    Author Archive - Trend Micro




    I write today on behalf of Bob McArdle, who just discovered a new twist in the Storm Trojan distribution email:

    There is a new wave of the now infamous Storm Worm doing the rounds. This time the mail attempts to convince users to download a program that is currently undergoing Beta Testing. In return the helpful victim receives their own Free Edition (lucky them) and from 5 years to a lifetime of free updates.

    Oh, and their computer joins a massive P2P botnet and starts generating massive amounts of spam to help spread the worm… still, no beta software comes without the odd bug.

    Here are 2 samples of the mail:

    From:
    [REMOVED]
    To:
    [REMOVED]
    Subject:
    We need you
    Please give us a hand with our new software development Investment
    Developer

    This beta testing will help prepare us for market release. For helping
    out, you will receive a free edition and 5 years of updates.

    Simply download the software. Try it out for one week. Email us what you
    think of it. If you want to participate, just follow the link to our
    download site: http://71.233.[REMOVED].[REMOVED]/setup.exe

    From:
    [REMOVED]
    To:
    [REMOVED]
    Subject:
    Can you help us out?
    Would you consider helping us with your opinion of our new program
    Investment Developer

    This beta testing will enable us to fine tune the software for public
    release. All beta testers will receive a free copy of the final version
    and free updates for life.

    Just download the program, Check it out, and let us know your opinion.
    Ready to be a beta tester? Just follow the link to our easy download
    center: http://61.73.[REMOVED].[REMOVED]/setup.exe

    The keywords to look out for to avoid this threat are “Beta Testing” and “setup.exe”. Interestingly, if you visit the actual URL that setup.exe is being hosted on, it still displays the last generation of YouTube-related attacks. Looks like the Storm crew are getting sloppy.
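A small mail triage rule built on the indicators named above (a "beta testing" lure combined with a link to a setup.exe hosted on a bare IP address). This is an added example, not code from the original post or from Trend Micro; the two sample messages are constructed, loosely modelled on the lures quoted above, and use a documentation-range IP in place of the redacted addresses.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample messages (not the original mails); 192.0.2.10 is a documentation address.
SAMPLE_MAILS = {
    "beta_lure": (
        "Subject: We need you\n"
        "This beta testing will help prepare us for market release. For helping out,\n"
        "you will receive a free edition and 5 years of updates.\n"
        "Just follow the link to our download site: http://192.0.2.10/setup.exe\n"
    ),
    "benign": (
        "Subject: Meeting notes\n"
        "The slides from today are at https://intranet.example.com/docs/notes.pdf\n"
    ),
}

# Phrases taken from the lure text above; extend this list as new variants appear.
LURE_PHRASES = ("beta testing", "beta tester", "free edition", "free updates")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_literal_ip(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_mail(text):
    """Return the list of reasons a message looks like a Storm-style lure."""
    reasons = []
    lowered = text.lower()
    phrases = [p for p in LURE_PHRASES if p in lowered]
    if phrases:
        reasons.append("lure phrases: " + ", ".join(phrases))
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.path.lower().endswith(".exe"):
            reasons.append("executable download link: " + url)
        if host_is_literal_ip(host):
            reasons.append("link hosted on bare IP address: " + host)
    return reasons


def is_suspicious(text):
    """Flag only when a lure phrase and an executable link occur together, to limit false positives."""
    reasons = triage_mail(text)
    has_lure = any(r.startswith("lure phrases") for r in reasons)
    has_exe = any(r.startswith("executable download") for r in reasons)
    return has_lure and has_exe


if __name__ == "__main__":
    for name, body in SAMPLE_MAILS.items():
        print(name, is_suspicious(body), triage_mail(body))
```

The rule deliberately requires both indicators before flagging; a lone .exe link or a lone "free updates" phrase is common in legitimate mail, while the combination with a bare-IP host is the pattern the two samples share.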



    Sep 3, 12:01 pm (UTC-7)

    Written by Feike Hacquebord and Chenghuai Lu



    Recently we discussed in some detail a collection of rogue DNS servers, which are related to Zlob Trojans [1]. Here we present additional evidence that these rogue DNS servers are used for fraud with pay-per-click services and for unauthorized personal and confidential information disclosure.

    DNS

    Domain Name System servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Normally, when an Internet user types a Web address in the address bar of his Internet browser, “www.google.com” for example, a DNS server resolves that domain name to an IP address that is hosting the Google Web page. In this way, his computer knows where to fetch www.google.com. If a user mistypes the domain, e.g. “wwe.google.com”, the DNS server fails to resolve the domain and the user gets an error message.

    Most Internet users automatically use the DNS servers of their ISP. DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and they translate certain domains to fallacious IP addresses. As a result, victims are redirected to possibly malicious Web sites without them noticing it.

    Rogue DNS servers can silently monitor the browsing habits of infected users for a long time because modified DNS server settings on victims’ computers may remain unnoticed when the rogue DNS servers work properly and do not drop requests. Apart from click fraud and personal information theft, controllers of rogue DNS servers can therefore launch very specific targeted attacks by giving different DNS replies to different infected users at different times.

    Network of 600+ rogue DNS servers

    Here we focus on a network of more than 600 (apparently) identical rogue DNS servers whose IP addresses are hardcoded in DNS-changing malware. As far as we know, all of these DNS servers get their Internet connectivity from the US-based hosting companies Intercage and Pilosoft. It has been reported that the spread of the corresponding DNS-changing Trojans shows remarkably advanced technical and social engineering tricks [4,2].

    The rogue DNS servers exhibit interesting behavior. We found that the DNS servers resolve most domains correctly at the times we queried them. However, they show deviating behavior as well, such as:


    1. Domains with typos (non-existent domain names) are resolved to IP addresses by the rogue DNS servers, where a normal DNS server gives back an error message.
    2. Some domain names known for hosting malware and C&C servers are resolved differently.
    3. A number of parked domain names are resolved differently.
    4. Some sub domain names used by advertising companies for registering clicks are resolved to foreign servers. This makes click fraud possible.
    5. Sub domains of some popular dating sites are resolved differently. This may lead to leaking of confidential information.



    Typos

    For non-existent domain names, the 600+ rogue DNS servers do not return the usual error message but they instead resolve the domain names to a malicious IP address. Whenever an infected user mistypes a domain name in his browser, he is shown adult Web sites. See [1] for details.
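A check for the first behaviour in the list above (a resolver that answers a name that should not exist). This is an added example, not code from the original article: it builds a DNS A query in wire format, parses the answer section of the reply, and classifies a reply that carries an address for a non-existent name as suspicious. The two responses below are constructed packets (one honest NXDOMAIN, one hijacked answer pointing at documentation address 192.0.2.55); `udp_query` is the only part that touches the network and is not used by the offline demo.

```python
import socket
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard recursive A/IN query: header (RD set, one question) plus the question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Extract the RCODE and all A records from a DNS reply."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):                # skip question name, QTYPE and QCLASS
        offset = skip_name(data, offset) + 4
    addresses = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addresses.append(".".join(str(b) for b in rdata))
    return {"rcode": rcode, "addresses": addresses}


def classify_resolver(response):
    """A name that must not exist should come back as NXDOMAIN (RCODE 3) with no addresses."""
    parsed = parse_response(response)
    if parsed["rcode"] == 3 and not parsed["addresses"]:
        return "ok: NXDOMAIN"
    if parsed["addresses"]:
        return "suspicious: nonexistent name resolved to " + ", ".join(parsed["addresses"])
    return "inconclusive: rcode %d" % parsed["rcode"]


def udp_query(resolver_ip, name, timeout=3.0):
    """Send the query to a real resolver over UDP/53 (network helper, unused in the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        return sock.recv(4096)


# Constructed replies to a probe for the mistyped name used in the article.
PROBE = "wwe.google.com"
QUESTION = encode_name(PROBE) + struct.pack(">HH", 1, 1)
# flags 0x8183: response, RD, RA, RCODE=3 (NXDOMAIN); no answer records
NXDOMAIN_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
# flags 0x8180: response, RD, RA, RCODE=0; one A record (name compressed to offset 12)
HIJACKED_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 55])
)

if __name__ == "__main__":
    print("honest resolver:", classify_resolver(NXDOMAIN_RESPONSE))
    print("rogue resolver: ", classify_resolver(HIJACKED_RESPONSE))
```

To audit a live host, pass the resolver from its network settings to `udp_query` with a random, clearly non-existent label under a domain you control; some ISP resolvers also answer NXDOMAIN with a search-page address, so compare the returned address against a known reference resolver before concluding the machine is infected.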

    Clicks generated by other malware

    Another interesting thing we found is that the 600 rogue DNS servers hijack some known bad domain names that host malware or C&C servers. Resolving bad domain names differently has the result that other malware, which might be present on the victim’s computer, may work in another way than they were originally designed. In particular, a built-in update function of a Trojan that polls a Web site for updates may now generate automated clicks on adult Web pages. See [1] for more details.

    Parked domain names

    Parked domain names are inactive Web sites with no real content except for advertisements. Specialized companies have thousands of these parked domain names. Because of the large volume, parked domains may get substantial traffic from Internet users who attempt to visit an old and no longer existing Web page or who mistype domain names.

    The network of 600+ rogue DNS servers appears to resolve a number of parked domain names differently, so that infected users cannot load advertisements of the companies who own the parked domains. Instead, the infected users are shown advertisements from a foreign Web site.

    We have seen that parked domains owned by Sedoparking, Hitfarm, Domainsupport and Fastpark get resolved to foreign IP addresses by the 600+ rogue DNS servers.

    Click fraud through a sub domain vulnerability

    Some advertising companies use several sub domains to register clicks that get generated by Web sites, which show advertisements to their visitors. Whenever a user loads an advertisement, the click gets registered by e.g.

    http://[subdomain1].foo.com/click.php?affiliate=[website A]

    or

    http://[subdomain2].foo.com/click.php?affiliate=[website A]

    In both cases, the owner of Web site A gets paid for the click by the advertising company.

    The controller of a rogue DNS server can take advantage of the use of multiple sub domains by resolving one of the domains to a foreign IP address. The foreign server changes the affiliate tag and redirects the victim to another sub domain, which gets resolved normally. The end result is that the click is registered as if it was generated by another Web site.

    We have seen this kind of click fraud targeting advertising companies like Ccbill Inc, ValueClick Media (Fastclick.net), WP Associates (Webpower.com), Alexa, Penthouse Media Group Inc. and a number of pornography distributors. See the table presented below.


    [Image: table1.gif]

    Table 1: Whenever a user infected with a Zlob-related DNS changer Trojan loads an advertising link pointing to, for example, refer.ccbill.com, he gets directed to the foreign IP address 216.255.180.182. The foreign server changes the tracking tags and then lets the user load an advertising link at ref.ccbill.com with the tracking tags changed.
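One server-side mitigation for the tag-swapping described above: the advertising company signs the affiliate tag into the click URL with a keyed HMAC, so a click that arrives on any of its sub domains with an altered tag fails verification instead of being credited. This is an added example, not code from the original article or from any of the companies named; the host name, secret key and `rewrite_affiliate` tamper simulation are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical ad-network key for the demo; in production it comes from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def sign_fields(fields, key=SERVER_KEY):
    """HMAC-SHA256 over a canonical (sorted) rendering of the tracking fields."""
    canonical = "&".join("%s=%s" % (k, fields[k]) for k in sorted(fields))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def make_click_url(affiliate, campaign, host="click.example-adnet.test", key=SERVER_KEY):
    """Issued by the ad network to Web site A; the nonce makes every link unique."""
    fields = {"affiliate": affiliate, "campaign": campaign, "nonce": secrets.token_hex(8)}
    fields["sig"] = sign_fields(fields, key)
    return urlunsplit(("https", host, "/click.php", urlencode(fields), ""))


def verify_click_url(url, key=SERVER_KEY):
    """Return the affiliate to credit, or None when the tags do not match the signature."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = {k: v[0] for k, v in query.items()}
    sig = fields.pop("sig", None)
    if sig is None:
        return None
    if not hmac.compare_digest(sig, sign_fields(fields, key)):
        return None
    return fields.get("affiliate")


def rewrite_affiliate(url, new_affiliate):
    """Tamper simulation: swap the affiliate tag the way the foreign server in Table 1 does."""
    parts = urlsplit(url)
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fields["affiliate"] = new_affiliate
    return urlunsplit(parts._replace(query=urlencode(fields)))


if __name__ == "__main__":
    link = make_click_url("websiteA", "spring-campaign")
    print("original  ->", verify_click_url(link))
    print("tampered  ->", verify_click_url(rewrite_affiliate(link, "websiteB")))
```

The signature does not stop a rogue resolver from sending the victim to a foreign server in the first place, but it removes the payout: a forwarded click whose affiliate tag was rewritten is rejected, and the nonce lets the click server also discard replays of an unmodified link.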

    More dangerous applications of rogue DNS servers

    So far we gave examples where rogue DNS servers are used for click fraud. Rogue DNS servers can be used for more harmful attacks like stealing personal information.

    We found that Internet users of a number of popular dating sites are vulnerable to leaking personal information to third parties when they are infected with DNS-changing malware. The popular dating site Friendfinder accepts login information on both friendfinder.com and www.friendfinder.com. The 600+ rogue DNS servers appear to make use of this by resolving friendfinder.com to a foreign IP address and www.friendfinder.com normally. An Internet user who wants to log in on the dating site usually sends his login information to http://friendfinder.com/p/login.cgi. When he is infected with a DNS-changing Trojan, his login information is sent to a foreign copy of friendfinder.com. The foreign server accepts the login information and redirects the user to www.friendfinder.com. This has the effect that the personal login information of victims gets leaked to an unknown third party without the victims noticing it.

    The affected dating sites claim to have tens of millions of registered users. Login information of these registered users is probably valuable for social engineering and targeted attacks.


    [Image: dnsServer1.gif]

    Figure 1. An Internet user infected with a DNS changer Trojan visits a Web site. Advertisements on the web site are fetched via a malicious foreign server instead of directly from an ad server. The foreign server changes ad tags so that the wrong party gets paid for showing the advertisement.


    [Image: dnsServer2.gif]

    Figure 2. An Internet user infected with a DNS changer Trojan logs in on friendfinder.com. The login information is sent to a foreign server. This foreign server sends the login info to www.friendfinder.com, so that the infected user does not notice he has leaked his personal information to a third party.

    Conclusion

    Rogue DNS-changing Trojans and their corresponding rogue DNS servers are serious threats for Internet users. In this article, we gave concrete examples of how a collection of 600 rogue DNS servers is being used for click fraud and personal information theft. The fact that there is a large cluster of well-connected identical rogue DNS servers and the advanced methods to spread the DNS-changing malware strongly suggest that bad guys are making a lot of profit by deploying their rogue DNS servers.

    References:



    Aug 17, 9:58 am (UTC-7)

    Note that this entry was first posted on March 27, 2007.

    We’ve received a very interesting write-up from our associates, Feike Hacquebord and Chenghuai Lu, regarding rogue DNS servers. I’m sure you’ll find the report below quite informative.

    Rogue DNS Servers

    Researchers of Trend Micro have identified a network of more than 115 rogue DNS servers, which are used by DNS-changing Trojans. This article describes the threats posed by these rogue DNS servers.

    DNS

    Domain Name System servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Normally, when an Internet user types a web address in the address bar of his Internet browser, www.google.com for example, a DNS server resolves that domain name to an IP address that is hosting the Google webpage. In this way, his computer knows where to fetch www.google.com. If a user mistypes the domain, e.g. wwe.google.com, the DNS server fails to resolve the domain and the user gets an error message.

    Most Internet users automatically use the DNS servers of their ISP. DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and translate certain domains to fallacious IP addresses. As a result, victims are redirected to possibly malicious websites without them noticing it. For example, if a user wants to view www.google.com, a rogue DNS server may resolve www.google.com to an IP address controlled by an unknown third party. If that third party creates pages that look exactly like those of Google, the user might think that he is indeed browsing Google, without noticing that he is actually visiting a website controlled by somebody other than Google. This may cause the user to leak sensitive information to third parties.

    Network of 115+ rogue DNS servers

    Researchers of Trend Micro have identified a network of more than 115 rogue DNS servers that are used by a certain variant of TROJ_DNSCHANG [1]. These DNS servers exhibit interesting behavior. We found that the DNS servers resolve most existing domains correctly at the times we queried them. However, for non-existing domain names, the rogue DNS servers do not return the usual error message but they instead resolve the domain name to a malicious IP address.

    See Figure 1 for an example.

    (1) The DNS query result on wwe.google.com from legitimate DNS server

    (2) The DNS query result on wwe.google.com from a rogue DNS server

    Figure 1. DNS queries on wwe.google.com

    We entered “wwe.google.com” in the address bar of an Internet browser that is using one of the rogue DNS servers to resolve domain names. We found that instead of displaying the usual error message “page not found”, it redirected us to a website that hosts a rogue adult search engine. See Figure 2.

    Figure 2. Result of visiting a non-existent webpage before and after Trojan infection

    Another interesting thing we found is that the rogue DNS servers hijack some known bad domain names that hosted malware or C&C servers. For example, www.toolbarpartner.com is an old infamous bad domain of such kind, which is currently parked. The rogue DNS servers resolve www.toolbarpartner.com to different IP addresses than the authoritative nameservers do. See Figure 3.

    Figure 3. DNS queries on www.toolbarpartner.com from infected hosts

    Resolving bad domain names differently has the result that other malware, which might be present on the victim's computer, may work in another way than it was originally designed. In particular, a built-in update function that polls a website for malware updates may now generate automated clicks on adult webpages (click fraud). In our example, attempts to fetch malware updates from www.toolbarpartner.com on a computer infected with the DNS-changing Trojan we are discussing in this article do indeed result in clicks on adult webpages.

    Apparently, the rogue DNS servers are used for click fraud. The fact that there are more than 115 rogue DNS servers that are all identical suggests that there are a lot of victims infected with this particular kind of DNS-changing malware. The infected computers together form a large network that can generate a lot of traffic to any website.

    The rogue DNS servers include, but are not limited to, these addresses:

    References:

    TROJ_DNSCHANG.BM



    Aug 17, 7:27 am (UTC-7)

    A multi-component malware currently detected by Trend Micro as TROJ_DROPPER.CIY drops and executes svchost.exe, detected as TSPY_ONLINEG.DRX, in the folder %Programfiles%Common Files. In the same directory it also drops setup.exe, a WinPcap package consisting of npf.sys, wanpacket.dll, packet.dll and wpcap.dll, all of which are needed to talk directly to the affected user's NIC.



    So where’s the catch? Putting all the pieces together, what we have is an infostealer and files capable of meddling with network devices. This can cause quite a stir since the dropped malware makes use of ARP poisoning by redirecting network traffic to the compromised system as a means to collect sensitive information such as user names and passwords.
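A minimal ARP watcher of the kind a network defender would run to spot the poisoning described above: it parses Ethernet/ARP frames, keeps an IP-to-MAC table (optionally pinned for the gateway) and raises an alert when a frame claims an already-known IP with a different hardware address. This is an added example, not code from the original post or the sample analysed; the two frames below are constructed, with documentation-range IPs and made-up MAC addresses, and `build_arp_frame` exists only to produce them.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": oper, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa), "target_ip": ip_str(tpa)}


class ArpWatch:
    """Tracks sender IP/MAC pairs and flags a change of MAC for an IP already seen or pinned."""

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})   # ip -> mac
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac          # first sighting: learn it
            return None
        if known != mac:
            alert = "%s changed from %s to %s (ARP op %d)" % (ip, known, mac, arp["op"])
            self.alerts.append(alert)
            return alert
        return None


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a demo ARP frame (helper for the example only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp


# Constructed traffic: the real gateway answers, then another host claims the gateway's IP.
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "aa:bb:cc:00:00:01"
VICTIM_MAC, ROGUE_MAC = "aa:bb:cc:00:00:42", "02:00:00:00:00:99"
LEGIT_REPLY = build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, "192.0.2.42")
SPOOFED_REPLY = build_arp_frame(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, "192.0.2.42")

if __name__ == "__main__":
    watch = ArpWatch(pinned={GATEWAY_IP: GATEWAY_MAC})
    for frame in (LEGIT_REPLY, SPOOFED_REPLY):
        result = watch.observe(frame)
        print("alert:" if result else "ok", result or "")
```

On a real segment the frames would come from a raw socket or a pcap file; pinning the gateway's MAC is what turns a "first sighting" into an alert when the first frame seen is already the poisoned one.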





    [Image: actual capture from infected network]



    It can also insert a very long string of B's into an HTML file, so that some visited sites show minor defacement.






    Sep 20, 9:27 am (UTC-7)

    We’ve just received reports of several sites using the new IE zero-day exploit in conjunction with a Web Attacker kit. Previously, Web Attacker kits were more commonly used with known browser vulnerabilities, many of which were already patched by Microsoft. However, now that it’s being used with the new IE 0-day, a lot more users may be vulnerable to this sort of attack.


    For those who have never heard of Web Attacker kits, they gained quite a bit of media attention earlier this year. A Web Attacker kit is basically a user-friendly, do-it-yourself hacking kit. That particular kit was made available to the public via a Russian-based website for a sinfully low price ranging from 15 to 20 US dollars. Any script kiddie could easily purchase the kit off the Internet and infect computers using the code provided with the kit. After that, all that’s left to be done is to spam messages containing the link to the compromised website.


    This just serves as another heads up. We’re still trying to get more information on this. Hopefully more will be available soon. Stay tuned for updates!


