Extenbro

Extenbro is a domain name system (DNS) changer trojan that is delivered with an adware bundle and used to block access to security-related sites, preventing victims from installing software that could remove the adware. The trojan changes the DNS settings of the infected machine and adds further DNS servers that are only visible through the “Advanced” button of the DNS settings. If the victim changes the DNS servers and reboots the system before taking additional action, the malicious DNS settings reappear because of a Scheduled Task. Extenbro also disables IPv6 to force the system to use the new DNS servers. Impacted users are advised to change the DNS servers to known safe settings and check the Advanced DNS settings to remove any additional servers. Once this is done, navigate to a security site to download software to remove the adware. Your browser may need to restart, but do not reboot your system until the adware has been removed.
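As an added detection example (not part of this advisory or of the Malwarebytes analysis), the following Python script parses saved `ipconfig /all` output, collects every DNS server per adapter including the extra entries that only show up under the Advanced settings, and flags adapters pointing at the DNS servers listed in the IOCs below. The sample output is constructed, and treating a missing IPv6 address as a sign that IPv6 was disabled is an assumed heuristic.

```python
import re
from dataclasses import dataclass, field
# DNS servers listed as Extenbro indicators in this advisory.
EXTENBRO_DNS = {"45.86.180.227", "185.162.93.213", "116.203.6.218", "185.130.104.222"}
ADAPTER_RE = re.compile(r"^\S.*:\s*$")  # e.g. "Ethernet adapter Ethernet:"
# Field lines look like "   DNS Servers . . . . : value"; the dotted leader ends in " :".
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*\s: ?(.*)$")

@dataclass
class Adapter:
    name: str
    dns: list = field(default_factory=list)
    has_ipv6: bool = False  # True once any "... IPv6 Address" field is seen

def parse_ipconfig(text):
    """Parse `ipconfig /all` output into Adapter objects with every DNS server."""
    adapters, current, last_field = [], None, None
    for line in text.splitlines():
        if ADAPTER_RE.match(line):
            current = Adapter(line.strip().rstrip(":"))
            adapters.append(current)
            last_field = None
        elif current is not None and (m := FIELD_RE.match(line)):
            last_field, value = m.group(1), m.group(2).strip()
            current.has_ipv6 |= "IPv6 Address" in last_field
            if last_field == "DNS Servers" and value:
                current.dns.append(value)
        elif last_field == "DNS Servers" and line.strip():
            # Extra servers (the ones hidden behind "Advanced") continue on indented lines with no field name.
            current.dns.append(line.strip())
    return adapters

def assess(adapters):
    """Adapters using advisory DNS IOCs; no IPv6 address is a heuristic hint that IPv6 was disabled."""
    return {a.name: {"bad_dns": sorted(set(a.dns) & EXTENBRO_DNS),
                     "no_ipv6_address": not a.has_ipv6}
            for a in adapters if set(a.dns) & EXTENBRO_DNS}

# Constructed sample of `ipconfig /all` output, not a real capture.
SAMPLE = """Ethernet adapter Ethernet:

   DNS Servers . . . . . . . . . . . : 45.86.180.227
                                       185.162.93.213
                                       116.203.6.218
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 2:

   Link-local IPv6 Address . . . . . : fe80::1%5
   DNS Servers . . . . . . . . . . . : 10.0.0.1
"""
```

Run `ipconfig /all > ipconfig.txt` on the suspect machine and pass the file contents to `parse_ipconfig` followed by `assess`; any adapter returned still carries the advisory's DNS servers.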

Indicators of Compromise (IOCs)

DNS servers:

  • 45.86.180.227

  • 185.162.93.213

  • 116.203.6.218

  • 185.130.104.222

Installer:

  • SHA256 b2a28e9abb04a5926d53850623b1f3c6738169b27847e90c55119f2836c17006

Root certificate:

  • 36509B8F624CE280E0C797F42F4A8F552A280313

Reporting and Technical Details

Malwarebytes provides technical analysis of Extenbro on their blog.

NJCCIC