DNS takeover redirects thousands of websites to malware

FanJ · Aug 8, 2013

From the Fox-IT blog:

http://blog.fox-it.com/2013/08/05/dns-takeover-redirects-thousands-of-websites-to-malware/

DNS takeover redirects thousands of websites to malware
Posted on August 5, 2013 by ydklijnsma

Starting on Mon, 5 august 2013, 06:57:30 Fox-IT’s monitoring service detected a redirect occurring initially on conrad.nl but later on many other websites. The way the site was compromised means thousands of websites are redirecting, in total 3 web hosters seem to have been affected by the DNS server compromise:

•Digitalus
•VDX
•Webstekker
All sites using the DNS servers from these companies will have been affected. The official response given by Digitalus was that someone modified the DRS from SIDN with external name servers. This means that any DNS requests made to them would end up at the malicious DNS servers. The only problem now is that the DNS zones have a TTL (Time to live) of 24 hours. This means that most ISP would have this incorrect data in their caches for at least this length of time. After being contacted they fixed the issue and most public name servers now respond with the correct data. How the intruders got access to the DRS remains unknown until Digitalus or SIDN disclose more information, they are is still investigating the issue (source).

Every website that was being requested responded with a blank “Under construction” page with an iframe on it. The iframe was a host running the Blackhole Exploit Kit. While initially we assumed conrad.nl was compromised we found out that the DNS servers were giving back responses with the same IP every time:~Link removed~
Click to expand...

Read more at above link.

Note by me:
I don't know at the moment whether it were only websites in The Netherlands.

NormanF · Aug 6, 2013

I have Blue Coat K9 to block all spyware/malware sites from even loading. Its good protection from malware DNS re-direct.

gerardwil · Aug 6, 2013

Some extra info (autotranslated) by tweakers:

According to security firm Fox-IT, a sample of the malware analyzed, were a PDF and a Java exploit served to visitors. The malware in question, the Andromeda backdoor, communicating via the Tor network to retrieve a command-and-control server commands. Possibly there was a bitcoin miner-installed, so said Mark Loman of security SurfRight against Tweakers. Also, the browser hijacked, though Chrome therefore not vulnerable.

Fox-IT has published instructions to remove the malware; therefore must include a registry key and an executable be removed. Also, remove with Hitman Pro, the malware as promises security researcher Loman, whose company develops security software. Administrators can block port 52300: probable thus prevent the command-and-control server instructions to infected PCs send.
Click to expand...

FanJ · Aug 8, 2013

Thanks Gerard for that link

=====

I noticed that Fox-IT has changed their Cleanup instructions:
http://blog.fox-it.com/2013/08/05/dns-takeover-redirects-thousands-of-websites-to-malware/

The old instructions previously stated in this post might not work for updated versions of the malware, we are advising HitmanPro.Kickstart to clean up your PC.
Click to expand...

Note by me:
I post that as it is posted there. Other antimalware programs may or may not be able to do the trick too.

ronjor · Aug 8, 2013

by Mark Hofman (Version: 1)

According to the notification by the provider (http://noc.digitalus.nl/dashboard/136/Storing-DNS-servers) requests were being forwarded to external name servers. The issue was picked up relatively quickly. According to Digitalus and other reports SIDN, the Foundation for Internet Domain Registration in the Netherlands suffered a breach which affected the domain name registration systems. The change was made at 0330 and the zone fully recovered by 0800, but that did mean that those who had already erroneously resolved the malicious domains would retain those records for a typical 24 hours. Whilst the provider is still investigating, at the moment there is no additional information available. It is not yet clear how the initial change was made. the result however is still being felt by a number of their customers.
Click to expand...

https://isc.sans.edu/diary/DNS servers hijacked in the Netherlands/16324

makethink · Aug 9, 2013

Yeah, there are malicious toolbars and DNS malware attacking lots of computers and browsers.

Rasheed187 · Aug 18, 2013

Personally I think it´s strange that these things can happen to such companies.

What kind of crappy security software are they using? That´s what I would like to know.

Baserk · Aug 19, 2013

Rasheed187 said:

What kind of crappy security software are they using? That´s what I would like to know.
Click to expand...

Google translate dutch Foodlog.nl --http://www.foodlog.nl/short-news/detail/hoe-zat-het-met-hack-van-digitalus/--
'The study of Digital Investigation shows that through an e-mail with an almost identical-to-pdf-like malicious attachment, passwords and login data were stolen'.
"Opening this email attachement could have happened to me. The email arrrived at a department that receives numerous types of such emails daily. The file was not immediately apparent as a non-regular pdf.
A versed IT employee might have recognized this though, according to Sebastiaan de Koning, CEO of IT-Ernity." (my translation)
As is written in the press statement, the attachement was opened on a work station in the 'office' section, not in the 'production' section.

Edit; Could be something as 'innocent' as not unchecking 'hide file extensions' or more nefarious like MiniDuke link on unpatched office workstation.

Rasheed187 · Aug 31, 2013

@ Baserk

I suppose they were using some crappy security suite without HIPS.

Log in or Sign up

DNS takeover redirects thousands of websites to malware

FanJ Updates Team

NormanF Registered Member

gerardwil Registered Member

FanJ Updates Team

ronjor Global Moderator

makethink Registered Member

Rasheed187 Registered Member

Baserk Registered Member

Rasheed187 Registered Member

Log in or Sign up

DNS takeover redirects thousands of websites to malware

FanJ Updates Team

NormanF Registered Member

gerardwil Registered Member

FanJ Updates Team

ronjor Global Moderator

makethink Registered Member

Rasheed187 Registered Member

Baserk Registered Member

Rasheed187 Registered Member

Useful Searches