2007-06-06 βTCP/IP Settings plugin
md usa spybot fan
2007-06-06, 16:32
Could someone please explain the purpose of the following beta update?
βTCP/IP Settings plugin - !TCP/IP Settings plugin (65 KB) - 2007-06-06
hi,
Some malware (for instance Zlob.DNSChanger) is able to change the computer's TCP/IP settings. In the case of Zlob.DNSChanger, bad DNS servers are entered.
The TCP/IP settings plugin enables Spybot to use new rules which can detect IP addresses entered by malware and exchange them with non harmful entries.
Further plugins will enable Spybot to increase its set of rules and rule parameters without the need for a new main update. Thus the plugins make Spybot more flexible.
md usa spybot fan
2007-06-12, 14:27
Yodama:
Thank you for the explanation.
Regards,
md usa spybot fan
greenhatch
2007-06-13, 23:47
Excellent addition: well done the Spybot team
hi all,
Where do I download that update from? Is it possible to download it without using the integrated update? Is it included in the includes download from the site?
md usa spybot fan
2007-06-18, 13:35
srxy1:
See the answer to your duplicate query ( http://forums.spybot.info/showpost.php?p=96016&postcount=6) in this thread:
TrojansC.Sbi
http://forums.spybot.info/showthread.php?t=14869
yodama,
Would you happen to know how to use this update? I am trying to remove that Zlob.DNSChanger trojan and I have to restore it because it knocks down my internet.
@taco006: The problem was the replacement DNS servers - some of those we chose seem not to be available everywhere. Today's update will replace Zlob DNS servers with two from OpenDNS (http://www.opendns.com/), which should be available everywhere.
@srxy1: separate installer is a good point, should be available soon.
hi,
Some malware (for instance Zlob.DNSChanger) is able to change the computer's TCP/IP settings. In the case of Zlob.DNSChanger, bad DNS servers are entered.
The TCP/IP settings plugin enables Spybot to use new rules which can detect IP addresses entered by malware and exchange them with non harmful entries.
Maybe I'm not understanding properly - the malware is changing DNS entries on our machine and Spybot's solution is to set the DNS entries to something else? Shouldn't it just remove the malware and leave our settings alone - or does it set the DNS to a benign setting and then we have to change the settings back ourselves? Otherwise that doesn't sound like a solution, or am I completely misunderstanding what's happening here?
thanks! :)
If the malware replaces your "official" DNS settings with malicious entries, just removing those would leave you without any DNS servers at all - thus disconnected from the net (unless you know and want to type in the IPs of all sites you want to visit ;) ).
For Spybot, it is quite difficult to guess what your settings were; it could remember what they were during installation (which would make the removal ineffective if the malware was already in place when you installed Spybot), or it could look them up in one of those backup copies of settings (which would also just restore the same bad settings if you had the malware long enough for it to get backed up by Windows).
Using benign settings from our database might not give you DNS servers as fast as the ones from your provider, but they're safer than using machine backups that might have been compromised as well. Since the replacement only takes place when something bad was found, I think a better chance of having a clean DNS server is more important than having the original one, with more danger of restoring a compromised setting.
shouldn't it just remove the malware and leave our settings alone
If it left the setting alone, you would still be pointed to the compromised DNS for lookups. Meaning, you could fall victim to phishing and/or re-infection.
or does it set the DNS to a benign setting and then we have to change the settings back ourselves?
Exactly. If DNS lookups were working with a compromised machine, then that machine must not be firewalled outbound to the internet - so using OpenDNS will work fine.
Alternatively, SB could set the DNS setting to automatic detection (if the IP address is also done via DHCP). This is probably what most people would want, but the solution they implemented is the only one that won't suddenly "break the internet" for a handful of users.
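The remediation policy the last two posts argue over (drop the rogue resolvers, fall back to automatic DNS where the adapter already uses DHCP, otherwise substitute known-good servers rather than leave the machine with no resolver) can be written down as a small decision routine. The block below is an added illustration by the editor, not the Spybot plugin's code: the rogue rule set and the benign fallback use constructed documentation-range addresses (the thread's real fallback was two OpenDNS servers), and the `AdapterDns` record is a hypothetical stand-in for what Windows stores per interface.

```python
"""Detect malware-configured DNS resolvers per adapter and apply a safe replacement policy.

Added illustration for the thread above; not the Spybot plugin's own code.
Every address below is constructed from RFC 5737 documentation ranges.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed detection rules: networks the rule set treats as rogue resolvers.
ROGUE_DNS_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed placeholders for the benign replacement resolvers the thread describes.
BENIGN_DNS = ["203.0.113.53", "203.0.113.54"]


@dataclass
class AdapterDns:
    """Hypothetical per-interface DNS configuration (stand-in for the Windows registry data)."""
    name: str
    dhcp_enabled: bool                                    # True if the adapter's own IP comes from DHCP
    dns_servers: list[str] = field(default_factory=list)  # empty list means "obtain automatically"


def classify(server: str) -> str:
    """Return 'rogue', 'invalid' or 'ok' for one configured resolver address."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"          # garbage in the DNS field is dropped, never dialled
    return "rogue" if any(addr in net for net in ROGUE_DNS_NETWORKS) else "ok"


def remediate(adapter: AdapterDns) -> tuple[AdapterDns, list[str]]:
    """Apply the policy from the thread and return (new config, entries removed).

    - An adapter with no rogue entry is left exactly as it was (no unneeded change).
    - Rogue and unparsable entries are removed.
    - If the adapter's IP comes from DHCP, DNS goes back to automatic so the
      provider's resolvers are handed out again.
    - Otherwise surviving static entries are kept; if none survive, the benign
      fallback is installed so the machine is not left without any resolver.
    """
    verdicts = [(s, classify(s)) for s in adapter.dns_servers]
    if not any(v == "rogue" for _, v in verdicts):
        return adapter, []
    removed = [s for s, v in verdicts if v != "ok"]
    survivors = [s for s, v in verdicts if v == "ok"]
    new_servers = [] if adapter.dhcp_enabled else (survivors or list(BENIGN_DNS))
    return AdapterDns(adapter.name, adapter.dhcp_enabled, new_servers), removed


def scan(adapters: list[AdapterDns]) -> list[tuple[str, list[str], list[str]]]:
    """Run remediation over all adapters; report (name, removed, resulting servers)."""
    report = []
    for adapter in adapters:
        fixed, removed = remediate(adapter)
        report.append((adapter.name, removed, fixed.dns_servers))
    return report


if __name__ == "__main__":
    # Constructed sample: a DHCP laptop with a rogue primary, a static server with
    # only rogue entries, and a clean adapter that must not be touched.
    sample = [
        AdapterDns("wifi", True, ["192.0.2.10", "10.0.0.1"]),
        AdapterDns("lan-static", False, ["198.51.100.5", "not-an-ip"]),
        AdapterDns("vpn", False, ["10.8.0.1"]),
    ]
    for name, removed, servers in scan(sample):
        print(f"{name}: removed={removed} now={servers or 'automatic (DHCP)'}")
```

Note the asymmetry the thread points out: the DHCP branch gives users back their provider's resolvers, but only works where the address itself is DHCP-assigned, which is why a static fallback list is still needed for the remaining adapters.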