Even the simplest, most ordinary application can become a tool for an attacker. ESET researchers recently identified one such example: a popular and harmless-looking Birthday Reminder app that was abused to hook domain name resolution and serve up advertising.
Detected by ESET's telemetry as DNSBirthday, this adware is spread fairly evenly around the globe, with spikes in the US, Spain, Japan and Italy. The infected Birthday Reminder works as advertised and runs in the background as designed, except that it carries "additional", undisclosed components that hook the DNS resolution functions inside web browsers in order to inject ads into web pages.
Analyzing this threat, ESET researchers found that all related communications are tied to RQZTech. The attackers behind this project built a hook that redirects name resolution to alternate, rogue DNS servers whenever the domain being looked up appears in the "block list" of its configuration file.
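The symptom such a hook produces on a host is DNS queries for selected domains leaving for a resolver other than the one the host is configured to use. The following added example (not ESET's code, and not part of the original article) parses DNS query packets in RFC 1035 wire format and flags the ones sent to an unexpected resolver. The resolver addresses and the captured "flows" are constructed for illustration; on a real host they would come from a packet capture or from the browser's network stack.

```python
"""Flag DNS queries leaving a host for a resolver that is not the configured
one, the traffic pattern an ad-injecting DNS hook would produce.
Added example, not ESET's code. Resolver addresses and sample flows are
constructed (RFC 5737 documentation ranges), not observed data."""
import struct


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal standard query: one question, class IN, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def decode_qname(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode an uncompressed QNAME at offset; return (name, next offset)."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in answers, not in a query's QNAME.
            raise ValueError("compression pointer in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(packet: bytes) -> dict:
    """Return txid, QNAME, QTYPE and QCLASS of a single-question DNS query."""
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount != 1:
        raise ValueError(f"unexpected question count {qdcount}")
    name, off = decode_qname(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "qname": name, "qtype": qtype, "qclass": qclass}


def find_redirected(flows, trusted_resolvers):
    """flows: iterable of (dst_ip, dst_port, udp_payload).
    Returns [(qname, dst_ip)] for well-formed queries sent to a resolver
    that is not in trusted_resolvers."""
    hits = []
    for dst_ip, dst_port, payload in flows:
        if dst_port != 53:
            continue
        try:
            q = parse_query(payload)
        except ValueError:
            continue  # malformed or not a query; out of scope for this check
        if dst_ip not in trusted_resolvers:
            hits.append((q["qname"], dst_ip))
    return hits


# Constructed sample traffic: the host is configured to use 192.0.2.53;
# 198.51.100.7 stands in for a rogue resolver the hook redirects to.
TRUSTED = {"192.0.2.53"}
SAMPLE_FLOWS = [
    ("192.0.2.53", 53, build_query(0x1001, "example.com")),
    ("198.51.100.7", 53, build_query(0x1002, "ads.example.net")),
    ("192.0.2.53", 53, build_query(0x1003, "example.org", qtype=28)),
    ("198.51.100.7", 53, build_query(0x1004, "shop.example.com")),
]

if __name__ == "__main__":
    for qname, ip in find_redirected(SAMPLE_FLOWS, TRUSTED):
        print(f"query for {qname} sent to unexpected resolver {ip}")
```

Because the hook described here lives inside the browser process, a check at the socket or packet level is the one that sees the redirected queries; comparing them against the resolver list the operating system was actually configured with is what separates this adware's traffic from legitimate lookups.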
"The authors have put a lot of effort into avoiding being detected," explains Marc-Étienne M. Leveillé, Senior Malware Researcher at ESET. "The modular architecture of their malware allows updates and the addition of more features or malware, which suggests that we may not have witnessed all the capabilities yet. It's also interesting to note that the communication to the C&C server is secured by a pinned public key, which prevents eavesdropping of what is happening."
ESET researchers have reached out to OVH, the hosting provider on whose infrastructure both the C&C server and the rogue DNS server were operating; both have since been taken down.
To avoid these types of threats, investing in a good security solution is recommended, preferably one that includes a tool for monitoring the security of your router. If you want to know how a DNS attack works in detail, read our awareness article.
The entire analysis, "Birthday Reminder looks benign, but the devil's in the details: hooks DNS, serves dodgy ads", is now available on welivesecurity.com.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET's high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single "in-the-wild" malware sample without interruption since 2003. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.