TrendLabs Security Intelligence Blog

Author Archive - Feike Hacquebord (Senior Threat Researcher)

    Last Saturday, California-based Web hosting company Intercage dropped off the Internet because its upstream provider PIE decided to terminate its services. All of its servers became unreachable because its IP address space was no longer routed. Intercage found a new upstream provider last Monday, after being offline for more than 36 hours. Traffic to and from Intercage still appears absent as of this writing, probably because of filtering by a large Internet carrier further upstream.

    The Web hosting company got bad publicity from recent blog posts by Washington Post reporter Brian Krebs. He cited a research article that named Intercage as a major host of malware. The article criticized the Web host for selling services to Esthost, an Estonian Web hosting reseller and domain registrar accused of helping cyber criminals by allowing them to register domain names anonymously.

    It is well known among security researchers that Intercage's IP space has had a remarkable concentration of cybercrime over the last four years. But Intercage is not alone: other Web hosting companies in the US and Europe seem to have persistent problems with their customer base.

    On this blog, we have written a few times about the so-called rogue DNS (Domain Name System) network of ZLOB. We have shown that this network uses DNS tricks for a massive click fraud scheme targeting legitimate advertising companies and search engines. We also showed that the rogue DNS network can lead to leakage of the personal information of ZLOB victims.

    We monitored the rogue DNS network of ZLOB after Intercage went offline. Last week, we counted 1,178 live rogue DNS servers related to ZLOB. These rogue DNS servers resolved more than 14,000 domain names (including high-profile sites and major search engines) to 200+ malicious IP addresses. After Intercage disappeared from the Internet we looked again: since last Sunday, 655 of those rogue DNS servers have been down. Many spoofed sites related to ZLOB also disappeared, because they were all hosted by Intercage.

    Last Monday, we noticed a very slow recovery of the rogue DNS network. Some of the spoofed search engine Web sites came back online, but now in a data center operated by Cernel.net on the east coast of the US.

    We expect that in the coming days more of the rogue DNS network of ZLOB will move elsewhere, simply because the bad guys do not want to miss out on their ill-gotten revenues.

     



    More than a year ago, Trend Micro threat researchers uncovered a network of over 900 rogue DNS (Domain Name System) servers related to the ZLOB Trojan family. We gave examples showing that these rogue DNS servers are used for click fraud and for leaking personal information.

    Just recently, however, we discovered that this network is now targeting four of the most popular search engines. In a large-scale click fraud scheme, the ZLOB gang appears to hijack search results and replace sponsored links, using nothing more than DNS “tricks”.

    DNS is essential for the Internet to work. DNS servers translate domain names into the IP addresses assigned to computers connected to the Internet (and vice versa). This translation makes it possible for browsers to load Web sites from the correct computers. Most Internet users automatically use the DNS servers of their ISPs (Internet Service Providers) and implicitly trust that these DNS servers return correct results. If the DNS settings are changed to point to a fraudulent or malicious server, the victim may be unknowingly redirected to any (potentially malicious) server at any time while browsing the Internet.

    The ZLOB Trojans we found silently change the local DNS settings of affected systems to use two of the above-mentioned 900+ rogue DNS servers. These Trojans spread through advanced social engineering tricks; one example is professional-looking Web sites that promise Internet users access to pornographic movies once they install malware posing as a video codec. The number of ZLOB-related infections is huge: for the last six months of 2007, Microsoft reported more than 14,000,000 infections.

    It now appears that the ZLOB gang has entered the multibillion-dollar search engine market. ZLOB's rogue DNS servers resolve several domain names of the main search engines to fraudulent IP addresses. Among other things, this criminal operation has even set up rogue sites for the UK and Canadian versions of one of the largest search engines. Even searches performed via that company's installed browser toolbar are now hijacked by ZLOB. Another popular search engine company has been hit even harder: most, if not all, of the domain names that return its search results are resolved to fraudulent Web sites by the rogue DNS servers.

    The primary objective of ZLOB here appears to be stealing traffic and clicks from search engines, making money along the way. Affected users are immediately redirected to sites unrelated to their original search queries. All sponsored search hits of the two main search engines we analyzed were hijacked by ZLOB. Clicks on sponsored links are then credited not to the big search engine companies but to the ZLOB gang.

    Although Trend Micro sees incidents of spoofed Web sites (like those of banking companies) regularly, the scale of ZLOB’s click fraud with search engines looks unprecedented. As mentioned above, the number of the gang’s victims is believed to be huge. Unfortunately, the rogue DNS network of ZLOB is several years old, stable, and is still expanding.

    While much of the ZLOB malware is widely detected, new variants are occasionally created to evade detection and may temporarily slip through and victimize unwitting users. The criminals try to exploit exactly this window of opportunity, between the release of a new variant and the moment it is detected.

    We have taken steps to get in touch with our security contacts at each of the affected search engine companies, but alas, there is not much they can do about the problem, since the DNS “hijacking” is done locally, on the computers victimized by a ZLOB Trojan.
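    Because the hijack lives in the victim's own resolver settings, the check has to run on the host or its network rather than at the search engine. The script below is an added example and not code from the original post or from Trend Micro: it resolves a list of names through the resolver a host is actually configured to use and through a trusted resolver, and flags names whose answers share no address. The DNS wire-format routines are plain RFC 1035; the domain names, resolver placeholders and sample replies (RFC 5737 documentation ranges) are constructed for the offline demo and encode no ZLOB infrastructure.

```python
"""Resolver-consistency check for ZLOB-style DNS hijacking (added example)."""
import socket
import struct
from typing import Callable, Dict, List, Tuple


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query in wire format (RFC 1035), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(name: str, addrs: List[str], txid: int = 0x1234) -> bytes:
    """Constructed resolver reply: the kind of answer a rogue server sends back."""
    query = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    body = query[12:]  # echo the question section
    for addr in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + body


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):  # bound the walk so a malicious pointer loop cannot hang us
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes, expected_txid: int = 0x1234) -> List[str]:
    """Return the IPv4 addresses in the answer section of a DNS reply."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: unsolicited or spoofed reply")
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def query_udp(server: str, name: str, timeout: float = 2.0) -> List[str]:
    """Ask one resolver directly over UDP/53 (live use; not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)


Resolver = Callable[[str], List[str]]


def find_hijacked(domains: List[str], local: Resolver,
                  trusted: Resolver) -> Dict[str, Tuple[List[str], List[str]]]:
    """Names whose answer from the local resolver shares no address with the trusted one."""
    suspicious = {}
    for name in domains:
        got, want = set(local(name)), set(trusted(name))
        if got and want and got.isdisjoint(want):
            suspicious[name] = (sorted(got), sorted(want))
    return suspicious


if __name__ == "__main__":
    # Offline demo with constructed answers in RFC 5737 documentation ranges.
    TRUSTED = {"www.example.com": ["192.0.2.10"], "search.example.net": ["198.51.100.5"]}
    ROGUE = {"www.example.com": ["192.0.2.10"], "search.example.net": ["203.0.113.7"]}
    print(parse_a_records(build_response("search.example.net", ROGUE["search.example.net"])))
    print(find_hijacked(list(TRUSTED), lambda n: ROGUE[n], lambda n: TRUSTED[n]))
    # Live use: find_hijacked(names, lambda n: query_udp("<configured resolver>", n),
    #                        lambda n: query_udp("<trusted resolver>", n))
```

    A disjoint answer is a lead, not proof: names served through a CDN legitimately return different addresses from different vantage points, so confirm a hit by checking that the locally returned address actually belongs to the site's operator before treating the host's resolver settings as hijacked. The transaction-ID check in `parse_a_records` is the minimum a client should do to reject unsolicited replies.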

    Meanwhile, Trend Micro customers are protected from being victimized by malware and malicious Web sites by the Smart Protection Network. Updates on this developing issue will be posted as soon as they are available.

     



    This week, hundreds of Web sites belonging to customers of Web hosting company iPowerWeb were compromised. The incident shows an interesting mix of hacking, Google index poisoning, and social engineering.

    A malicious third party added extra directories to the hacked Web sites and apparently installed scripts in these new directories that redirect visitors to traffloader.info. That site in turn redirects to sites that attempt to lure Internet users into installing a codec Trojan, a ZLOB Trojan, or rogue antispyware.

    The redirection to the malicious Trojan sites only happens when visitors land on the hacked Web site via a Google search. To get actual traffic to the compromised sites, the hackers poisoned Google's index with tens of thousands of hacked URLs. Yesterday, well-chosen Google queries indeed showed about 60,000 malicious URLs hosted on iPowerWeb customer Web sites.

    One tactic used in poisoning Google's index is that the malicious URLs appear as “normal” SEO (search engine optimization) spam pages to the Googlebot that crawls the sites. Normal Internet users who arrive at the site via a Google search, however, are confronted with a malicious redirection instead. So, here, SEO spam techniques are combined with Trojan infection chains and social engineering.

    The mass compromise might be the result of a security breach of just a few iPowerWeb servers. One possible scenario is that hackers got root permissions on shared Web servers and were therefore able to modify Web server settings. Another scenario is that the hackers installed a Trojan on an iPowerWeb server that is able to tamper with traffic on the local area network. Once such malicious software is installed, all Web sites hosted on different servers in the same local area network may appear compromised from the outside, while the contents of the Web sites on disk were never changed at all: the attacker simply injects malicious code into the network traffic between the Web sites and Internet users. The two scenarios can be told apart by comparing what a server returns over the network with the files actually stored on its disk.

    The danger of these attacks shows the need for continuous scanning of servers at hosting facilities for malicious content such as Trojans and exploits.
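    A scan that only looks at files on disk misses the cloaking described above, because the injected code behaves differently depending on who is asking. The scanner below is an added example, not code from the original post or from iPowerWeb: it fetches the same URL under three request profiles (a direct visit, a Googlebot crawl, and a visitor arriving from a Google search) and flags pages that redirect off-site only for search-referred visitors. The hostnames hacked.example and clean.example and the `simulated_fetch` responses are constructed for the offline demo; traffloader.info is the redirect hop named in the post.

```python
"""Cloaked-redirect scanner for hosted sites (added example)."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlparse


@dataclass
class Reply:
    status: int
    headers: Dict[str, str]
    body: str


Fetcher = Callable[[str, Dict[str, str]], Reply]

# Three ways of asking for the same page; a cloaking script answers each differently.
PROFILES = {
    "direct": {"User-Agent": "Mozilla/5.0"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
    "from_search": {"User-Agent": "Mozilla/5.0",
                    "Referer": "http://www.google.com/search?q=free+video+codec"},
}

# Redirects may be an HTTP 3xx, a meta refresh, or a JavaScript location assignment.
META_REFRESH = re.compile(r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def redirect_target(reply: Reply) -> Optional[str]:
    """Where the reply sends the visitor, or None if it does not redirect."""
    if 300 <= reply.status < 400:
        return reply.headers.get("Location") or reply.headers.get("location")
    for rx in (META_REFRESH, JS_LOCATION):
        m = rx.search(reply.body)
        if m:
            return m.group(1)
    return None


def is_offsite(url: str, target: Optional[str]) -> bool:
    """True when the redirect leaves the site's own hostname (relative URLs stay on-site)."""
    if not target:
        return False
    host = (urlparse(url).hostname or "").lower()
    target_host = (urlparse(target).hostname or host).lower()
    return target_host != host


def scan_url(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch one URL under every profile and classify the redirect behaviour."""
    targets = {name: redirect_target(fetch(url, headers)) for name, headers in PROFILES.items()}
    offsite = {name: is_offsite(url, t) for name, t in targets.items()}
    if offsite["from_search"] and not offsite["googlebot"]:
        verdict = "cloaked_redirect"  # crawler sees spam, search visitors get bounced
    elif any(offsite.values()):
        verdict = "redirect"
    else:
        verdict = "clean"
    return {"verdict": verdict, "targets": targets}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as HTTPError instead of following it


def http_fetch(url: str, headers: Dict[str, str], timeout: float = 10.0) -> Reply:
    """Live fetcher for real scans (not used by the offline demo)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Reply(resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Reply(err.code, dict(err.headers), err.read(65536).decode("utf-8", "replace"))


def simulated_fetch(url: str, headers: Dict[str, str]) -> Reply:
    """Constructed stand-in for a compromised host behaving as the post describes."""
    if urlparse(url).hostname == "hacked.example":
        if "google." in headers.get("Referer", ""):
            return Reply(302, {"Location": "http://traffloader.info/in.cgi?2"}, "")
        if "Googlebot" in headers.get("User-Agent", ""):
            return Reply(200, {}, "<html>free codec download codec free codec ...</html>")
    return Reply(200, {}, "<html><body>Welcome to our site</body></html>")


if __name__ == "__main__":
    for u in ("http://hacked.example/extra/page.html", "http://clean.example/"):
        print(u, scan_url(u, simulated_fetch))
    # Real scan: scan_url("http://<customer site>/<new directory>/", http_fetch)
```

    Run against a hosting estate, the list of URLs to check comes from the same place the attackers got theirs: newly created directories on customer sites and search-engine queries for the spam terms. Pair the wire-level result with a hash of the file on disk to distinguish modified content from traffic injected on the network.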

     



    Yesterday, the infamous Russian Business Network (RBN) dropped off the Internet at around 7 PM PST. Since then, RBN's IP addresses can no longer be reached because they are no longer routed. The upstream providers that gave RBN its Internet connectivity may have terminated services to their problematic customer, temporarily or (hopefully) even permanently. Trend Micro will continue to monitor closely whether RBN remains down.

    The Russian Business Network is notorious for hosting large amounts of malware and Web browser exploits. These threats have been injected into thousands of legitimate Web sites. Customers of RBN abuse the latest exploits for their nefarious purposes; the most recent example is a security issue in Adobe's Acrobat Reader that was fixed only a few weeks ago.

    That RBN currently has no Internet connectivity means the Web is a somewhat safer place today. Unfortunately, this may not last: RBN may find new upstream providers. Moreover, in recent weeks Trend Micro has seen equivalents of RBN pop up in Turkey and Taiwan. These hosting providers seem to have the same kind of customer base as RBN. Thus, even if RBN drops off the Internet permanently, its customers might find a new home soon. TrendLabs is also closely monitoring activity in these new suspicious networks.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice