NBC.com hacked, serving up Citadel malware

February 21, 2013

A few hours ago Ronald Prins of Fox-IT (@cryptoron) was tweeting about NBC.com infecting its visitors with malicious software (malware). We were investigating this as well and found the following interesting facts.

Update: Fox-IT has also posted a blog item on the incident.

There were two exploits links on the NBC website. The first one was on the main default (entry) page. And the second one was located on hxxp://www.nbc.com/assets/core/js/s_wrapper.js


It serves both Java (CVE-2013-0422) and PDF exploits. The exploit drops the Citadel Trojan which is used for banking fraud and cyber-espionage. The Citadel malware communicates with the following server, which is already sinkholed:


We’ve seen at least two different Citadel Trojans. MD5 hashes of the droppers:

An hour later the attack pages were swapped, which means the cyber criminals still have access to NBC’s pages. We’ve seen them linking to e.g.:


RedKit Exploit Kit

The attacks were carried out by the Redkit Exploit Kit. One of RedKit’s noticeable features is that it can generate and rotate attack URLs every hour.

RedKit was also used last year during the Telegraaf attack in The Netherlands which served the Citadel Trojan from the Pobelka botnet (Dutch). The Pobelka botnet stole highly sensitive information (including usernames, passwords, certificates, documents and other data), 750GB in size, from over 150.000 computers located in networks from the Dutch government, hospitals, vital infrastructures like water and power plants, airlines, multinationals and other companies.

Just a coincidence
Did you know that the Citadel Trojan responsible for the Dorifel outbreak in The Netherlands last year had the NBC logo as file icon?dorifel-citadel

On-Demand Detection and Timeline
HitmanPro’s behavioral scan detects zero-day Citadel malware quite easily as can be seen in the below screenshot.

The new forensic cluster feature of HitmanPro establish a pretty timeline – post infection. So even if you got infected a few days ago, HitmanPro provides evidence on how that happened.

Citadel infection


Some of the victims have also been infected with the ZeroAccess malware after visiting NBC.com:



The ZeroAccess malware moderates an affected user’s Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers, the cybercriminals. ZeroAccess is a dangerous threat that uses stealth techniques in order to hinder its detection and removal.

Unknown malware
The attack also served an unknown malware binary, connecting to various websites:


Some antivirus vendors identify this malware as Zbot or a rootkit (MD5: 1fa5afe1ddcd083d40b5b330fd9b3613), but it is most definitely not Zbot and it’s not a rootkit either. The malware binary has a curious filename (3S4H3S.exe) and an interesting string at the end “SadokBdi”. If you Google Sadok or Kodas, you come across some interesting webpages.


While the attack is ongoing, Facebook.com is preventing posts to NBC.com, as can be seen from this screenshot:


Perform Second Opinion Scan
If you’ve visited NBC.com today, you should perform a FREE second opinion scan to see if your computer got infected. You can download HitmanPro from here: get.hitmanpro.com

Late Night Show Jimmy Fallon

4 hours after the initial detection, the webpages of NBC.com still contained iframes opening exploit sites. In addition, we have seen other webpages like hxxp://www.latenightwithjimmyfallon.com and hxxp://www.jaylenosgarage.com serving some of the same links as NBC.com. This is also confirmed by the guys at Securi Blog.

Dorifel, Pobelka and a Chinese connection

February 1, 2013

It has been a while since we wrote our last blog. Sorry for this but we were busy with a lot of projects. Two noteworthy projects were the release of our unique solution against ransomware (e.g. FBI Reveton and BKA/GVU trojans) and of course the disclosure of the Pobelka Citadel botnet that haunted 150.000 Dutch (mostly government and business) computers for 8 months last year. The latter hasn’t been discussed much internationally because we released our extensive research in the Dutch language only (which is available here). Regarding this research, we reveal some additional but striking insights now the entire world is talking about Chinese hackers attacking media networks of the New York Times, Wall Street Journal and Bloomberg.

Perhaps you still remember September last year, when cybercriminals were able to launch attacks on Dutch computers by using a compromised marketing server used by ‘De Telegraaf’, a widely read newspaper and the #11 website in The Netherlands. This was the umptiest Dutch incident, after others like NU.nl, weeronline.nl, and of course the Dorifel outbreak which brought operations of many Dutch municipalities, government and large multinational companies to a standstill (for days).

Pobelka botcount

Illustration 1: Bots connecting with Pobelka command and control server

Of course we were curious why the Dutch were hit again and at that time decided to find out what was behind these incidents and if there was a common denominator.

We began investigating the malware dropper used in the Telegraaf incident and discovered (thanks to our HitmanPro cloud data) that it was spreading 4 different malware families during this particular incident: FakeAV, ZeroAccess, Medfos (we omitted Medfos in our earlier blog on the incident) and of course the Pobelka Citadel malware.

In this investigation we noticed an interesting fact: the Citadel server used in the Telegraaf incident was registered with the EXACT same credentials as a domain used by the gang responsible for spreading the Dorifel trojan. So they are somehow related or perhaps even the same criminals:


Illustration 2: Pobelka.com domain used by the Citadel server

ipo90.com domain used by Dorifel.3

Illustration 3: ipo90.com domain used by Dorifel-3 to distribute ransomware, that hit mostly non-Dutch systems

Even though we believe that eastern European criminals are behind the attack operations, you obviously have noticed the Chinese registration of the domains as well…

Responsible Disclosure
Remembering their investigative work on the Citadel server responsible for spreading Dorifel, we asked Dutch forensic firm Digital Investigation to work with us and to investigate our early research data. It didn’t took them long to bypass the different proxies that were hiding the server from plain view. In cooperation with law enforcement they seized this Citadel command and control server and discovered over 750 Gigabytes of sensitive information, which included login credentials (passwords), client certificates (remember DigiNotar) and even detailed overviews of internal networks that weren’t directly connected to the internet.

Citadel looking for other systems

Illustration 4: Citadel searching for information about other systems

So all this data was gathered and stolen by the Pobelka Citadel malware from inside Dutch government networks, hospitals, aviation industry and even networks controlling critical infrastructure, including industrial control systems (ICS). We did responsible disclosure e.g. by giving government time to handle the situation internally and by not revealing names of the many, many affected institutions, companies and public authorities. But because government officials did not deem the findings interesting enough to call for a nationwide check (many roaming business and home computers were affected as well), our extensive research didn’t even reach national news, let alone internationally.

Advanced Persistent Threat
It’s also worth noting that the Citadel malware (which is based on source code of the notorious Zeus banking trojan) is not considered to be an advanced persistent threat (APT), even though it also manages to stay under the radar for months (like the malware used in the New York Times breach). Last year we devoted a blog post on the prevalence of banking trojans (like Citadel) which revealed that this type of malware stays undetected for 25 days, on average, on computers actively protected by up-to-date antivirus software: Antivirus shortens the lifetime of financial malware

In our Dutch research paper on the Pobelka botnet we also explain how the Citadel malware easily bypasses these renowned antivirus programs and why it remains undetected for such a long time. And the Pobelka botnet, which was specifically setup to target Dutch and German computers, was not the only botnet operational in The Netherlands last year. We estimate that hundreds of similar (and larger) botnets are still operational right now, not only in The Netherlands. If you think the country of the Dutch is small, insignificant and seemingly unexciting, consider the operations going on in bigger countries, like France, Germany or the United States.

Check Now
If you are Dutch or German and you want to know if your company, network or sensitive data was compromised by the Pobelka botnet, simply go to this website by Digital Investigation to find out:


There you can also download HitmanPro, our free second opinion anti-malware, which uses behavioral analysis instead of virus signatures to hunt down zero-day threats, including all variants of malware based on Zeus, like Citadel.

Read here for our blog posting regarding the Dorifel outbreak and our role in rescuing hundreds of millions of documents on government networks and multinationals.

Update: Kaspersky posted an article about McAfee’s research on the Citadel trojan in Europe, spying on government and business computers: Citadel Trojan: It’s Not Just Banking Fraud Anymore

Antivirus shortens the life-time of financial malware

October 23, 2012

This title breaths a certain amount of obviousness, but most financial malware or banking Trojans are actually designed by cyber-criminals to avoid detection and hide for antivirus programs. The main goal of these digital bank robbers is clearly to steal your money by manipulating online bank transactions.

Research by SurfRight shows that the average life-time of a banking Trojan on a computer is 81 days for computers that do not have an up-to-date antivirus program. And the average life-time of a banking Trojan on a fully protected computer, that has an up-to-date antivirus program, is 25 days.

New users
These statistics are based on scan results from new users that run HitmanPro for the first time. And since it is based on a user’s decision to find a second opinion and download HitmanPro, these numbers should not be taken as exact science. Nonetheless, it is a clear indication that using an up-to-date antivirus program dramatically reduces the life-time of a banking Trojan.

Long time
Many people will now ask “why didn’t the antivirus program catch the banking Trojan right away? 25 days is still a long time.”

That is a valid question. If the banking Trojan is stopped right away, HitmanPro will not detect one on that computer because it has never been there. Antivirus programs are the last line of defense and will stop the vast majority of malware attacks, but not 100%.

  • Does the police prevent all robberies? They should, but they don’t.
  • Does the coast guard stop all drug transports before entering the country? They should, but they don’t.
  • Is a doctor’s diagnosis correct every time? It should, but it isn’t.

In other words: Using an antivirus program on your computer will stop most malware attacks, and will reduce the life-time of malware that has slipped the defenses and silently installed itself on the computer.

BBC Click: How banking Trojans go undetected and steal your money

How did we measure?
2,465,497 users scanned their computer with HitmanPro between October 2011 and October 2012 (1 year). The above mentioned statistics are not based on a laboratory research but are derived from real-world computers. The HitmanPro agent reported back the date the banking Trojan was installed on the computer, including which antivirus program the user was using (including its status) before HitmanPro removed the banking Trojan. The specific banking Trojans we counted for this statistic were Zeus, Citadel, SpyEye and Tinba.

Last August, our HitmanPro agent discovered Citadel Trojans within the Dutch government during the Dorifel outbreak. We also discovered that these Trojans were active on fully protected computers for roughly three to four weeks, without being detected. This period – shocking for most people – was clearly not an incident but is in line with our research results.

New TDL4 strain very successful in hiding from AV

October 7, 2012

Last month Damballa stirred up the security community with the discovery of a new iteration of the notorious TDL4 rootkit. This rootkit is known for infecting the Master Boot Record (MBR) to gain control over everything that runs on the computer, making itself invisible for antivirus products and pretty hard to remove. The malware is also known as the ‘indestructible’ botnet and Damballa reported that this new variant already infected 46 of the Fortune 500 companies as well as government agencies and ISP networks.

Damballa stumbled upon it thanks to their network behavioral analysis software, which detected the generated domain names that this new TDL4 variant apparently uses for command-and-control communication. Since Damballa could only determine the existence of the new malware by looking for domain fluxing, they concluded that no binary samples of the new malware have been identified and categorized by commercial antivirus products operating at the host or network levels. But HitmanPro is not your average antivirus.

With all the new stuff we are working on in our office we haven’t really got around to generate our monthly Malware Prevalence Top 25, a list of malware families that HitmanPro encounters on computers protected by up-to-date commercial antivirus products.

As you can see from the August and September lists we posted a few hours ago, Sst – also known as Maxss, a modification of the TDL4 strain – is indeed on the rise, big time.

In just 2 months it reached #2 position! This means that commercial antivirus products are unable to detect, let alone, remove this malware.

Volume Boot Record (VBR)
This new variant is known as Sst.c. It is capable of infecting the Volume Boot Record (VBR) – which is even more challenging for commercial antivirus programs.

So we can confirm that Sst.c is most prevalent and gained a new trick: it infects the Volume Boot Record.

We will post more information on Sst.c when it becomes available.

Banking Trojan keeps hitting the Dutch hard

September 8, 2012

Two days ago, Thursday September 6th, the website of the popular Dutch newspaper Telegraaf.nl was treating its visitors on zero-day malware. Telegraaf.nl is ranked #10 on the list of most popular websites in The Netherlands. Even though the media kept using Telegraaf.nl as the origin of the attack, technically it was caused by a compromised website of a Dutch online marketing company that handles newsletters and email marketing activities for Telegraaf.nl. This online marketing company handles online activities for other well-known Dutch companies too, including some non-profit organizations.

More Dutch websites compromised
To not discredit this relatively small company, their name was deliberately kept under wraps and everybody used Telegraaf.nl when referring to the Thursday outbreak. But according to our research, it wasn’t just this small marketing company that was involved in this specific attack-vector that day. We’ve seen other Dutch compromised websites (that were running on vulnerable versions of the Joomla CMS) with an iframe pointing to the exact same attack site. This attack site was located in Denmark and was hosted on a .com domain registered to a Dutch citizen (this legitimate website was compromised by the attackers and turned into an attack site).

Since the site is hosted in Denmark, you can imagine that it takes a bit more time to take down an attack site hosted in a country other than The Netherlands – it requires international cooperation. Thanks to efforts of others, like the Dutch National Cyber Security Centre (NCSC), the attack page in Denmark was suspended on Friday afternoon.

RedKit Exploit Kit
The attack site was hosting a counter.php which was actually the RedKit exploit kit. One of RedKit’s noticeable features is that it can generate and rotate attack URLs every hour. These URLs point to other compromised websites which makes it difficult to reliably block RedKit’s URLs. The exploit kit uses HTTP response status code 302 to redirect the browser to immediately open the actual attack URL.

To defend itself against malware researchers RedKit is equipped with new anti-forensic features.

Another important feature of this exploit kit is that it allows the attackers to upload an executable (malware) and test it against 37 different antivirus solutions to optimize attacks and ensure results:

Image by SpiderLabs

To infect computers, this exploit kit abuses a recently discovered vulnerability in Java, registered under CVE-2012-4681. This vulnerability affects Java 7 Update 6 (or older) and Java 6 Update 34 (or older). Since this vulnerability was patched by Oracle just days ago, and knowing that the cybercriminals using RedKit optimized their malware to bypass AV protection, not many computers could withstand this attack.

Below an overview of the malware that HitmanPro encountered on systems that were infected by this attack (the detection ratio was determined using VirusTotal at time of the initial attack):

45% of the affected computers by this attack were infected with the Citadel malware. And the other malware are also designed to steal and generate money.

We were able to identify this initially unknown malware by correlating the timestamp of the infection with that of the initial downloader on the victim machines (the downloader installed the unknown malware within 3 minutes). SHA-256 hashes:




Live Security Platinum

Note: The Citadel malware is a descendant of the Zeus banking Trojan and re-encrypts itself each time it infects a victim, making each infection unique.

The Dutch government issued an initial warning about the fake antivirus. But after a few hours we could see that it was not the fake antivirus people should’ve been worried about: it’s the Citadel banking Trojan that affected most systems. Contrary to the fake antivirus, which is very visible and popping up on people’s screens, the Citadel banking Trojan is specifically designed to be invisible, for both users and antivirus programs.

HitmanPro detects these malware either through behavioral analysis and/or signature detection. It will also thoroughly remove these infections and repair the (for most AV difficult to fix) services.exe. More about that in our blog ZeroAccess – From Rootkit to Nasty Infection.

Image: HitmanPro detecting Live Security Platinum, ZeroAccess and Citadel malware

Citadel leading the Dutch Malware Prevalence Top 25
I’d also like to refer to July’s top 25 of prevalent malware where, in The Netherlands, the Citadel banking Trojan ranks #1. FakeAV and ZeroAccess rank #2 and #5 respectively. World-wide, the Zeus family (where Citadel is part of) ranks #6.

Thank You
I would like to thank the Dutch National Cyber Security Centre (NCSC) for providing us information during the initial research.

Win 8 Security System and its Rootkit

August 31, 2012

Rogue security software (aka FakeAV or Fake Antivirus) is a form of Internet fraud using malicious software (malware) that deceives or misleads users into paying money for fake or simulated removal of malware. Typically these programs do not have a virus definition database nor a virus scan engine. All of the processes of a security program are imitated to scare victims into believing that their computers are infected with critical risk malware and viruses.

Since 2008 FakeAV is one of the most common malware families that HitmanPro finds on computers protected by an up-to-date antivirus program. The reason for this is that security vendors have a hard time keeping up with the cybercriminals who obfuscate and release new versions and variants of their annoying creations almost every day. Each iteration also has a deceiving name like Security Shield and Live Security Platinum. And to further lure victims into paying money, most rogue security software protect themselves by preventing legitimate programs from starting – this includes productivity software, internet security software and rescue tools. So you can imagine why FakeAV still takes the #1 position on our Malware Prevalence Top 25 month after month.

The reason for writing this article is that we found a new FakeAV which takes a different approach of deceiving and frustrating its victims. This new FakeAV is called Win 8 Security System:

Unlike its predecessors this FakeAV comes with a special rootkit driver which monitors and manipulates the operating system, taking control of every other process and program on the computer. One of the main purposes of the rootkit is to repair the FakeAV program (make it stick to the machine) and to make removal complicated.

The recognition of the rootkit driver is currently very low, only 1 out of 42 renowned anti-virus programs are capable of identifying this rootkit:

The rootkit driver is installed in the Windows drivers folder and has a random name, e.g. C:\Windows\system32\drivers\51991c15f7a6834.sys

64-bit Driver
The malware installs a different driver on computers running 64-bit Windows and disables 64-bit kernel-mode driver signing on these machines. Nonetheless, the cybercriminals went an extra mile by self-signing it with a certificate. Note the validity period, which starts on August 30 (yesterday):

Fake Action Center
The malware shows a fake Action Center, telling the victim the computer is not properly protected against viruses and spyware. When you want to open the real Action Center from the Control Panel, the malware will open the fake one instead:

Browser Hijacker
FakeAV often configures the proxy settings of your computer to intercept web browsing. This malware is different and uses its rootkit to hijack Internet Explorer and Google Chrome to display fake security warning messages when you try to browse the Internet:

Interestingly, shortcuts that belong to the malware (created on the Start Menu and on the Desktop) all link to the Windows command-line registry editior reg.exe. When the victim clicks on, for example, the Buy Win 8 Security System shortcut, a harmless registry entry is created, which is monitored by the rootkit.

  • Target: C:\WINDOWS\system32\reg.exe add “HKCU\SOFTWARE\Microsoft\Windows NT” /v FrameworkBuild /t REG_DWORD /d 0 /f

When this registry value is accessed (when you click on the shortcut), the rootkit is triggered and opens the shopping cart:

As you can see, for security software this FakeAV is pretty expensive. And if you pay, you have not only paid 100 bucks for fake software, you also submitted your credit card details to the cybercriminals.

When you look at the web traffic when the shopping cart opens, you can see some other interesting things:

The first site that is accessed is win8sec.com; the malware added this domain as a trusted domain to your computer upon installation. Next it communicates with the http://www.superantispyware.com domain, which belongs to a known legitimate anti-spyware program. If you compare the two websites you can see that win8sec.com is a partial copy of superantispyware.com:

When you lookup the win8sec.com domain record you can discover that it was registered not too long ago, on August 18, 2012 (the registrant details are fake):

The win8sec.com domain currently points to IP address This address currently resides in the United Arab Emirates.

At time of this blog post, there is currently no anti-virus, anti-spyware or anti-malware tool that we know of that is capable of removing this malware completely. So some security forums are offering a comprehensive step-by-step tutorial, involving the use of multiple tools, to handle this infection. But many forget the rootkit component.

In the meantime, you can use HitmanPro (and the free license that comes with it) to thoroughly and conveniently remove the FakeAV program and its rootkit component. A screenshot of HitmanPro detecting this malware on a 64-bit computer:

Also, if you are affected by this malware, it is very likely that another malicious program was responsible for installing this FakeAV on your machine and is currently still hiding. You can also use HitmanPro to reveal and remove this hidden malware.

Joint Strike Force against Dorifel

August 11, 2012

The computer virus Dorifel became the past three days a very prominent news item as it was on a rampage, infecting as many computers as possible on both government and private networks. IT personnel were stressed out since there were next to no virus signatures to detect the malware.

The inconvenience felt by the general public grew fast as many town’s civil services, like the issuing of passports, had to be taken offline for damage control: Dorifel had encrypted most Excel and Word documents and converted them into executable files.

The result was that many government staff had to blow the dust of the old fashioned typewriters again as they were asked to leave their computers switched off in an attempt to stop the outbreak in its tracks.

Photo by Marcel van Hoorn (ANP)

The creativity of cybercriminals is endless and they do their utmost to stay hidden, bypass antivirus protection, slow down malware research and do something new. Knowing that most antivirus products will first focus on malware blocking only, we figured at the start of the outbreak that there will be no readily available solution soon to recover the millions of affected documents (which prolongs the exposure of sensitive data to the cybercriminals).

Teaming Up with Emsisoft
While we were investigating the outbreak, we also spoke with Fabian Wosar of Emsisoft who was immediately keen to help. He recently created tooling to combat the ACCDFISA and Reveton ransomware families and conveniently had a few boiler plate functions laying around to speed up development of a dedicated remediation tool.

We immediately setup an extra examination environment in our office in Hengelo for Fabian to remotely work on with us, gathered malicious objects and affected documents and started to analyze the malware’s code and behaviors. The task was to find out how the seized documents were encrypted, if there was a way to recover them and, if possible, create a special tool that people can use to recover their documents.

Working Around The Clock
After working from Wednesday evening into Thursday morning on August 9th, Fabian was ready to offer everybody a free to use decryption tool which is available from our special support page: http://www.surfright.com/support/dorifel-decrypter

From this spot we would again like to thank Fabian Wosar for working with us on such short notice and helping everybody, especially the Dutch people, in limiting the effects of this attack.

To continue, we would like to share some interesting details that we encountered using the images below.

Image: Word, Excel and application files are automatically altered and renamed by the Dorifel malware. Notice the ? which is in fact unicode character 202E (aka RTLO right-to-left-override character) which causes the infected file to show up in Windows as ‘Contractrcs.doc’ to fool users the file is still a document.

Image: The encrypted ‘documents’ contains movie phrases and references to TV shows.

Image: The +++scarface+++ marker indicating the start of the encrypted data, which represents the original document.

Image: The pseudo code of the encryption/decryption loop.

Image: The assembly code of the encryption/decryption loop.

Image: Dorifel communicating on the network. Notice it queries for a local machine named KASPERSKY. More important, notice the internet traffic with the pin= parameter, where Dorifel tries get additional payload. Since it first tries to connect to Microsoft’s Update Service (which is hardcoded in the malware) we think that the attackers were also planning to redirect Windows update traffic. The domain reslove-dns.com is currently sinkholed.

Image: Dorifel connecting to the forum.4game.com website for Command & Control information.

Image: Every 1500 seconds Dorifel is retrieving a seemingly harmless ‘Breaking Bad’ season 5 poster (jpeg).

Image: The ‘Breaking Bad’ jpeg image contains hidden encoded Command & Control data. Dorifel stores it in a .dat file in its own folder under &appdata%, e.g. C:\Documents and Settings\User\Application Data\S4428M\G9D8Z3.exe.dat

Image: Small extract from our database where our HitmanPro software was used to rescue AV protected computers that were infected by Dorifel. The table shows that many machines also had Zeus/Zbot/Citadel Trojans, for weeks! Note: user 4624107 had an expired license of our software, which is why the same malware was detected twice.

The Dorifel outbreak was only a symptom. But what is the real problem?

August 10, 2012

Earlier this week, government, public sector and networks of private companies were hit hard by a new wave of crypto malware named Trojan-Dropper.Win32.Dorifel. Computers were shut down and the old-fashioned type writers that were gathering dust in the basement reappeared in the work place. For a moment I even thought this was funny.

The Dorifel Trojan scans network shares, local drives and USB connected drives for executables and Microsoft Office (Word and Excel) documents. Documents and programs were replaced with a new executable file that has the .scr file extension. Currently, most affected users will not notice anything since the ‘documents’ open as usual. It looks like the malware is currently only interested in propagating itself to as many machines as possible. But it is not unlikely that the attackers will later start blocking the ‘documents’ and requesting a ransom fee for unblocking them.

This is bad news for the organizations that were hit. But what’s even worse is that the Trojan entered the networks through a variant of the Zeus/Zbot banking Trojan called Citadel. This means that this Trojan was already present on one or more computers inside the network for days, may-be weeks. In other words: the malware could already be snooping all electronic communication inside the organization, including stealing passwords of critical infrastructure, copying confidential documents, social security numbers, passport details, etc. without anyone (or anything) noticing (!)

Not being able to use your computer for a while, while system administrators are shutting them down, cleaning them and bringing them back into the network is very inconvenient. But it is even more worrysome that computers and networks have been infected for a much longer period without anyone noticing.

Parental Controls affect DNSChanger Check-Up Sites

June 29, 2012

The DNSChanger test that Google, Facebook and the many DNS-OK sites perform do not give the correct results when the computer uses a remote web-filter (or web-proxy) from e.g. their Internet access provider.

In order to explain what causes this, we first need to recap a little of what we wrote earlier this week.

In November 2011, after a two-year FBI probe called Operation Ghost Click, six Estonian nationals were arrested on charges of fraud. They infected computers worldwide with malware called DNSChanger. In conjunction with the Estonian police, the FBI seized the servers used by the cybercriminals but were kept online so as to not disrupt the Web activities of those infected. If the FBI had merely shut down the rogue servers, many of those infected wouldn’t have been able to access the Web at all. That means no websites, no e-mail, and no Facebook.

The DNS Changer Working Group (DCWG), that’s been maintaining the FBI servers since their seizure, has created a website http://www.dns-ok.us that allows you to check if your computer is infected. People are encouraged to check their devices by visiting this website to see if their computer is infected. If infected, they’re then directed to information on how to remove the malware.

It is estimated that over half of the users with an infected computer are not English speaking, so Computer Emergency Response Teams (CERTs, aka CSIRTs) active in many countries setup a localized version of the DNS-OK site. Using articles in local newspapers, people were encouraged to check their systems. To reach even more people, Google and Facebook also started notifying victims of the DNSChanger malware.

Millions of Internet users checked their devices using one of the many DNS-OK websites or through Google or Facebook. And with good results: a tremendous amount of devices have been cleaned till date. But still, despite great efforts, around 300,000 devices are still not cleaned. How come? Don’t these people use Google or Facebook?

False sense of security
The DNS test that Google, Facebook and the many DNS-OK sites perform do not give the correct results when the computer uses a remote web-filter (or web-proxy) from e.g. their Internet access provider. While users expect their own DNS settings to be checked, a remote web-filter will cause the DNS-OK website to check the DNS settings of the filter instead. This means that the DNS-OK site will show green even though the user’s computer could still be infected, giving him or her a false sense of security.

Security as a Service
For example, many ADSL Internet contracts include network-based web-filtering services. These remote web-filters act as an intermediary and retrieves and evaluates webpages and downloads before sending it to the computer of the user. This service, also known as Security as a Service (or SaaS), doesn’t involve any software setup or action from the end-user. It limits children from accessing inappropriate content (parental control), controls the download of certain files (e.g. spyware, pirated software) and optionally filters unwanted web advertising from web content. All good news. But on the other hand this filter prevents accurate DNS testing on any of the DNS-OK websites and affects the check performed by Google and Facebook as well.

Figure 1: The DNSChanger Check-Up Site (www.dns-ok.us) says the infected computer is not affected, while in fact it is.

Figure 2: A name lookup reveals the problem. The remote web-filter returns the wrong IP address.

Figure 3: The same infected computer on a connection without remote web-filtering: correct response.

Because the DCWG is unable to count the infected computers that use a network-based security service, the actual amount of infected computers is very likely higher than the current 300,000.

What to do: check again, manually
The Internet provider cannot be blamed for offering Security as a Service. So if you use an “in-the-cloud” remote web-filter, web or DNS-proxy or safe gateway from e.g. your Internet access provider, and you got a green OK on e.g. www.dns-ok.us: your computer might still be infected. So you might want to check out the Fix page over at DCWG again. Because to prevent losing web and/or e-mail access on July 9, you should follow these two steps:

  1. Check your DNS settings manually, because www.dns-ok.us (and other test sites) cannot perform a reliable test in your situation.
  2. Use a second opinion antivirus program to scan your computer for the Alureon rootkit (aka TDSS, Olmarik, TDL4) that distributed the DNSChanger malware. Currently, Alureon ranks #4 on our May 2012 malware prevalence list since it successfully hides from antivirus software since 2009. So checking your computer with your regular antivirus software will not be sufficient.

About the DNSChanger malware
The DNSChanger Trojan changed the DNS settings on the computer, redirecting websites entered by the user to other unsolicited, and potentially illegal sites. If personal information was entered on these websites, it could’ve lead to identity theft.

275,000 computers lose Internet access on July 9

June 27, 2012

On many computers deemed safe and protected by up-to-date antivirus software, the Alureon rootkit is still one of the most prevalent infections that HitmanPro encounters. And over the last few years the Alureon rootkit (aka TDSS, TDL and Olmarik) has evolved and been used for all kinds of different attacks. From drive-by downloads to targeted attacks that aim only a specific group of persons. One of its lesser known jobs was to distribute the DNSChanger Trojan.

Beginning 2007, the DNSChanger Trojan seizes web traffic by changing the DNS (Domain Name System) settings on an infected computer. As a result, victims are diverted to malicious websites instead of the requested website. In other words, once the Trojan has altered the DNS settings, DNS queries will be redirected to the attacker-controlled DNS servers, which forces the user to visit malicious websites where scammers often earned millions of dollars in affiliate and referral fees as well.

On November 8, 2011 the FBI arrested six Estonian nationals who were operating over a hundred malicious DNS servers in data centers in Estonia, New York and Chicago. Along with these arrests, the servers involved with the DNSChanger malware were seized. Since machines with modified DNS settings would be unable to access the Internet once the malicious DNS servers went offline, the FBI obtained a court order that allowed the non-profit Internet Systems Consortium (ISC) to set up alternate DNS servers to temporarily replace the malicious servers. These servers were intended to give people time to clean up the infection. The court order was originally set to expire March 8 this year, but prosecutors filed for an extension because over 400,000 computers still remained infected. The new deadline for getting cleaned up and averting the Internet blackout is now July 9, 2012.

DCWG, Google, Facebook, CloudFlare
To remediate users and help the FBI with the alternate DNS servers, the DNS Changer Working Group (DCWG) was created. The DCWG is an ad hoc group of subject matter experts, and includes members from organizations such as Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham.

To aid the slow remediation rate, Google started notifying affected users in May 2012, showing warnings via a special message that appears at the top of the Google search results page for users with affected devices. Also, 11,000 websites enabled the CloudFlare Visitor DNSChanger Detector which shows infected visitors a warning banner to help them remove the malware and remain online. And this month, Facebook joined Google in warning victims among its 900 million users.

Recover from a DNSChanger infection

The past few months, HitmanPro has helped tens of thousands of people restoring their DNS settings and remove the DNSChanger Trojan and the TDSS rootkit from their computers. As shown in the graph below, the campaigns by Google and Facebook played a significant role in informing users that were infected and pointing them to a solution:

Below, the latest Top 5 DNSChanger Infections by Country (June 11, 2012). Many computers in Italy are still affected by DNSChanger:

Head over to http://www.dns-ok.us and check your Windows and Mac computers for the DNSChanger Trojan. Given that on July 9 you might not get the chance to do this, you should check your computers as soon as possible.