    Author Archive - Fernando Mercês (Senior Threat Researcher)

    Home routers can be used to steal user credentials, and most people just don’t know it yet. Bad guys have found ways to use Domain Name System (DNS) changer malware to turn the most inconspicuous network router into a vital tool for their schemes.

    We already know that routers are sometimes found with malicious DNS server settings. In this scenario, the malware tampers with the router's DNS settings: when the user tries to visit a legitimate banking website, or any other page the attackers have chosen, the rogue resolver answers with the address of a malicious copy of that page. This lets cybercriminals steal account credentials, PINs, passwords and so on.

    We've seen a growing number of related malicious sites in Brazil (nearly 88% of all infections), the United States, and Japan. These sites run a browser script that performs a brute-force attack against the victim's router from inside the local network. Once it has working credentials for the administration interface, the script sends a single HTTP request to the router that replaces the configured DNS server with a malicious one. At that point the infection is complete: apart from the browser's temporary files, nothing is written to the victim's machine, no persistence mechanism is needed, and nothing on the machine visibly changes.

    Modified DNS settings mean users do not notice that they are browsing clones of trusted sites. Users who keep the router's default credentials are highly exposed to this kind of attack.

    Brute-force attacks possible with DNS router malware

    DNS is the Internet standard for mapping domain names to IP addresses. It acts like a phone book that translates human-friendly host names into the numeric addresses machines use. Cybercriminals write DNS changer malware to modify the DNS settings of a system. We previously discussed DNS changer malware in 2011, when it infected more than 4,000,000 computers that were used as Esthost bots; we took part in that botnet's takedown in Operation Ghost Click.

    Internet users commonly take DNS for granted because DNS servers are usually assigned automatically by their ISPs, and since resolution usually works as expected, there is no reason to suspect otherwise.

    DNS settings work like signposts that tell your browser where to go. With a DNS changer infection, the signs are switched without you noticing. Even if you observe proper security practices, typing the correct URL of your bank's website, logging in with a strong password and logging out when you are done, if the malware made its subtle redirection before your transaction, chances are your data would be stolen.

    While this type of malware is not new, we have been seeing a growing number of links in phishing attacks in Brazil. These serve as entry points for a script, which we detect as HTML_DNSCHA, that performs a brute-force attack against the router from inside the local network. Because the script runs in the user's browser, the DNS-changing request travels from the user's machine to the router as ordinary internal traffic. Admins looking for external attacks in firewall or router logs will therefore find nothing; the only trace is a burst of HTTP login attempts against the router's administration interface from an internal address, which few home routers log at all.

    Brute-force attacks succeed because router owners are notorious for leaving the administration password blank or at the factory default, and the default credentials for popular router brands are readily available online.

    Once it has access to the administration interface, the script sends a single HTTP request to the router carrying a malicious DNS server IP address to replace the current one; that one request is all the cybercriminal needs to control name resolution for every device behind the router from then on. Apart from the browser's temporary files, no other files are created on the victim machine, no persistence technique is needed, and from the user's point of view there is not a single clue that anything has changed.

    In fact the victim can navigate to any website as usual. But when the victim visits a site of interest to the cybercriminals, say the banking website from our earlier example, the victim actually sees a clone of the original, carefully designed to harvest the victim's credentials.


    One of the samples we studied captures the victim's external IP address. The part of the source code that does this is shown in the screenshot below:

    Figure 1. The source code above shows how victims’ IPs are captured

    The script tries to guess both the router's IP address and the administration credentials. A single script supports several device models; the same sample targets D-Link and TP-LINK ADSL routers, both very common in Brazil. The following image shows the source code responsible for the brute-force part:

    Figure 2. The source code above shows brute force routines

    The script tries to reach the router at class A and class C private addresses (the 10.0.0.0/8 and 192.168.0.0/16 ranges that home routers are usually configured with) and also at the external (public) IP captured earlier, which presumably catches routers that expose their administration interface on the WAN side as well. It is easy to see that this type of attack relies on routers being left at their default settings.

    Victim profiles

    As previously mentioned, the majority of routers affected by this threat are in Brazil. The data shown below is the number of hits on the redirected URLs served by the malicious DNS servers.

    Figure 3. Majority of affected routers are from Brazil

    Some of the redirected sites we noted are mobile-ready. Once a router's DNS settings are changed, every device on that network is exposed, mobile devices included, because they typically all receive the router's DNS server via DHCP.

    The attack need not be limited to online banking fraud. It is especially dangerous for Internet of Things (IoT) or smart devices, since cybercriminals can just as easily poison the DNS names of the authentication or feedback websites those devices talk to and steal the users' credentials; a device that does not validate TLS certificates has no way to notice the substitution.

    Best Practices

    To prevent this attack and other router-centric ones, we strongly recommend that users configure their routers to:

    • Use strong passwords for all user accounts.
    • Use a LAN IP address other than the default.
    • Disable remote administration features.

    It is a good idea to periodically audit the router's DNS settings and to pay attention to visited websites that require credentials (e-mail providers, online banking, etc.): they must all present a valid SSL/TLS certificate for the expected domain. Changing DNS alone does not give the attacker a certificate that browsers trust for the bank's real domain, so a clone reached through poisoned DNS is normally served over plain HTTP or triggers a certificate warning; treat either as a red flag rather than clicking through. Another useful preventive measure is a browser extension such as NoScript that blocks scripts before they execute, since the router attack itself is nothing more than a script on a web page.

    For investigators and network administrators, I wrote a simple UNIX shell script that takes a list of well-known domains (e-mail providers, online banking, etc.) and a suspicious DNS server address as input, defaulting to the system's configured DNS server. The script sends a query for each domain to a public DNS server (Google's) and another to the suspicious server, then compares the answers. If they differ, that can be an indicator that the suspicious DNS server is indeed malicious.
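    The following is an added example of such a comparison script, written for this page; it is not the script from the original post. It assumes `dig` is installed, uses 8.8.8.8 as the trusted public resolver, falls back to the first `nameserver` in /etc/resolv.conf when "-" is given as the suspect server, and ships with a placeholder domain list that you should replace with the banks and mail providers relevant to your investigation.

```shell
#!/bin/sh
# dnscheck.sh: compare what a trusted public resolver and a suspect resolver
# answer for a list of credential-bearing domains.
# Assumptions (hypothetical, not from the original post): `dig` is installed,
# 8.8.8.8 is the trusted resolver, and the default domain list is a placeholder.

TRUSTED_DNS="${TRUSTED_DNS:-8.8.8.8}"
DEFAULT_DOMAINS="www.google.com mail.google.com www.facebook.com"

# First nameserver from /etc/resolv.conf, used when the suspect server is "-".
system_dns() {
    awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf 2>/dev/null || true
}

# A records for domain $1 as answered by resolver $2, one per line, sorted.
# Only dotted quads are kept so CNAME lines do not pollute the comparison.
resolve_a() {
    dig +short +time=3 +tries=1 A "$1" "@$2" 2>/dev/null \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | sort -u
}

# Return 0 when two newline-separated answer sets are identical after
# normalisation (blank lines dropped, sorted, de-duplicated), 1 otherwise.
answers_match() {
    a=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
    b=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
    [ "$a" = "$b" ]
}

# Check one domain against the suspect resolver $2. Prints OK / DIFF / NOANSWER
# and returns 0 / 1 / 2 respectively.
check_domain() {
    domain=$1
    suspect=$2
    trusted_ans=$(resolve_a "$domain" "$TRUSTED_DNS")
    suspect_ans=$(resolve_a "$domain" "$suspect")
    if [ -z "$suspect_ans" ]; then
        printf 'NOANSWER %s\n' "$domain"
        return 2
    fi
    if answers_match "$trusted_ans" "$suspect_ans"; then
        printf 'OK       %s\n' "$domain"
        return 0
    fi
    printf 'DIFF     %s trusted=[%s] suspect=[%s]\n' "$domain" \
        "$(printf '%s' "$trusted_ans" | tr '\n' ' ')" \
        "$(printf '%s' "$suspect_ans" | tr '\n' ' ')"
    return 1
}

# Usage: dnscheck.sh <suspect-dns-ip|-> [domain ...]   ("-" = system resolver)
main() {
    suspect=$1
    shift
    [ "$suspect" = "-" ] && suspect=$(system_dns)
    if [ -z "$suspect" ]; then
        echo "no suspect DNS server given and none found in /etc/resolv.conf" >&2
        return 2
    fi
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    domains=${*:-$DEFAULT_DOMAINS}
    bad=0
    for d in $domains; do
        check_domain "$d" "$suspect" || bad=$((bad + 1))
    done
    echo "$bad domain(s) differ from $TRUSTED_DNS or are unanswered by $suspect"
    [ "$bad" -eq 0 ]
}

# Only run when invoked with arguments, so the functions can be sourced alone.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

    Run it as `sh dnscheck.sh 192.0.2.53 www.mybank.example` (the address is a placeholder) or `sh dnscheck.sh -` to test whatever resolver the machine currently uses. A DIFF line is an indicator, not proof: CDN-fronted and geo-balanced domains legitimately return different addresses to different resolvers, so confirm a hit by connecting to the suspect address with `openssl s_client -connect ADDR:443 -servername DOMAIN` and checking whether the certificate presented is actually for that domain. A resolver that returns the trusted answer for everything except a handful of banks is the pattern this attack leaves.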

    Related hashes (HTML_DNSCHA.SM):

    • b7f2d91a1206b9325463e7970da32a0006a3ead5
    • 92b62f4a5bcf39e2b164fb5088b5868f54fa37b0
    • 48dbea87e50215504d3f5b49f29ecc4f284c6799
    • af6398ea2ade1ec6d3b3f45667f774008593a59f
    • 07a97f34b73c4525c65dabe1de15340e31d3353a
    • 86363fcf087c5d5a6830b7c398a73ea3fa4ee961
    • 62a2f5f5c6dd075c2dc3c744273fc8689e2e1e5f
    • 321f4ba49d978c7d2af97b2dc7aab8b40c40d36e

    Malicious DNS servers:


    Updated May 30, 2015, 4:32 AM PST

    This entry was updated for technical accuracy.


    In our monitoring of the global threat landscape, we tend to notice that countries sometimes are affiliated with a particular cybercriminal activity. One classic example is Brazil, which is known for its association with banking malware. As we noted in a previous blog entry, “[0]nline banking theft is especially rampant in the country, whose history of hyperinflation has once led to an early adoption of online financial systems and a large online banking community.” However, we felt like something was missing. What would explain the growth of these activities in Brazil?

    Several factors may have contributed to this growth. For example, Brazil lacks concrete cybercrime laws, and its law enforcement agencies have limited resources to address cybercrime. Additionally, the technological and consumer landscape in Brazil, with a 50% Internet penetration rate and a 69% credit card penetration rate, makes the country all too appealing for cybercriminals.

    However, another factor may also have contributed to Brazilian cybercrime: the existence of a flexible underground market with varied offerings, ranging from banking Trojan development to online fraud training. The latter is highly notable, as it is the most distinctive item in the market and one that may not be found in other underground markets.

    In Brazil, it’s possible to start a new career in cybercrime armed with only US$500. Would-be cybercriminals are supported and helped by tools, forums, and experts from the dark side of the Internet. These bad guys do not fear the authorities and their groups get bigger in a short span of time.

    These criminals use a wide array of tools and services for their communication. These include IRC channels, Deep Web forums, and private servers. Social networks and encrypted text chat software, including those for mobile, are also heavily used by the bad guys. In short, cybercrime communication is made easy, which makes law enforcement efforts more difficult.

    Figure 1. A sample post in an underground forum, translates to “Can anyone help me with credit card stealing? I’d like to start working on this.”

    Our paper, “The Brazilian Underground Market: The Market for Cybercriminal Wannabes?,” discusses at length the tools and services sold in the Brazilian black market. The paper also talks about the characteristics that set it apart from other underground markets. For example, Russian and Chinese cybercriminals hide in the deep recesses of the Web and use tools that ordinary users do not such as Internet Relay Chat (IRC) channels. Meanwhile, Brazilian cybercrooks use more popular means like Facebook, YouTube, Twitter, Skype, and WhatsApp for organizing and advertising.

    Another key feature of Brazilian online threats is that they mostly target local victims. These threats are developed locally, sold to local criminals, and used to target fellow Brazilians. Because of this ‘localization’ there is no good way to get threat intelligence unless we immerse ourselves in the Brazilian landscape.

    By providing information on the kinds of threats or attacks offered by the Brazilian underground, we hope to help companies and users to defend themselves. We also aim to help law enforcement agencies and researchers get intelligence on cybercrime operations.

    This is part of the Cybercrime Underground Economy Series of papers, which take a comprehensive view of various cybercrime markets from around the world.

    Posted in Malware | Comments Off on Localized Tools and Services, Prominent in the Brazilian Underground

    Earlier this year we discussed how Gizmodo’s Brazilian site was compromised and used to spread online banking malware to approximately 7,000 victims in a two-hour span. The site was compromised via WordPress plugin vulnerabilities that allowed the attacker to add a script that redirected users to a second compromised site, which eventually led users to download the malware.

    These types of attacks are unfortunately common, but the underlying details may not be clear to everyone. Attacks like these are quite capable of delivering different payloads to users depending on the configuration of the target system.

    For example, in this attack, Firefox and Internet Explorer users were hit with a proxy auto-configuration (PAC) script that redirects some of the user's Internet traffic through a malicious proxy. Chrome users instead got a malicious extension that is actually a copy of BOLWARE, detected as BKDR_QULKONWI.GHR; this particular family targets certain features of Brazilian payment systems in order to carry out fraudulent schemes.

    The video below describes how the attack was carried out. It shows how the site was compromised, the details of the attack, and a demonstration of the capabilities of the payloads (particularly BOLWARE). This will hopefully make users more aware of these threats and help them learn how to avoid them.

    Our previous entries dealing with this topic are:

    The SHA1 hash of BOLWARE mentioned in this post is:

    • cd9efd3652b69be841c2929ec87f3108571bf285
    Posted in Bad Sites | Comments Off on Anatomy of a Compromised Site: 7,000 Victims in Two Hours

    Months ago, Google published a blog post informing Google Chrome users that they can no longer install browser extensions from outside the official Chrome Web Store. The reason: security. By only permitting extensions from the official Chrome Web Store, Google says it can police these extensions in order to keep malicious ones out.

    Unfortunately, such tactics aren’t enough to deter cybercriminals. We have previously reported about a malware that manages to bypass this feature and install a malicious browser extension. We recently found that cybercriminals are also placing their malicious extensions in the official Web Store.

    Spammed Facebook Messages

    The first step of this particular attack begins on social media. A spammed message circulated on Facebook with a link to a video supposedly of drunk girls. Should the recipient click the link, he is redirected to a site mimicking YouTube, where a notification states that a particular Chrome extension must be installed before the video can be viewed.

    Figure 1. Fake YouTube site that requires installation of browser extension

    Should the user proceed, he is redirected to the official Chrome Web Store to download the extension. After installing it, the user is redirected to a real YouTube video of drunk girls, so nothing appears amiss.

    Figure 2. Browser extension is hosted in official Chrome Web Store


    Posted in Malware | Comments Off on Uncovering Malicious Browser Extensions in Chrome Web Store

    At the tail end of July, we wrote about Gizmodo Brazil being compromised by cybercriminals in order to lead visitors into downloading backdoor malware onto their machines. This is of course a very big deal, since it is a large and noteworthy website being hacked into, but it is par for the course for the region: criminals who target Brazilian users typically rely on compromised websites and hosts to serve malware and phishing pages.

    Knowing this, we dug deeper into this incident, and as such, we discovered a bit more about the attack itself and how website administrators may be able to help prevent their own websites from falling victim.

    So, what did we find out? First, we discovered that the attacker used a WordPress vulnerability to access the Swedish server hosting the second compromised website (the one Gizmodo Brazil redirected to) and upload a webshell known as WSO. This is a single PHP file that bundles many functions useful to an attacker (uploading files, running commands, post-exploitation features and so on).

    That the attackers used a WordPress vulnerability should surprise no one by now, since WordPress is currently the most popular CMS globally (used by 22% of the top 10 million websites, according to W3Techs). It is easy to see why the parties responsible chose this attack method.

    We also found a publicly available text file named "contador", Portuguese for "counter", recording the current number of users who had downloaded BKDR_QULKONWI.GHR, the backdoor related to the Gizmodo Brazil attack. As of this writing, the counter stood at approximately 7,000 downloads of the backdoor.

    Do note that we have already notified Gizmodo Brazil about the vulnerable WordPress plugins that the attackers may have used to compromise their main website and plant malicious script code in its index.php file.

    In light of this ruinous attack, all malware, URLs, IP addresses and domains used in or related to this attack have been blocked. Trend Micro security offerings protect our customers and their websites from this threat.

    Additionally, we advise web portal administrators to always keep their WordPress installations current. Pay special attention to new releases of the plugins you use and to the vulnerabilities those releases fix: applying them promptly makes cybercriminals' lives harder.

    We also recommend the following:

    • Use strong passwords for your WordPress users, since usernames are easy for attackers to guess or harvest.
    • Vet theme source code carefully, as attackers often hide webshells there.
    • Consider disabling PHP functions that are not in use and will not be needed (the disable_functions directive in php.ini).
    • Watch for recently created files, especially those owned by the account the web server runs as (normally www-data on LAMP stacks): PHP code that writes new files into the web root is a sign of an attack in progress.
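    The last recommendation, hunting for files the web server account itself wrote recently, is easy to script. The following is an added example written for this page, not code from the original post or from WordPress; it assumes a web root of /var/www, a web server user of www-data and a seven-day window, all of which can be overridden through environment variables, and the list of flagged PHP calls is a starting point rather than a complete signature set.

```shell
#!/bin/sh
# wp-hunt.sh: find files under a web root that the web server account itself
# created or changed recently, then flag the PHP ones that use calls typical of
# webshells. Assumptions (hypothetical, not from the original post): web root
# /var/www, web server user www-data, a 7-day window; all three are overridable.

WEBROOT="${WEBROOT:-/var/www}"
WWW_USER="${WWW_USER:-www-data}"
DAYS="${DAYS:-7}"

# PHP calls a legitimate theme or plugin rarely needs but webshells almost
# always use; obfuscated shells are commonly wrapped in
# eval(gzinflate(base64_decode(...))).
SUSPECT_RE='(eval|assert|system|passthru|shell_exec|proc_open|popen|base64_decode|gzinflate|str_rot13)[[:space:]]*\('

# Files under $1 owned by $2 whose inode changed within the last $3 days.
# ctime is used rather than mtime because touch(1) can forge mtime but not ctime.
# A normal deployment writes files as a deploy user, so files owned by the web
# server account were written by PHP itself: a plugin, an upload, or a shell.
recent_www_files() {
    find "$1" -type f -user "$2" -ctime "-$3" 2>/dev/null | sort
}

# Read file paths on stdin and print "path:line:text" for every PHP file line
# matching SUSPECT_RE. /dev/null is passed as a second file so POSIX grep
# always prefixes the file name; "|| true" keeps a non-matching file from
# aborting the loop under set -e.
flag_suspicious_php() {
    while IFS= read -r f; do
        case "$f" in
            *.php|*.phtml|*.php5|*.inc) ;;
            *) continue ;;
        esac
        grep -nE "$SUSPECT_RE" "$f" /dev/null || true
    done
}

main() {
    echo "# files under $WEBROOT owned by $WWW_USER changed in the last $DAYS day(s):"
    recent_www_files "$WEBROOT" "$WWW_USER" "$DAYS"
    echo "# PHP files among them with webshell-style calls:"
    recent_www_files "$WEBROOT" "$WWW_USER" "$DAYS" | flag_suspicious_php
}

# Run the scan only when asked, so the functions can be sourced on their own.
if [ "${1:-}" = "--scan" ]; then
    main
fi
```

    Run it as `WEBROOT=/srv/www sh wp-hunt.sh --scan` on the suspect host. Expect some noise from the uploads directory and from caching plugins that legitimately write PHP; the items worth pulling for analysis are files in unexpected places (uploads, theme directories, the document root) whose flagged lines decode or execute data taken from `$_POST`, `$_GET` or `$_COOKIE`. Pair the scan with the disable_functions recommendation above: with system, passthru, shell_exec, proc_open and popen disabled in php.ini, a planted shell that depends on them fails even before you find it.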

    We also found another hash involved in this attack:

    • 7d8875aeecf47b959ebd611ddc10076453d4f552
    Posted in Bad Sites, Exploits, Vulnerabilities | Comments Off on More Details Regarding the Gizmodo Brazil Compromise


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice