Thursday, May 23, 2019

Compromised DNS Servers Redirect Sites to Malware

Cyber criminals frequently target DNS servers so that users trying to visit a legitimate domain are instead directed to a malicious server. These name servers handle resolution for thousands of legitimate domains, so compromising them gives attackers control over a large volume of requests and lets them serve malware from any domain that relies on the compromised DNS service.

On August 5th, Dutch web hosting companies suffered cyber attacks: their name servers were changed by attackers who appear to have accessed an account at the Dutch national domain registrar, SIDN, and altered the companies' name server records to point at malicious hosts under the attackers' control.

Three hosting companies were affected by the DNS server compromise:

  • Digitalus
  • VDX
  • Webstekker
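A registrar-level hijack of the kind described above is visible from the outside: the public NS records for the affected domains point at hosts the operator never configured. The following script, added here as an illustration and not code from the original post or from any of the companies named, compares the NS set a monitoring job observes (parsed from `dig`-style output) against a stored baseline and raises an alert on any difference. All domain names, nameserver names and the sample answer are constructed for the example.

```python
"""Baseline check for nameserver (NS) delegation changes.

Constructed example: the baseline and the sample dig-style answer below
are made up for illustration and do not come from the incident in the post.
"""
from __future__ import annotations


def normalize_ns(names):
    """Lower-case and strip trailing dots so that 'NS1.Hoster.Example.'
    and 'ns1.hoster.example' compare equal."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}


def check_delegation(domain, expected, observed):
    """Compare the observed NS set against the baseline for `domain`.

    Returns a dict with 'status' ('ok' or 'alert') plus the nameservers
    that appeared ('unexpected') or vanished ('missing') relative to the
    baseline. Any difference is an alert: a hijack may replace only one
    of several nameservers.
    """
    exp = normalize_ns(expected)
    obs = normalize_ns(observed)
    unexpected = sorted(obs - exp)
    missing = sorted(exp - obs)
    status = "alert" if unexpected or missing else "ok"
    return {"domain": domain, "status": status,
            "unexpected": unexpected, "missing": missing}


def parse_dig_ns(text):
    """Extract NS targets from output shaped like
    'dig +noall +answer NS <domain>', i.e. lines of the form
        example.net.   3600  IN  NS  ns1.hoster.example.
    Comment lines and records of other types are ignored."""
    targets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "NS":
            targets.append(parts[4])
    return targets


# Constructed baseline: what the operator knows they configured.
BASELINE = {
    "example.net": ["ns1.hoster.example", "ns2.hoster.example"],
}

# Constructed dig-style output representing what a monitoring job might
# see after one nameserver has been swapped at the registrar.
SAMPLE_ANSWER = """\
;; constructed sample, not real resolver output
example.net.            3600    IN      NS      ns1.hoster.example.
example.net.            3600    IN      NS      ns1.unknown-host.example.
"""


def run_check(domain, answer_text):
    """Parse the observed answer and compare it with the stored baseline."""
    return check_delegation(domain, BASELINE[domain], parse_dig_ns(answer_text))


if __name__ == "__main__":
    print(run_check("example.net", SAMPLE_ANSWER))
```

In practice `SAMPLE_ANSWER` would be replaced by the live answer from the parent zone's servers (or a DNS library), and the job would run on a schedule so that a delegation change is caught within minutes rather than after visitors report malware.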

Subsequently, a large Dutch online electronics retailer was reported to be distributing malware and was taken offline immediately after the discovery. The following image shows the source code found on the page where visitors were being redirected:

[Image: conrad_iframe, source code of the injected iframe]

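The injected code shown in the image is an iframe that pulls the malicious payload from a host outside the retailer's site. A defender checking a site's pages for this kind of injection can look for frames that load from a foreign host or that are hidden from the visitor. The scanner below is an added example, not code from the original post and not the actual injected snippet; the sample page, site host and foreign hostname are constructed for the illustration.

```python
"""Flag iframes that load from a foreign host or are hidden from the user.

Constructed example: SAMPLE_PAGE imitates a shop page carrying one
legitimate same-origin frame and one injected hidden frame.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '0', '1px' or '600' into an int; None if not numeric."""
    v = value.strip().lower().rstrip("px")
    return int(v) if v.isdigit() else None


def _is_hidden(attrs):
    """A frame of at most 1x1 pixels or styled invisible is hidden."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w = _dimension(attrs.get("width", ""))
    h = _dimension(attrs.get("height", ""))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def find_suspicious_iframes(html, site_host):
    """Return a list of {'src', 'reasons'} for frames worth reviewing.

    A frame is reported when its src host is neither site_host nor a
    subdomain of it, or when it is hidden. Relative src values resolve
    to the site itself and count as same-origin.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        reasons = []
        if host != site_host and not host.endswith("." + site_host):
            reasons.append("external src host: " + host)
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate frame, one injected frame.
SAMPLE_PAGE = """<html><body>
<h1>Shop</h1>
<iframe src="/checkout/frame" width="600" height="400"></iframe>
<iframe src="http://static.unrelated-host.example/x.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, "shop.example"):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Running this over a crawl of the site's own pages (or over the HTML a monitoring client fetches from the public address) gives an early signal that content has been altered, independent of whether the alteration came through the web server or, as here, through a redirected DNS delegation.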
A blog post by Cisco described the additional content that was downloaded as follows:

“This file is actually an executable (.exe) file that installs a Tor client on the visitor’s machine, then connects over an encrypted channel to the IP address and downloads content. Subsequently, the malware connects to, exchanges further content over an encrypted channel before connecting to Tor entrance nodes.”

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
