DNSChanger is malicious software (malware) that changes a user’s Domain Name System (DNS) settings, in order to divert traffic to unsolicited and potentially illegal sites.
Beginning in 2007, the cyber ring responsible for DNSChanger operated under the company name “Rove Digital” and used the malware to manipulate users’ Web activity by redirecting unsuspecting users to rogue DNS servers hosted in Estonia, New York, and Chicago. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.
FBI has since seized the rogue DNS servers and the botnet’s command-and-control (C&C) servers as part of “Operation Ghost Click” and the servers are now under their control. To assist victims affected by the DNSChanger, the FBI obtained a court order authorising the Internet Systems Consortium (ISC) to deploy and maintain temporary legitimate DNS servers, replacing the Rove Digital malicious network. As mentioned earlier, this is by no means a permanent solution and does not remove malware from infected systems; it just provides additional time for victims to clean affected computers and restore their normal DNS settings. According to the court order-which expired on 9 July 2012-the clean DNS servers will be turned off and computers still infected by DNSChanger malware may lose Internet connectivity.
To put this into perspective, DNS is an Internet service that converts user-friendly domain names into the numerical IP addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website you are intending to visit. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.
With the ability to change a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP’s legitimate DNS server’s address to the rogue DNS server’s address, in this case, advertisement websites.
A task force has been created, called the DNSChanger Working Group (DCWG), to help people determine if their computers have been compromised by this threat and to also help them remove the threat.
A team of security researchers have demonstrated how a security flaw in Android 4.0.4 can be exploited by a clickjacking rootkit.
The research team is lead by North Carolina State University professor Xuxian Jiang, who succeeded in developing a proof-of-concept rootkit that attacks the Android framework as opposed to the underlying operating system kernel. The researchers contend that such a rootkit could potentially be downloaded with an infected app and be used to manipulate the smartphone.
In the video, the demonstrator was able to hide applications on the device, as well as get them to launch when icons for other applications are clicked. If downloaded with an infected application, the rootkit could for example hide the smartphone’s browser and replace it with a browser that looks exactly the same but actually steals all of the user’s information.
An unpatched Windows vulnerability considered a critical threat by security experts is being exploited by cybercriminals.
Microsoft disclosed the flaw in XML Core Services (MSXML) 3.0, 4.0 and 6.0 June 12 during its monthly release of patches. The security advisory, which was separate from the patch release, offered a workaround for vulnerability CVE-2012-1889, but no fix.
Vulnerability CVE-2012-1889 is simple to exploit in all known versions of Internet Explorer. An attacker can make a CLSID-identification request by calling MSXML library methods and create an object identifier in order to try to access a non-existent object. Proof of Concept code for causing a crash looks like this:
This code looks simple, but generates memory corruption and crashes Internet Explorer. The exploitation code tries to request a non-initialized object, but reference to memory region already exists. Memory corruption takes place in the helper function _dispatchImpl :: InvokeHelper() in the MSXML library.
Currently, this vulnerability has no patch available but Microsoft has released a Fix it solution. We strongly suggest that you consider this workaround – for now.
Hackers are using QR codes to distribute malware to smartphone owners, says AVG.
According to the security firm’s AVG Community Powered Threat Report – Q4 2011, QR codes are becoming more popular with mobile users when it comes to accessing web pages or information without the need for typing in text or a URL, as the codes can simply be scanned by a handset and then automatically direct the user to the information. However, hackers are beginning to exploit this popularity as the user does not know what lurks behind the QR code until the malware is already installed and running on their device.
“In Q4 we clearly saw the convergence between computers and mobile phones applies to malware too. As phones become more like computers, so do the risks,” said Yuval Ben-Itzhak, Chief Technology Officer, AVG Technologies.
“Many sophisticated tricks of the trade from computers are now being repurposed for phones. However, as phones are often tied into billing systems the gains can be far greater.”
AVG also revealed 2011 saw a surge in the number of Android malware samples detected as well as the number of smartphones running Google’s operating system. Furthermore, stolen digital certificates, which are used to trick a user into believing the application is genuine, are also being used to target mobile device owners along with Rootkits, which AVG said are “evolving to be much more sophisticated”.
The security firm said the Blackhole toolkit is currently the most active threat on the web, accounting for half of all detected instances and over 80 percent of all toolkits found this quarter. The USA remains the largest source of spam, but is now followed by the UK, which jumped from fourth to second place overtaking India and Brazil this quarter.
Much has been written about the Ramnit worm and its transformation into a financial malware. And now, Seculert’s research lab has discovered that Ramnit recently started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, mostly from people in the UK and France.
Discovered in April 2010, the Microsoft Malware Protection Center (MMPC) described Ramnit as “a multi-component malware family which infects Windows executable as well as HTML files”, “stealing sensitive information such as stored FTP credentials and browser cookies”. In July 2011 a Symantec report estimated that Ramnit worm variants accounted for 17.3 percent of all new malicious software infections.
In August 2011, Trusteer reported that Ramnit went ‘financial’. Following the leakage of the ZeuS source-code in May, it has been suggested that the hackers behind Ramnit merged several financial-fraud spreading capabilities to create a “Hybrid creature” which was empowered by both the scale of the Ramnit infection and the ZeuS financial data-sniffing capabilities.
With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms. As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands.
Seculert has provided Facebook with all of the stolen credentials that were found on the Ramnit servers.