
Archive for August 17th, 2007


Aug17
by Jasper Pimentel (Advanced Threats Researcher)

We’ve just received reports that the website of DaHua High School (hxxp://www.thsh.tyc.edu.tw/), a private high school in Taiwan, has been compromised.
It seems that an IFRAME tag has been injected into the website's initial page (default.asp); when the page is viewed, the frame silently loads a malicious web page (hxxp://www.832821.cn/rrr.htm) that is completely unaffiliated with the high school.

{Screenshot of the compromised DaHua High School page: dahua.jpg}

The malicious web page loaded by the IFRAME downloads several files: a file with a .bmp extension, a couple of JavaScript files and a pair of HTML files. The "bitmap" is not an image at all but an ANI (animated cursor) exploit file, detected by Trend Micro as EXPL_ANICMOO.GEN. If the exploit succeeds, these files download and run a malicious executable, SYSDOWN.EXE, detected by Trend Micro as TSPY_DELF.GMN. Because of the malicious content being served, Google has already issued a warning for this website.

{Screenshot of the Google warning for the website: dahuagoogle.jpg}
Credits go to Nick Lee (China Regional TrendLabs) for informing us of the incident.

 
Posted in Security

Aug17

Note that this entry was first posted on March 27, 2007.

We’ve received a very interesting write-up from our associates, Feike Hacquebord and Chenghuai Lu, regarding rogue DNS servers. I’m sure you’ll find the report below quite informative.

Rogue DNS Servers

Researchers at Trend Micro have identified a network of more than 115 rogue DNS servers that are used by DNS-changing Trojans. This article describes the threats posed by these rogue DNS servers.

DNS

Domain Name System (DNS) servers resolve human-readable domain names to the IP addresses of servers on the Internet. Normally, when a user types a web address into the browser's address bar, www.google.com for example, a DNS server resolves that name to an IP address hosting the Google web page, and the browser knows where to fetch it. If the user mistypes the domain, e.g. wwe.google.com, the DNS server reports that the name does not exist and the browser shows an error message.

Most Internet users automatically use the DNS servers of their ISP. DNS-changing Trojans silently modify the computer's settings so that it uses DNS servers chosen by the attacker instead. These servers are operated by malicious third parties and translate certain domains to false IP addresses. As a result, victims are redirected to possibly malicious websites without noticing. For example, if a user wants to view www.google.com, a rogue DNS server may resolve www.google.com to an IP address controlled by an unknown third party. If that party serves pages that look exactly like Google's, the user may believe he is browsing Google while actually visiting a site controlled by someone other than Google. This can lead the user to leak sensitive information, such as credentials, to the attacker.

Network of 115+ rogue DNS servers

Researchers at Trend Micro have identified a network of more than 115 rogue DNS servers that are used by a certain variant of TROJ_DNSCHANG [1]. These DNS servers exhibit interesting behavior. We found that the DNS servers resolved most existing domains correctly at the times we queried them. For non-existent domain names, however, the rogue DNS servers do not return the usual error (an NXDOMAIN answer); instead they resolve the name to a malicious IP address.

See Figure 1 for an example.

(1) The DNS query result on wwe.google.com from a legitimate DNS server

(2) The DNS query result on wwe.google.com from a rogue DNS server

Figure 1. DNS queries on wwe.google.com

We entered “wwe.google.com” in the address bar of an Internet browser that is using one of the rogue DNS servers to resolve domain names. We found that instead of displaying the usual error message “page not found”, it redirected us to a website that hosts a rogue adult search engine. See Figure 2.

Figure 2. Result of visiting a non-existent webpage before and after Trojan infection

Another interesting thing we found is that the rogue DNS servers hijack some known bad domain names that hosted malware or C&C servers. For example, www.toolbarpartner.com is an old infamous bad domain of such kind, which is currently parked. The rogue DNS servers resolve www.toolbarpartner.com to different IP addresses than the authoritative nameservers do. See Figure 3.

Figure 3. DNS queries on www.toolbarpartner.com from infected hosts

Resolving bad domain names differently means that other malware that might be present on the victim's computer may behave differently than it was designed to. In particular, a built-in update function that polls a website for malware updates may now generate automated clicks on adult web pages (click fraud). In our example, attempts to fetch malware updates from www.toolbarpartner.com on a computer infected with the DNS-changing Trojan discussed in this article do indeed result in clicks on adult web pages.

Apparently, the rogue DNS servers are used for click fraud. The fact that more than 115 rogue DNS servers all behave identically suggests that a large number of victims are infected with this particular DNS-changing malware. Together, the infected computers form a large network that can direct a lot of traffic to any website.
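As an added example (not part of the original write-up or of Trend Micro's tooling), the Python script below implements the two checks the analysis above rests on. First, it queries a suspect server for a random label that cannot exist under a parent domain and classifies the server by its answer: NXDOMAIN from a legitimate resolver, or NOERROR with an A record from a rogue server of the kind described here. Second, it compares the addresses a suspect server returns for a known domain (the www.toolbarpartner.com case of Figure 3) with those from a reference resolver. The DNS packet builder and parser use only the standard library; build_response exists so the logic can be exercised offline with constructed responses. The assumption that google.com has no wildcard A record, the function names, and the default server 8.8.8.8 are the example's own.

```python
import random
import socket
import string
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def _encode_name(name):
    # "wwe.google.com" -> b"\x03wwe\x06google\x03com\x00" (RFC 1035 labels)
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, txid):
    """Recursive A/IN query: 12-byte header with RD=1, then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, rcode, ips):
    """The response a server would send (QR/RD/RA set); used for offline tests."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        answers += bytes(int(octet) for octet in ip.split("."))
    return header + question + answers


def _skip_name(data, off):
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_response(data, txid):
    """Return (rcode, [A record addresses]) from a raw DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def udp_resolve(server, name, timeout=3.0):
    """Ask one specific server (not the system resolver) for name's A records."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def random_probe(parent):
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
    return "%s.%s" % (label, parent)


def classify_resolver(resolve, parent="google.com"):
    """resolve(name) -> (rcode, ips). Assumes `parent` has no wildcard record."""
    rcode, ips = resolve(random_probe(parent))
    if rcode == RCODE_NXDOMAIN and not ips:
        return "clean"
    if rcode == RCODE_NOERROR and ips:
        return "nxdomain-hijack"
    return "inconclusive"


def compare_known_domain(resolve_suspect, resolve_reference, name):
    """Figure 3 check: does the suspect server answer a known domain differently?"""
    _, suspect_ips = resolve_suspect(name)
    _, reference_ips = resolve_reference(name)
    return sorted(suspect_ips), sorted(reference_ips), set(suspect_ips) != set(reference_ips)


if __name__ == "__main__":
    import sys
    suspect = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"   # assumed default
    print(suspect, classify_resolver(lambda n: udp_resolve(suspect, n)))
```

Run it from a suspected victim with the DNS server address found in the host's network settings as the argument. Two caveats before concluding that a DNS changer is present: a parent domain with a wildcard A record, or an ISP resolver that redirects NXDOMAIN to an advertising page, will also classify as nxdomain-hijack, so confirm with compare_known_domain against a resolver you trust.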

The rogue DNS servers include, but are not limited to these addresses:

References:

TROJ_DNSCHANG.BM

 
Posted in Security

Aug17

A multi-component malware currently detected by Trend Micro as TROJ_DROPPER.CIY drops and executes svchost.exe, detected as TSPY_ONLINEG.DRX, in the folder %ProgramFiles%\Common Files (the name mimics the legitimate Windows service host, which lives in the System32 folder). It also drops setup.exe in the same directory; this is a WinPcap package consisting of npf.sys, wanpacket.dll, packet.dll and wpcap.dll, the driver and libraries the malware needs to send and capture raw frames on the affected user's network card.



So where's the catch? Putting the pieces together, what we have is an infostealer plus the components needed to meddle with the local network. This can cause quite a stir, because the dropped malware uses ARP poisoning: it sends forged ARP replies so that other hosts on the LAN send their traffic to the compromised system instead of to the real gateway, and it then collects sensitive information such as user names and passwords from the traffic passing through it.





{Actual capture from infected network}



It can also insert a very long string of B's into the HTML pages fetched by the affected hosts, so some visited sites appear slightly defaced.
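The ARP poisoning described above leaves a signature in the ARP traffic itself: the infected machine's MAC address shows up as the sender hardware address for IP addresses that belong to other hosts, typically the gateway. The Python below is an added example, not part of the original post or of the malware analysis. It builds and parses raw Ethernet/ARP frames with the standard library and flags the three symptoms a poisoned segment shows: a trusted IP-to-MAC binding being contradicted, one IP advertised by several MACs, and one MAC claiming several IPs. The sample frames, the addresses, and the max_ips_per_mac threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826). op: 1 request, 2 reply."""
    dst = mac_bytes(target_mac) if op == 2 else b"\xff" * 6   # requests are broadcast
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet/IPv4, 6+4 byte addresses
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


def detect_arp_poisoning(frames, trusted=None, max_ips_per_mac=2):
    """Scan raw frames and return alert strings.

    trusted: known IP -> MAC bindings (at minimum the gateway).
    max_ips_per_mac: one MAC claiming more addresses than this is flagged
    (the threshold is this example's assumption; tune it for proxies/routers).
    """
    trusted = dict(trusted or {})
    macs_for_ip = defaultdict(set)
    alerts = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None or arp["op"] not in (1, 2):
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip == "0.0.0.0":            # ARP probe: asserts no binding
            continue
        if ip in trusted and trusted[ip] != mac:
            msg = "%s claimed by %s, trusted binding is %s" % (ip, mac, trusted[ip])
            if msg not in alerts:
                alerts.append(msg)
        macs_for_ip[ip].add(mac)
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1:
            alerts.append("%s advertised by several MACs: %s" % (ip, ", ".join(sorted(macs))))
    ips_for_mac = defaultdict(set)
    for ip, macs in macs_for_ip.items():
        for mac in macs:
            ips_for_mac[mac].add(ip)
    for mac, ips in ips_for_mac.items():
        if len(ips) > max_ips_per_mac:
            alerts.append("%s claims %d addresses: %s" % (mac, len(ips), ", ".join(sorted(ips))))
    return alerts


# Constructed sample segment: a gateway, a victim and an infected host.
GATEWAY_MAC, GATEWAY_IP = "aa:aa:aa:aa:aa:01", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "cc:cc:cc:cc:cc:10", "192.168.1.10"
ATTACKER_MAC = "bb:bb:bb:bb:bb:99"
TRUSTED = {GATEWAY_IP: GATEWAY_MAC}
SAMPLE_FRAMES = [
    build_arp_frame(1, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),  # who has the gateway?
    build_arp_frame(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),          # honest answer
    build_arp_frame(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),         # poison victim: "gateway is me"
    build_arp_frame(2, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),        # poison gateway: "victim is me"
    build_arp_frame(2, ATTACKER_MAC, "192.168.1.20", GATEWAY_MAC, GATEWAY_IP),   # and a third host
]
```

Feed it the raw bytes of each Ethernet frame from a capture taken on the segment; the first two sample frames alone produce no alert, the full set produces four. The trusted-binding check is the one that matters operationally, since a static entry for the gateway is what most hosts on a small LAN can verify.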




 
Posted in Uncategorized

Aug17
by Okamoto Katuyuki (Threats Analyst)

Reports of a phishing scam that impersonates the official website of Shinsei Bank in Japan surfaced on July 12, and several more reports of the scam were received on July 25. The 25th of July, of course, coincides with payday at many companies in Japan, which makes this look like a planned and carefully timed attack.



The screenshot below is an example of the email message that invites target users to click a link that directs them to the phishing site:





It is puzzling, however, that the content is written in English when the target recipients are presumably Japanese customers of Shinsei Bank.



Confirmed subject lines of the phishing email so far are the following:



  • Lock your Shinsei Bank Online Access!
  • Suspend your account!
  • We regret to inform you!



The link text looks exactly like a legitimate Shinsei Bank URL. The phisher, however, set the href attribute of the anchor tag, which controls where the link actually goes, to the address of the malicious site, while the visible text still shows the bank's URL.
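Both the hidden IFRAME injection in the DaHua High School post above and the mismatched link in this phishing mail come down to the same question about the HTML: does an element fetch from, or point to, a host other than the one the page or the visible text claims? The Python below is an added example, not code from either post or from Trend Micro. It uses the standard library's html.parser; the sample page, the sample mail, the host names (attacker.example, www.example-bank.co.jp) and the addresses are constructed placeholders, and the hidden-frame heuristic (zero or one-pixel size, display:none, visibility:hidden) is the example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TagCollector(HTMLParser):
    """Collect every <iframe> (attribute dict) and every <a> (href, visible text)."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "a":
            self._href = attrs.get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a schemeless 'www.x.y/...' is treated as http."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _px(attrs, key):
    digits = re.sub(r"[^0-9]", "", attrs.get(key, ""))
    return int(digits) if digits else -1


def find_suspicious_iframes(html, page_host):
    """Frames loading from another host; 'hidden' marks the zero-size or
    invisible ones that an injected drive-by frame typically is."""
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = host_of(src)
        if not src_host or src_host == page_host.lower():
            continue                       # relative or same-host frames are not the target
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (_px(attrs, "width") in (0, 1) or _px(attrs, "height") in (0, 1)
                  or "display:none" in style or "visibility:hidden" in style)
        findings.append({"src": src, "host": src_host, "hidden": hidden})
    return findings


_URLISH = re.compile(r"^(https?://|www\.)\S+$", re.I)


def find_mismatched_links(html):
    """Anchors whose visible text is a URL on one host while href goes to another."""
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not _URLISH.match(text):
            continue
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append((text, href))
    return findings


# Constructed samples, not the real compromised page or the real phishing mail.
SAMPLE_PAGE = """<html><body><h1>School news</h1>
<iframe src="/calendar.asp" width="400" height="300"></iframe>
<iframe src="http://attacker.example/rrr.htm" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""

SAMPLE_MAIL = """<p>We regret to inform you! Your online access will be suspended.</p>
<p>Please confirm your details at
<a href="http://198.51.100.7/bank/login.htm">http://www.example-bank.co.jp/online/</a></p>
<p><a href="https://www.example-bank.co.jp/help/">Help</a></p>"""
```

The link check compares hostnames exactly, so a mail that shows www.bank.example and links to bank.example is reported as a mismatch; relax that to a registrable-domain comparison if it generates noise, but not further, since look-alike subdomains are exactly what phishers use.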

 
Posted in Uncategorized

Aug17
by Roderick Ordoñez (Technical Communications)

Spammers have just turned up their creative meters a notch. Just recently, they’ve resorted to using DOC and XLS attachments to spread stock spam samples, obviously not content with just using text and image spam anymore.



Now they’ve added the FDF format to their list of preferred attachments. See screenshots below:



{Email sample with FDF as attachment}



{Email sample with FDF as attachment}



FYI: FDF stands for "Forms Data Format" and is used to represent the form data and annotations contained in a PDF form. The format was created by Adobe Systems Incorporated and is based on PDF syntax; FDF files can be opened with Adobe's free Acrobat Reader. Opening the attachment reveals the usual stock spam, as shown in the following images:



{FDF attachment shows stock spam}



{FDF attachment shows stock spam}



Using a less common format such as FDF may be the spammer's way of getting around antispam filters, which have obviously been updated to block spam hidden in text, images, DOC and XLS files. The variety of formats used to spread spam keeps growing, which brings one question to mind: what will these spammers think of next?
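An added example, not from the original post, of the two things a mail gateway needs in order to stop treating FDF as an opaque blob: identify the attachment by its magic bytes rather than by its file extension, and pull the literal strings and the /T (field name) and /V (value) pairs out of the FDF body so the stock pitch reaches the same text filter that already catches it in text and image spam. The sample FDF, the ticker and the pitch text are constructed; the parser handles the PDF string escapes it is likely to meet, but not nested parentheses or hex strings, and the magic-byte table covers only the formats this post mentions.

```python
import re

# Magic bytes -> type name; only the formats discussed in this post.
MAGIC = [
    (b"%FDF-", "fdf"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy DOC/XLS container
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
]
EXT_TO_KIND = {"fdf": "fdf", "pdf": "pdf", "doc": "ole2", "xls": "ole2",
               "png": "png", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg"}


def sniff_type(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


_STR = rb"\(((?:\\.|[^\\()])*)\)"                   # PDF literal string, escapes allowed, no nesting
_DICT = re.compile(rb"<<((?:(?!<<|>>).)*)>>", re.S)  # innermost << ... >> dictionaries
_T = re.compile(rb"/T\s*" + _STR, re.S)
_V = re.compile(rb"/V\s*" + _STR, re.S)
_ANY_STR = re.compile(_STR, re.S)


def _unescape(raw):
    # Common PDF string escapes only: \( \) and \\ .
    return (raw.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def fdf_fields(data):
    """Map field name (/T) -> value (/V) for every field dictionary in an FDF body.
    The order of /T and /V inside a dictionary is not significant in PDF syntax."""
    fields = {}
    for d in _DICT.finditer(data):
        t, v = _T.search(d.group(1)), _V.search(d.group(1))
        if t and v:
            fields[_unescape(t.group(1))] = _unescape(v.group(1))
    return fields


def fdf_text(data):
    """Every literal string in the body: the text an anti-spam filter should see."""
    return [_unescape(m.group(1)) for m in _ANY_STR.finditer(data)]


def inspect_attachment(filename, data):
    """Classify by content, note whether the extension lies, and expose the text."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    text = " ".join(fdf_text(data)) if kind in ("fdf", "pdf") else ""
    return {"declared": ext, "sniffed": kind,
            "mismatch": EXT_TO_KIND.get(ext) != kind, "text": text}


# Constructed FDF attachment carrying a stock pitch in its form fields.
SAMPLE_FDF = b"""%FDF-1.2
1 0 obj
<< /FDF << /Fields [
  << /T (headline) /V (XYZZ Corp set to explode \\(up 300%\\) - buy before Monday) >>
  << /V (XYZZ) /T (ticker) >>
] >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
```

The point of sniff_type is that the filter decision should never depend on the attachment name: a body beginning with %FDF- is FDF whatever it is called, and an FDF renamed to .doc is itself a signal worth scoring.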

 
Posted in Uncategorized


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice