We’ve previously discussed how difficult it is to safely connect to networks when on the go. This is particularly true on vacations and holidays, where the availability of Internet access is one of the most important factors when looking for a place to stay. In fact, many holiday lodges and hotels today have made Wi-Fi access an integral part of their offered amenities. With all the fun and relaxation set before you, it is easy to take secure Internet access for granted.
The story below took place in exactly such a situation. While I was on vacation, using the provided Internet access, the Facebook app on my smartphone refused to connect. Other apps and websites worked fine, however.
Trying to access YouTube using the mobile browser resulted in this:
Figure 1. Fake YouTube alert
Obviously, the above warning made no sense on an Android device. What would happen if I tried to access Facebook on a PC, then? The same issue occurred – and an off-guard user might not find it suspicious at all:
Figures 2-3. Fake Facebook alerts
If the user actually clicked the OK button on either of the two messages the following pages would appear:
Figure 4. Fake Internet Explorer update
Figure 5. Fake Adobe Flash Player update
In both pages, there is fine print that says that the sites are not official download pages. However, because of the professional look of these pages, one could be forgiven for being misled.
Clicking on any part of the site results in a malicious file, detected as TSPY_FAREIT.VAOV, being downloaded and run on the affected system. FAREIT malware is typically used to download other threats onto an affected system.
So, how was this done? A little investigation found that the router's DNS settings had been modified so that clients' DNS queries went to a malicious server, which answered lookups for the facebook.com and youtube.com domains with the addresses of the malicious sites instead of the real ones:
Figure 6. DNS replies and settings
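The check that exposes this kind of hijack is simple: resolve the same names through the network's resolver and through a resolver you trust, and look for answers that have nothing in common. The Python below is an added example written for this page, not code from the original post or from Trend Micro. It builds and parses raw DNS A queries (so it does not depend on the operating system's resolver, which is the very thing under suspicion), and compares the answer sets. The sample responses, the domain list and the addresses in them are constructed for the example from the documentation ranges, not taken from the incident; only `query_a` touches the network, and it is not needed to run the offline sample.

```python
import os
import socket
import struct

# Subset of the targeted domains mentioned in the post (constructed list).
TARGETED = ["facebook.com", "youtube.com", "google.com", "bing.com"]


def _encode_name(name):
    """Encode a domain name as DNS labels (length-prefixed, zero-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """Build a minimal recursive (RD=1) DNS query for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(name, ips, txid=0x1234, ttl=300):
    """Constructed A-record response, used only as offline sample data here.
    Answer names use the 0xC00C compression pointer back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        rdata = bytes(int(p) for p in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def _read_name(data, off):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # resume after the 2-byte pointer
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_a_records(resp):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):            # skip the question section
        _, off = _read_name(resp, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(".".join(str(b) for b in rdata))
    return ips


def query_a(resolver, name, timeout=3.0):
    """Send the query over UDP to resolver:53 and return its A records (needs network)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(data)


def find_hijacked(local, reference):
    """local/reference map domain -> list of IPs from the network's resolver and a
    trusted one. Returns domains whose answer sets are disjoint. This is a signal,
    not proof: CDN-backed sites can legitimately answer differently per vantage point."""
    suspicious = {}
    for domain, ref_ips in reference.items():
        local_ips = set(local.get(domain, []))
        if local_ips and local_ips.isdisjoint(ref_ips):
            suspicious[domain] = sorted(local_ips)
    return suspicious


# Constructed sample: the tampered resolver sends facebook.com to an unrelated host,
# while bing.com (not targeted in this sample) matches the trusted answer.
SAMPLE_LOCAL = {
    "facebook.com": parse_a_records(build_response("facebook.com", ["203.0.113.10"])),
    "bing.com": parse_a_records(build_response("bing.com", ["198.51.100.7"])),
}
SAMPLE_REFERENCE = {
    "facebook.com": ["192.0.2.1", "192.0.2.2"],
    "bing.com": ["198.51.100.7"],
}

if __name__ == "__main__":
    print(find_hijacked(SAMPLE_LOCAL, SAMPLE_REFERENCE))
```

On a live network the call would be `find_hijacked({d: query_a(local_dns, d) for d in TARGETED}, {d: query_a("8.8.8.8", d) for d in TARGETED})`, with `local_dns` taken from the DHCP lease. A hit is a reason to inspect the resolver's address and the router's settings, not a conviction on its own.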
The IP address of the malicious DNS server is known to be involved in distributing fake Adobe Flash updates. The IP addresses involved in this attack are hosted across multiple ISPs located in France, Canada, and the United States.
The router of the network was a TP-Link TD-W8951ND, an all-in-one device combining a DSL modem and a wireless router. This router contains a fairly serious vulnerability: an external user can reach, without authentication, the page used to upgrade or back up the router's firmware. The backup file obtained there is easily decoded, and once decoded it contains the root password in its very first line.
This particular vulnerability has not received much media attention, although it is very similar to the "The Moon" attack that hit Linksys routers earlier this year. It appears to have been disclosed publicly at least twice: once in January and a second time several days later. DNS poisoning attacks of this sort are not new, however; they have been around for many years.
I was able to verify that the settings of the device were modified by the attackers. Google's free DNS server at 8.8.8.8 was also set as the secondary address, explaining why requests for non-targeted websites worked.
Figure 7. Router DNS settings
The list of targeted sites was fairly extensive, with more than 600 domains being targeted. Some of the sites targeted (aside from Facebook and Yahoo) include Ask, Bing, Google, LinkedIn, Pinterest, and SlideShare. All of these sites used the .com top-level domain. The attack also aimed at users visiting local sites with specific TLDs, such as:
How do you prevent yourself from becoming a victim of this attack? One suggestion is to explicitly use public DNS servers, such as those of Google (8.8.8.8 and 8.8.4.4). This can usually be done in the operating system's network settings, and is applicable to both mobile and non-mobile systems; it overrides a rogue resolver handed out by the router, as in this case, though not a router that intercepts all port-53 traffic. One can also consider the advice we provided earlier about using open Wi-Fi networks, which includes the use of VPNs, since a VPN carries DNS traffic through the tunnel as well.
What about the likely targets of attacks like these? The most likely targets are home users or small businesses that use consumer-grade routers. In such cases, we highly recommend that consumers keep the firmware of their devices up to date. (For this particular router, for example, updated firmware is available for some versions.)
Two settings can also help reduce the risk from these attacks: first, forward port 80 (the web management port) to a non-existent IP address, so that requests reaching it from outside go nowhere; second, make sure the web management interface of the router is not accessible from the WAN side of the network at all.
Update as of May 26, 2014, 02:25 A.M. PDT
Based on our further analysis, we found that TSPY_FAREIT.VAOV downloads BKDR_NECURS.BGSJ, which drops RTKT_NECURS.B. NECURS is known for disabling security features on affected systems. In this case, BKDR_NECURS.BGSJ disables the Windows firewall, and RTKT_NECURS.B also disables other security-related services.
Beyond the functions described above, since the start of 2014 we have seen NECURS malware associated with banking Trojans such as ZBOT.
We detect the malicious files that are part of this attack.