DNS Hijacking – a trend carried by Adware
Adware have always known to be the most annoying group of malware since the beginning. Disrupting user’s browsing experience by showing countless advertising banners and redirecting them to websites without their consent. If that isn’t troublesome enough, getting rid of them is another big challenge in several cases. Gone are those days when you could remove such irritating adware by simply resetting or re-installing the browsers. Now we see adware that do not leave you even if you re-install the entire Operating System.
DNS Hijacking
DNS is a service that translates all the website names we enter into our browsers into their respective IP addresses. DNS is configured on your router settings and in your PC’s network settings accordingly. In one of the DNS hijacking methods, a hacker exploits a server’s or a router’s vulnerability to access it and changes the DNS settings to malicious ones. The system which is having its network configurations as DHCP or Automatic, will obtain these malicious DNSs from the router and assign it to the PC’s network configuration.
This allows an attacker to perform malicious activities such as:
- Directing users to phishing pages that look like a well-known website but are actually designed to trick users into sharing sensitive information like login ID and passwords, bank account details, etc.
- To show ads on legitimate websites
- Listening to, controlling, and redirecting network traffic
As this infection is not in the browser or PC, no matter how many times the user resets the browser or reinstalls the OS, the issue is going to keep occurring again and again.
DNS hijacking mainly occurs due to the following reasons:
- Router/modem is set to a default/weak/factory password
- Vulnerable devices/router models which are not patched and updated
- PUAs getting installed on a system while installing legitimate software
- Visiting potentially dangerous sites like torrents and clicking on pop-up ads
Recent DNS hijacking incidents
Recently, we have observed multiple cases where we suspect the routers were compromised with suspicious DNS which caused website redirection. These DNS infection scenarios can be primarily categorized into the following 2 cases.
- Security error warnings in browsers
- Websites getting redirected to unwanted websites
Security error warnings in browsers
In this scenario, when the user opens any website, they get a security alert asking them to install a security plugin.
Fig 1
Clicking on ‘INSTALL NOW’ will download the ‘plugin_install.exe’ file. In this case, the downloaded file is not the installer for any security plugin but the installer for a DNSChanger malware along with additional components to perform activities like bitcoin mining.
Websites getting redirected to unwanted websites
In this scenario, while users are browsing they get redirected to a website where they are informed that their browser’s Flash player is outdated and must be updated in order to use the services of the website like watching videos, etc.
However, the plugin/extension that the website installs is not related to Flash but a third-party PUA (potentially unwanted application) extension.
Fig 2
Indicators of infection
Below are a few suspicious IP addresses (DNS) which we have observed on affected systems:
- 185.166.239.90
- 82.211.31.126
- 35.165.139.186
Tips to stay away from DNS hijacking
- Change the router’s username and password to a strong, unique password (consult the router manual for instructions)
- Upgrade your router with the latest firmware or replace it completely if it cannot be updated. Also, while purchasing a new router/modem, prefer a more secure model to a less secure one
- If your system has suffered any such an attack, you can try resetting your router settings or change your DNS to Google Public DNS i.e. 8.8.8.8
Acknowledgment
Subject Matter Expert
Minali Jadhav
– Threat Research and Response Team
No Comments, Be The First!