task scheduler planted deep into the User’s AppData directory. Last but not least, Extenbro embeds a root certificate right into the Windows Certificate Store. Infected users willing to overcome the DNS barrier put up by the Extenbro/Trojan.IStartSurf malware needs to search out the DNS servers used by their Internet Service Providers (ISPs) or seek specialized help.


Most Viewed