Trojans detected after switching to CloudFlare DNS

Katze
I decided to switch from Google's DNS to CloudFlare after watching Linus's new video on Floatplane, and within 10 minutes my computer detected and stopped a Trojan.
I also did a scan with Malwarebytes and found a bitcoin miner... (Note: I did a scan with Malwarebytes about a week ago and found nothing.)
I was only browsing YouTube.
 
Random coincidence?

Switching from one legitimate DNS provider to another legitimate DNS provider does not open you to those types of attacks unless the provider itself has been compromised. Even then, all they can do is route you to a site that looks like the real site, but it's much easier to intercept a client request (MITM) than to take over a DNS provider (it has still happened, though).

Those miners can often go undiscovered for quite some time depending on how aware the user is. Chances are you got it from clicking a sketchy ad, visiting a sketchy site, or downloading something you shouldn't have.


I monitor my computer resources constantly, as they are on my second monitor; after the Trojan was detected, I noticed the CPU ramp up.


1 minute ago, Katze said:

I monitor my computer resources constantly, as they are on my second monitor; after the Trojan was detected, I noticed the CPU ramp up.

Changing DNS providers does not give system permissions to download and install applications (infectious or not). Worst case scenario, you got sent to a website that looked like the real site but was full of viruses. Even then, though, CloudFlare as a service would have had to have its security jeopardized, and although that is possible, it's not a common issue.

It's something you clicked or downloaded. Unless you aren't the only user of this computer, in which case it's something THEY clicked or downloaded.


I just find it odd that it happened after switching DNS and while I was only on YouTube.


When the alert was generated, did it provide a location for where it caught the Trojan / bitcoin miner running from?

As Windows7ge mentioned, switching DNS providers would have no effect on this, so it's probably nothing more than mere coincidence (unless switching DNS providers caused the Trojan / bitcoin miner to make a callout / perform some type of action that triggered the AV). It's most likely that someone using the machine downloaded and ran a suspicious file / when visiting a site, ads or JS on a web page automatically tried to download the file and Malwarebytes caught it hitting disk / it was only caught after new signature updates (so from a site previously visited).


11 hours ago, Katze said:

I just find it odd that it happened after switching DNS and while I was only on YouTube.

I agree it's odd, but as others have mentioned, the only thing that could plausibly have happened in regards to changing the DNS would be getting directed to "fake" sites, which I find really kinda unlikely in the case of YouTube.

Is anyone else besides you using this computer, or does anyone else have access to it?


It may be worth checking other computers/devices in your network to make sure there is not another infected host that is spreading the Trojan/miner. Assuming you did not go to a malicious site (or in the unlikely event that Cloudflare redirected you to a malicious website with a poisoned record), depending on the malware, it can spread to different hosts on your LAN. It may be that the origin point of infection is on another computer. I suppose there is also the possibility that you could have picked up the Trojan prior to your detection and its payload was time-based... that is also a bit unlikely for the situation, but you never know! Do you know the name of the Trojan/miner that was detected? It should be in the logs in Malwarebytes. Malwarebytes Labs normally has pretty detailed write-ups for what the malware does and how it spreads. Are you sure it was not a false positive?
