Birthday Reminder Hooks Up DNS and Displays Ads, reports ESET
Created: 2017-06-22 07:55:04
Even the simplest, most ordinary application may become a tool for an attacker. ESET researchers recently identified one such example: a popular, harmless-looking Birthday Reminder app that was abused to hook domain name resolution and serve up advertising.
Detected by ESET's telemetry as DNSBirthday, this adware is distributed evenly around the globe, with spikes in the US, Spain, Japan and Italy. The infected Birthday Reminder works properly and runs in the background as programmed, except that it carries "additional", unadvertised components that hook DNS functions inside web browsers in order to inject ads into webpages.
Analyzing this threat, ESET researchers found that all related communications are tied to RQZTech. The attackers behind this project have built a hook that redirects resolution to alternate DNS servers whenever the requested domain name appears in the "block list" of the configuration file.
"The authors have put a lot of effort into avoiding being detected," explains Marc-Étienne M. Léveillé, Senior Malware Researcher at ESET. "The modular architecture of their malware allows updates and the addition of more features or malware, which suggests that we may not have witnessed all the capabilities yet. It's also interesting to note that the communication to the C&C server is secured by a pinned public key, which prevents eavesdropping of what is happening."
ESET researchers have already reached out to OVH, the hosting company on whose infrastructure the C&C server and the rogue DNS server were operating; both have been taken down.
To avoid these types of threats, investing in a good security solution is recommended, ideally one that includes a tool for monitoring the security of your router. If you want to know how a DNS attack works in detail, read our awareness article.
The full analysis, "Birthday Reminder looks benign, but the devil's in the details: hooks DNS, serves dodgy ads", is now available on welivesecurity.com.
About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company has continued to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100" Awards, and has never missed a single "In-the-Wild" worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.
ESET recently updated its two-factor authentication (2FA) application, adding secure validation to weak and static user passwords. This updated version of ESET's 2FA application provides flexibility and deeper integration of 2FA into bespoke applications, making it a highly cost-effective solution for SMBs everywhere.
The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore, and offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada) and Moscow (Russia), and an extensive partner network in more than 180 countries. For more information visit https://eset.version-2.sg/ or follow us on Facebook.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network and media products. Through an extensive network of channels, points of sale, resellers and partner companies, Version 2 Limited offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum, including Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
For more information, please visit www.version-2.com.sg or call (65) 6296-4268.