DNS impairment redirects thousands of websites to malware

Cybercriminals are exploiting the possibility of DNS impairment to redirects visitors of thousands legitimate websites to compromised domains used to serve malware.

DNS impairment or rather compromising DNS to distribute malicious code, cyber criminals are very attracted by the possibility to use DNS servers to redirect users that trying to visit a legitimate domain are hijacked to a malicious server. DNS servers manage  thousand of legitimate domains this means that compromising them the attackers could control an impressive amount of requests directed to them serving malware from any domain that uses the DNS service.

On 5th August 3 Dutch web hosting companies suffered cyber attacks, their name servers were altered by attackers that appear to have accessed an account at the Dutch national domain registrar, SIDN, changing the details of the company’s name servers to malicious servers controlled by criminals.

Three web hosting companies were affected by the DNS server compromise:

• Digitalus
• VDX
• Webstekker

The website of large Dutch online electronics retailer Conrad.nl was reportedly found to be spreading malware, and was taken down immediately after the discovery. In the following image the source code found on the page where visitors where redirected:

According to several news reports, hackers managed to access the DRS (domain registration system) of SIDN, despite DNS records were altered for 5 hours the attackers set the Time to Live value for their malicious DNS entries to 24 hours, in this way any ISP that cached the DNS response for one of the affected domains would redirected users to malicious servers for up to 24 hours after the initial malicious DNS change had been resolved.

The effect of the attack was that each DNS request for the domains managed by the hosting companies were redirected to a web site (IP address 178.33.22.5) showed an ‘under construction’ message that contains a hidden iframe that pointed users’ browsers to an exploit kit hosted at:

hxxp://cona.com/removal/stops-followed-forces.php

According to Dutch security firm Fox-IT, who investigated the incident, the hack affected thousands of domains, the malware detected was the Black Hole exploit kit.

This exploit kit is designed to exploit two browser vulnerabilities, the PDF flaw CVE-2010-0188 and an unidentified Java exploit. Once infected the victims the exploits also download another malicious payload disguised as an image file:

hxxp://www.champagnekopen.nl/wp-content/uploads/2013/07/tr2.jpg

A Cisco blog post described the additional content downloaded with the following statements:

“This file is actually an executable (.exe) file that installs a Tor client on the visitor’s machine, then connects over an encrypted channel to the IP address 154.35.32.5 and downloads content. Subsequently, the malware connects to 194.109.206.212, exchanges further content over an encrypted channel before connecting to Tor entrance nodes.”

What is very concerning is that against this category of attack users are helpless, cybercriminals use to compromise websites with high reputation to deceive victims and spread malware, also malicious code used are usually very difficult to detect, the exploits could be based on zero-day vulnerability making impossible their detection.

In the specific case the company could monitor/block Tor traffic on their networks despite is it no easy due the encrypted communications, the detection and the stopping of Tor traffic would block the communication of malicious code with the command and control servers.

Pierluigi Paganini

(Security Affairs –DNS impairment, Hacking)