Adware have always known to be the most annoying group of malware since the beginning. Disrupting user’s browsing experience by showing countless advertising banners and redirecting them to websites without their consent. If that isn’t troublesome enough, getting rid of them is another big challenge in several cases. Gone are those days when you could remove such irritating adware by simply resetting or re-installing the browsers. Now we see adware that do not leave you even if you re-install the entire Operating System.
DNS is a service that translates all the website names we enter into our browsers into their respective IP addresses. DNS is configured on your router settings and in your PC’s network settings accordingly. In one of the DNS hijacking methods, a hacker exploits a server’s or a router’s vulnerability to access it and changes the DNS settings to malicious ones. The system which is having its network configurations as DHCP or Automatic, will obtain these malicious DNSs from the router and assign it to the PC’s network configuration.
This allows an attacker to perform malicious activities such as:
As this infection is not in the browser or PC, no matter how many times the user resets the browser or reinstalls the OS, the issue is going to keep occurring again and again.
DNS hijacking mainly occurs due to the following reasons:
Recent DNS hijacking incidents
Recently, we have observed multiple cases where we suspect the routers were compromised with suspicious DNS which caused website redirection. These DNS infection scenarios can be primarily categorized into the following 2 cases.
Security error warnings in browsers
In this scenario, when the user opens any website, they get a security alert asking them to install a security plugin.
Clicking on ‘INSTALL NOW’ will download the ‘plugin_install.exe’ file. In this case, the downloaded file is not the installer for any security plugin but the installer for a DNSChanger malware along with additional components to perform activities like bitcoin mining.
Websites getting redirected to unwanted websites
In this scenario, while users are browsing they get redirected to a website where they are informed that their browser’s Flash player is outdated and must be updated in order to use the services of the website like watching videos, etc.
However, the plugin/extension that the website installs is not related to Flash but a third-party PUA (potentially unwanted application) extension.
Indicators of infection
Below are a few suspicious IP addresses (DNS) which we have observed on affected systems:
Tips to stay away from DNS hijacking
Subject Matter Expert
– Threat Research and Response Team