Extenbro is a domain name system (DNS) changer trojan that is delivered with an adware bundle and used to block access to security-related sites, preventing victims from downloading software that could remove the adware. The trojan replaces the DNS servers of the infected machine with its own. Some of the servers it adds are only visible behind the "Advanced" button of the adapter's TCP/IP settings, so the two entries shown on the main dialog are not the whole list. If the victim restores the DNS servers and reboots before taking further action, a Scheduled Task re-applies the malicious settings. Extenbro also disables IPv6 so that the system has no IPv6 resolvers to fall back on and is forced to use the injected DNS servers. Impacted users are advised to set the DNS servers to known-good values, open the Advanced DNS settings and remove any additional servers, then navigate to a security site and download software to remove the adware. The browser may need to be restarted, but the system should not be rebooted until the adware has been removed, or the Scheduled Task will restore the malicious DNS settings.
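The following PowerShell script is an added triage and clean-up example for the steps described above; it is not Malwarebytes' tooling and is not derived from the Extenbro sample. It makes no claim about the trojan's actual resolver addresses or the name of its Scheduled Task: the trusted-resolver list and the pattern used to spot a DNS-re-applying task are assumptions to be adjusted for your environment. It reports every DNS server configured per adapter (the full list, including the entries the GUI hides behind "Advanced"), adapters with IPv6 unbound, and tasks whose action looks like it rewrites DNS settings; with -Remediate it disables the flagged tasks, overwrites the DNS list and re-enables IPv6, and deliberately does not reboot.

```powershell
#Requires -RunAsAdministrator
# Added example for triaging a DNS-changer infection such as the one described above.
# Not the original analyst's code. Assumptions: the trusted resolvers below and the
# task-matching pattern; neither comes from the advisory.
param(
    [switch]$Remediate,
    # Assumption: replace with the resolvers your environment actually trusts.
    [string[]]$TrustedDns = @('1.1.1.1', '1.0.0.1')
)

# 1. DNS servers. Get-DnsClientServerAddress returns the complete per-adapter list,
#    including the extra entries the GUI only shows behind the "Advanced" button.
$suspectDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $bad = $_.ServerAddresses | Where-Object { $_ -notin $TrustedDns }
        if ($bad) {
            [pscustomobject]@{ Interface = $_.InterfaceAlias; UnexpectedServers = ($bad -join ', ') }
        }
    }

# 2. Adapters with the IPv6 protocol binding disabled (the trojan disables IPv6 so that
#    only its IPv4 resolvers are used).
$ipv6Off = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { -not $_.Enabled }

# 3. Scheduled tasks whose action looks like it re-applies DNS settings. Heuristic only:
#    the advisory does not give the persistence task's name, so match on what the action runs.
$taskPattern = 'netsh|dnsclient|dnsserver|ipv6'
$suspectTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { ("$($_.Execute) $($_.Arguments)") -match $taskPattern }
}

Write-Host '== Unexpected DNS servers per adapter =='
$suspectDns | Format-Table -AutoSize
Write-Host '== Adapters with IPv6 disabled =='
$ipv6Off | Select-Object Name, ComponentID, Enabled | Format-Table -AutoSize
Write-Host '== Scheduled tasks that touch DNS/IPv6 settings (review before remediating) =='
$suspectTasks | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize

if ($Remediate) {
    # Disable (do not delete) the tasks first so nothing re-applies the settings behind us;
    # the task definitions are kept for analysis.
    foreach ($t in $suspectTasks) {
        Disable-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath | Out-Null
    }
    foreach ($s in $suspectDns) {
        # Overwrites the whole server list, so the hidden "Advanced" entries are removed too.
        Set-DnsClientServerAddress -InterfaceAlias $s.Interface -ServerAddresses $TrustedDns
    }
    foreach ($b in $ipv6Off) {
        Enable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
    }
    Clear-DnsClientCache
    # No reboot here: remove the adware first, then reboot and re-run this script to confirm
    # the DNS list and IPv6 binding stayed clean.
}
```

Run it once without -Remediate from an elevated PowerShell prompt and review the flagged tasks, since the task pattern can match legitimate administrative jobs; only then run it again with -Remediate. The script changes the active settings only, so re-running it after the adware has been removed and the machine rebooted is the check that the persistence mechanism is really gone.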
Indicators of Compromise (IOCs)
Reporting and Technical Details
Malwarebytes provides technical analysis of Extenbro on their blog.