Birthday Reminder Hooks Up DNS and Displays Ads, reports ESET


Even the simplest, most ordinary application may become a tool for an attacker. ESET researchers recently identified one such example: a popular, harmless-looking Birthday Reminder app was abused to hook domain name resolution and serve advertising. Detected by ESET’s telemetry as DNSBirthday, this adware is evenly distributed around the globe, with spikes in the US, Spain, Japan and Italy.

The infected Birthday Reminder works properly and runs in the background as programmed, except that it carries "additional" non-marketable components that hook DNS functions inside web browsers in order to inject ads into web pages. Analyzing this threat, ESET researchers found that all related communications are tied to RQZTech. The attackers behind this project built a hook that redirects lookups to alternate DNS servers whenever the requested domain name is present in the "block list" of the configuration file.

“The authors have put a lot of effort into avoiding being detected,” explains Marc-Étienne M. Leveillé, Senior Malware Researcher at ESET. “The modular architecture of their malware allows updates and the addition of more features or malware, which suggests that we may not have witnessed all the capabilities yet. It’s also interesting to note that the communication to the C&C server is secured by a pinned public key, which prevents eavesdropping of what is happening.”

ESET researchers have already reached out to OVH, the hosting company through which the C&C server and the rogue DNS server communicated; both have been taken down. To avoid these types of threats, investing in a good security solution is recommended, and if possible one that includes a tool for monitoring the security of your router. If you want to know how a DNS attack works in detail, read our awareness article.
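The observable effect of a hook like the one described above is that, for names on the attacker's block list, the browser receives different answers than a trusted resolver would give. The following script is an added example (not ESET's code and not taken from the analysis) showing how a defender can spot that divergence: it compares A-record answers obtained through the host's configured resolver against answers from a trusted reference resolver and reports names whose answer sets do not overlap at all, so that ordinary round-robin or CDN variation is not flagged. The block-list format, the domain names and the addresses (all from documentation ranges) are constructed for the example; the article does not describe the real configuration file beyond the existence of a "block list".

```python
from __future__ import annotations

from collections import defaultdict
from typing import Iterable


def normalize_name(name: str) -> str:
    """Canonical form for comparison: strip whitespace and the trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


def parse_blocklist(text: str) -> set[str]:
    """Parse a one-domain-per-line list; '#' starts a comment.
    Hypothetical format standing in for the adware's configuration file."""
    names: set[str] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            names.add(normalize_name(entry))
    return names


def in_blocklist(name: str, blocklist: set[str]) -> bool:
    """True if the name or any parent domain is listed. Suffix matching is done on
    label boundaries: 'ads.example.net' covers 'tracker.ads.example.net' but
    not 'notads.example.net'."""
    labels = normalize_name(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def group_answers(observations: Iterable[tuple[str, str]]) -> dict[str, set[str]]:
    """Collapse (name, address) pairs into name -> set of A-record addresses."""
    grouped: dict[str, set[str]] = defaultdict(set)
    for name, address in observations:
        grouped[normalize_name(name)].add(address.strip())
    return dict(grouped)


def find_divergent_answers(
    local: dict[str, set[str]], reference: dict[str, set[str]]
) -> dict[str, tuple[set[str], set[str]]]:
    """Report names whose answer sets from the two resolvers are disjoint.
    Overlapping sets are ignored: round-robin and CDN answers legitimately vary
    between queries, so only a complete mismatch suggests redirection."""
    divergent: dict[str, tuple[set[str], set[str]]] = {}
    for name, local_addrs in local.items():
        ref_addrs = reference.get(name)
        if not ref_addrs or not local_addrs:
            continue  # no reference answer for this name; nothing to compare
        if local_addrs.isdisjoint(ref_addrs):
            divergent[name] = (set(local_addrs), set(ref_addrs))
    return divergent


# Constructed sample data: a block list an analyst might have extracted from a
# hypothetical configuration file, plus answers seen through the host's resolver
# and through a trusted reference resolver for the same names.
SAMPLE_BLOCKLIST = """
# domains whose lookups the hook redirects (constructed example)
ads.example.net
Tracker.Example.Org.
"""

LOCAL_OBSERVATIONS = [  # answers received via the host's configured resolver
    ("ads.example.net", "203.0.113.10"),   # redirected to a rogue answer
    ("www.example.com", "192.0.2.1"),
    ("cdn.example.org", "192.0.2.5"),
    ("cdn.example.org", "192.0.2.6"),
]

REFERENCE_OBSERVATIONS = [  # same names, queried directly at a trusted resolver
    ("Ads.Example.NET.", "198.51.100.20"),
    ("www.example.com.", "192.0.2.1"),
    ("cdn.example.org", "192.0.2.6"),     # overlaps with the local set: benign variation
    ("cdn.example.org", "192.0.2.7"),
]


def run_check() -> dict[str, tuple[set[str], set[str], bool]]:
    """Return name -> (local answers, reference answers, listed?) for every
    divergent name, annotating whether the extracted block list explains it."""
    blocklist = parse_blocklist(SAMPLE_BLOCKLIST)
    divergent = find_divergent_answers(
        group_answers(LOCAL_OBSERVATIONS), group_answers(REFERENCE_OBSERVATIONS)
    )
    return {
        name: (local_addrs, ref_addrs, in_blocklist(name, blocklist))
        for name, (local_addrs, ref_addrs) in divergent.items()
    }


if __name__ == "__main__":
    for name, (local_addrs, ref_addrs, listed) in run_check().items():
        tag = "on block list" if listed else "not on block list"
        print(f"{name}: local={sorted(local_addrs)} reference={sorted(ref_addrs)} ({tag})")
```

In a live check the local observations would come from the host's stub resolver (for example `socket.getaddrinfo`) and the reference answers from a trusted resolver queried directly, which needs a DNS client library since the standard library cannot address a specific server; the comparison logic stays the same. A disjoint answer set is a signal to investigate, not proof of tampering, because split-horizon DNS and geo-based CDNs can also produce it.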


The entire analysis, "Birthday Reminder looks benign, but the devil’s in the details: hooks DNS, serves dodgy ads", is now available on welivesecurity.com.


About ESET

Since 1987, ESET® has been developing record award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 200 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.


The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore. ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada) and Moscow (Russia). ESET Middle East has its regional office in Dubai Internet City and manages an extensive partner network in 11 countries: United Arab Emirates, Saudi Arabia, Kuwait, Qatar, Oman, Bahrain, Yemen, Lebanon, Jordan, Egypt and Libya. More information is available via www.eset.com/me