DNS impairment redirects thousands of websites to malware

Pierluigi Paganini August 11, 2013

Cybercriminals are exploiting DNS impairment to redirect the visitors of thousands of legitimate websites to attacker-controlled servers that serve malware.

DNS impairment, that is, compromising DNS infrastructure to distribute malicious code, is attractive to cybercriminals because a hijacked name server lets them redirect users who try to visit a legitimate domain to a malicious server. Name servers manage thousands of legitimate domains, so compromising them gives attackers control over an enormous volume of requests and lets them serve malware from any domain that relies on that DNS service.

On 5 August three Dutch web hosting companies suffered cyber attacks: their name server records were altered by attackers who appear to have accessed an account at the Dutch national domain registry for .nl, SIDN, and changed the name server details of the companies' domains to malicious servers controlled by the criminals.

Three web hosting companies were affected by the name server compromise:

  • Digitalus
  • VDX
  • Webstekker

The website of the large Dutch online electronics retailer Conrad.nl was reportedly found to be spreading malware and was taken down immediately after the discovery. The following image shows the source code found on the page to which visitors were redirected:

[Image: source code of the redirect page, showing the iframe injected on Conrad.nl visitors' path]

According to several news reports, the hackers managed to access SIDN's DRS (Domain Registration System). Although the DNS records were altered for only about five hours, the attackers set the Time To Live (TTL) of their malicious DNS entries to 24 hours, so any ISP resolver that had cached the response for one of the affected domains would keep redirecting its users to the malicious servers for up to 24 hours after the malicious change had been reverted.
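To make the TTL point concrete, here is an added simulation (not code from the article, SIDN or Fox-IT) of a caching resolver that honours the TTL of whatever answer it last fetched. The zone name, name server names and the 5-hour fix time are assumptions chosen to mirror the incident; the simulation also shows the two things that actually shorten the exposure, a short TTL on the poisoned record (which the attacker controls) or an explicit cache flush by the resolver operator.

```python
"""Simulated caching resolver: shows why a 24h TTL on hijacked name server
records keeps resolvers handing out the attacker's answer long after the
registry record has been restored.  Added illustration; all names and
timings are assumptions, not data from the incident."""
from dataclasses import dataclass

HOUR = 3600


@dataclass
class CacheEntry:
    value: str
    expires_at: int  # absolute time in seconds at which the entry dies


class Authority:
    """The authoritative source (registry record) for a zone's NS data."""

    def __init__(self, value, ttl):
        self.value, self.ttl = value, ttl

    def set(self, value, ttl):
        self.value, self.ttl = value, ttl


class CachingResolver:
    """A recursive resolver, e.g. an ISP's, with a TTL-bound cache."""

    def __init__(self, authority):
        self.authority = authority
        self.cache = {}

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry is None or now >= entry.expires_at:
            # Cache miss or expired entry: fetch a fresh answer and keep it
            # for exactly the TTL the authority advertised at fetch time.
            entry = CacheEntry(self.authority.value, now + self.authority.ttl)
            self.cache[name] = entry
        return entry.value

    def flush(self):
        self.cache.clear()


LEGIT_NS = "ns1.example-hosting.nl"   # assumed legitimate name server
EVIL_NS = "ns.attacker.example"       # assumed attacker name server


def simulate(hijack_ttl=24 * HOUR, fixed_at=5 * HOUR, flush_at=None, horizon=30):
    """Return the hour offsets (from the hijack at t=0) at which the ISP
    resolver still answers with the attacker's name server."""
    auth = Authority(LEGIT_NS, HOUR)
    isp = CachingResolver(auth)
    auth.set(EVIL_NS, hijack_ttl)      # t=0: attacker edits the registry record
    poisoned = []
    for hour in range(horizon):
        now = hour * HOUR
        if now >= fixed_at:
            auth.set(LEGIT_NS, HOUR)   # registry record restored after 5 hours
        if flush_at is not None and now == flush_at:
            isp.flush()                # resolver operator purges the cache
        if isp.resolve("shop.example.nl", now) == EVIL_NS:
            poisoned.append(hour)
    return poisoned


if __name__ == "__main__":
    print("24h TTL, fixed at +5h :", simulate())
    print("5 min TTL, fixed at +5h:", simulate(hijack_ttl=300))
    print("24h TTL, flush at +6h  :", simulate(flush_at=6 * HOUR))
```

With the 24-hour TTL the resolver keeps returning the attacker's name server for hours 0 through 23, i.e. 19 hours after the registry record was fixed; with a 5-minute TTL the exposure ends the moment the record is restored, and a cache flush at hour 6 ends it immediately. Since the attacker chooses the TTL, the defensive lever is the flush, which is why incident notices for this kind of hijack ask ISPs to purge their caches.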

The effect of the attack was that every DNS request for the domains managed by the hosting companies was answered with the address of a web site (IP address 178.33.22.5) showing an "under construction" message that contained a hidden iframe pointing the visitor's browser to an exploit kit hosted at:

hxxp://cona.com/removal/stops-followed-forces.php
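Injected hidden iframes of this kind are easy to spot in static HTML once you look for them. The following is an added example (not code from the article or Fox-IT) of a small scanner that flags iframes that are tiny, hidden via CSS, or both, and records whether their source is on a third-party host; the sample "under construction" page and the landing URL in it are constructed for illustration.

```python
"""Flag hidden iframes in HTML, the injection pattern used on the
'under construction' redirect page.  Added example; the sample page and
the exploit-kit.example host are constructed, not from the incident."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS that makes a frame invisible without removing it from the page.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"position\s*:\s*absolute.*?(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)


def _tiny(value):
    """True for width/height attributes of 0, 1 or 2 pixels (with or without 'px')."""
    m = re.match(r"\d+", str(value))
    return m is not None and int(m.group()) <= 2


class IframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        w, h = a.get("width", ""), a.get("height", "")
        if _tiny(w) and _tiny(h):
            reasons.append(f"tiny frame {w}x{h}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if not reasons:
            return  # visible, normally sized frame: not reported
        src = a.get("src", "")
        host = urlsplit(src).hostname or ""
        if host and host.lower() != self.page_host:
            reasons.append(f"third-party host {host.lower()}")
        self.findings.append({"src": src, "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return a list of {'src', 'reasons'} for every suspicious iframe."""
    parser = IframeFinder(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: a benign embed next to an injected 1x1 hidden frame.
SAMPLE_PAGE = """<html><head><title>Under construction</title></head>
<body><h1>This site is under construction</h1>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
<iframe src="http://exploit-kit.example/landing.php"
        width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE, "www.example.nl"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

The scanner only sees the HTML as served; frames injected later by JavaScript need a headless browser or a DOM snapshot. It is still a cheap check to run against your own pages from an external vantage point, which is exactly the view a visitor had during the hijack.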

According to the Dutch security firm Fox-IT, which investigated the incident, the hack affected thousands of domains; the malware served was the Black Hole exploit kit.

This exploit kit instance was configured to exploit two client-side vulnerabilities, the Adobe Reader PDF flaw CVE-2010-0188 and an unidentified Java exploit. Once the victim was compromised, the exploits downloaded a further malicious payload disguised as an image file:

hxxp://www.champagnekopen.nl/wp-content/uploads/2013/07/tr2.jpg

A Cisco blog post described the additional content downloaded as follows:

“This file is actually an executable (.exe) file that installs a Tor client on the visitor’s machine, then connects over an encrypted channel to the IP address 154.35.32.5 and downloads content. Subsequently, the malware connects to 194.109.206.212, exchanges further content over an encrypted channel before connecting to Tor entrance nodes.”

What is very concerning is that users are largely helpless against this category of attack: the criminals abuse websites with a high reputation to deceive victims and spread malware, the malicious code served is usually hard to detect, and where the exploits rely on zero-day vulnerabilities their detection becomes practically impossible. In this incident, however, the kit relied on a PDF flaw from 2010 (CVE-2010-0188), so visitors running a patched Adobe Reader were immune to at least that exploit; keeping browser plugins current remains the most effective user-side defence against exploit kits.

In this specific case, companies could monitor and block Tor traffic on their networks. That is not easy, because the communications are encrypted, but detecting and stopping Tor traffic would cut off the malware's communication with its command and control servers. Tor relays and directory authorities are publicly listed, so blocking by destination address is feasible even where content inspection is not.
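As an added example of that network-side detection (not code from the article, Fox-IT or Cisco), the script below walks a connection log and flags internal hosts that talk to known Tor infrastructure. The indicator set is seeded with the two addresses quoted from the Cisco post; the internal network range, the Tor default ports used as a weaker heuristic, and the log lines themselves are assumptions constructed for the example. In production the indicator set would be refreshed from the public Tor relay list.

```python
"""Flag outbound connections to Tor infrastructure in a flow log.
Added example; the log lines and the 10.0.0.0/8 internal range are
constructed.  The two indicator IPs are the ones quoted in the article
from the Cisco post; the default ports are Tor's standard ORPort/DirPort."""
import ipaddress
import re
from collections import defaultdict

TOR_INDICATORS = {"154.35.32.5", "194.109.206.212"}  # quoted in the article
TOR_DEFAULT_PORTS = {9001, 9030}                     # default ORPort / DirPort
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal range

# Constructed log in a simplified "ts src:sport -> dst:dport proto bytes" form.
SAMPLE_LOG = """\
2013-08-05T14:02:11 10.1.4.23:51122 -> 178.33.22.5:80 tcp 1432
2013-08-05T14:02:14 10.1.4.23:51130 -> 154.35.32.5:443 tcp 20114
2013-08-05T14:02:20 10.1.4.23:51131 -> 194.109.206.212:443 tcp 8820
2013-08-05T14:03:02 10.1.4.23:51140 -> 203.0.113.77:9001 tcp 61002
2013-08-05T14:03:10 10.1.7.9:40001 -> 93.184.216.34:443 tcp 5120
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<bytes>\d+)$"
)


def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["dport"], d["bytes"] = int(d["dport"]), int(d["bytes"])
            yield d


def classify(flow, indicators=TOR_INDICATORS):
    """Return a reason string if the flow looks like Tor traffic, else None."""
    if flow["dst"] in indicators:
        return "known-tor-ip"          # strong: matches the indicator list
    external = ipaddress.ip_address(flow["dst"]) not in INTERNAL
    if external and flow["dport"] in TOR_DEFAULT_PORTS:
        return "tor-default-port"      # weaker heuristic, relays may use 443
    return None


def find_tor_clients(log, indicators=TOR_INDICATORS):
    """Map each internal source IP to the list of suspicious flows it made."""
    hits = defaultdict(list)
    for f in parse(log):
        why = classify(f, indicators)
        if why:
            hits[f["src"]].append((f["ts"], f["dst"], f["dport"], why))
    return dict(hits)


if __name__ == "__main__":
    for host, flows in find_tor_clients(SAMPLE_LOG).items():
        print(host)
        for ts, dst, dport, why in flows:
            print(f"  {ts} -> {dst}:{dport}  [{why}]")
```

The address-list match is the reliable signal; the port heuristic only catches relays on their default ports and will miss those listening on 443, which is why a current relay list matters more than port rules. Note that the redirect server itself (178.33.22.5 on port 80) is not flagged here: it is the infection vector, not Tor traffic, and belongs on a separate web-filtering blocklist.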

Pierluigi Paganini

(Security Affairs – DNS impairment, Hacking)
