Puper (Zlob): What Are the Attackers Targeting?
Wednesday October 31, 2007 at 8:29 pm CST
Posted by Craig Schmugar
On the heels of Allysa’s “Crimeware comes to OS X” post, I thought it’d be a good time to revisit some earlier research on DNS-changing trojans; in particular, trojans authored by the same group behind this Mac malware.
A quick overview of how DNS (Domain Name System) works: when your computer wants to reach a domain on the Web, it needs to translate that domain name into an IP address. It may first check a local cache or the hosts file, but the next step is to query the DNS server configured on your machine. That looks something like this:
Request: Hey SERVER, how do I get to domain.com
Response: Hey CLIENT, go here - 123.123.12.3
DNS changer trojans reconfigure your system’s DNS server setting so that your requests go through a server controlled by the attackers instead:
Request: Hey BAD_SERVER, how do I get to domain.com
Response: Hey CLIENT, go here - 111.222.3.4
Now the expectation is that the attackers who control the rogue DNS server would redirect requests for popular financial sites and other heavily phished sites, like eBay, PayPal, banks, etc. Well, I ran a few thousand requests through rogue DNS servers, focusing on the top websites. To my surprise, only 1 domain was resolving to the wrong address:
adultfriendfinder.com
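The exchange sketched above, as an added example that is not part of the original post: a minimal DNS A-record query builder and reply parser in Python, plus the check the post describes, sending the same names to a trusted resolver and to a suspect one and flagging any name whose two answer sets share no address (a partial overlap is normal for round-robin and CDN-hosted sites). It also checks that a made-up name comes back NXDOMAIN rather than an address, since the post notes later that these trojans steer nonexistent names to landing pages. Only `ask` touches the network (UDP port 53); the demo runs entirely on constructed replies, and every name and address in it is a placeholder from documentation ranges, not a measurement from the post.

```python
import random
import socket
import struct

A_RECORD, CLASS_IN = 1, 1
RCODE_NXDOMAIN = 3


def encode_name(name):
    """'www.domain.com' -> b'\\x03www\\x06domain\\x03com\\x00' (DNS label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid):
    """CLIENT -> SERVER: 'how do I get to <name>?' (one A question, RD set)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, CLASS_IN)


def build_response(qid, name, ips, rcode=0):
    """SERVER -> CLIENT: 'go here - <ip>'. Used to fabricate replies offline."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, RCODE in the low nibble
    header = struct.pack("!HHHHHH", qid, flags, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", A_RECORD, CLASS_IN)
    answers = b""
    for ip in ips:
        # 0xC00C: compression pointer to the name at offset 12 (the question)
        answers += struct.pack("!HHHIH", 0xC00C, A_RECORD, CLASS_IN, 300, 4)
        answers += socket.inet_aton(ip)
    return header + question + answers


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Extract id, rcode and the IN A addresses from a DNS reply."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"id": qid, "rcode": flags & 0x000F, "ips": sorted(ips)}


def ask(server, name, timeout=2.0):
    """Send one query over UDP to <server>:53 and parse the reply (network)."""
    qid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        reply = parse_response(sock.recv(512))
    finally:
        sock.close()
    if reply["id"] != qid:
        raise ValueError("reply id does not match query id")
    return reply


def compare_resolvers(trusted, suspect):
    """Names whose trusted and suspect answers share no address at all."""
    diffs = {}
    for name, good in trusted.items():
        bad = suspect.get(name)
        if bad is not None and not set(good["ips"]) & set(bad["ips"]):
            diffs[name] = (good["ips"], bad["ips"])
    return diffs


def hijacks_nxdomain(reply):
    """A nonexistent name must come back RCODE 3 with no address."""
    return reply["rcode"] != RCODE_NXDOMAIN or bool(reply["ips"])


def demo():
    """Run both checks on constructed replies (placeholder names and IPs)."""
    good = {"example.com": ["192.0.2.10", "192.0.2.11"],
            "bank.example": ["198.51.100.5"],
            "dating.example": ["203.0.113.7"]}
    rogue = {"example.com": ["192.0.2.11"],      # partial overlap: not flagged
             "bank.example": ["198.51.100.5"],   # untouched
             "dating.example": ["203.0.113.99"]}  # rerouted by BAD_SERVER
    trusted = {n: parse_response(build_response(7, n, ips)) for n, ips in good.items()}
    suspect = {n: parse_response(build_response(7, n, ips)) for n, ips in rogue.items()}
    honest = parse_response(build_response(8, "no-such.example", [], RCODE_NXDOMAIN))
    landing = parse_response(build_response(8, "no-such.example", ["203.0.113.250"]))
    return compare_resolvers(trusted, suspect), hijacks_nxdomain(honest), hijacks_nxdomain(landing)
```

To reproduce the post’s experiment live, replace `demo`’s constructed replies with `ask(trusted_ip, name)` and `ask(suspect_ip, name)` over your own list of names; the id check in `ask` matters because a resolver that answers from a script may ignore the query id entirely.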
Adult FriendFinder (and the associated FriendFinder.com, which is also rerouted) claims to have the largest affiliate program on the net, with over 150 million registered users. They pay out for account creations, membership orders, and affiliate referrals. But this statement on FriendFinder’s affiliate page seems more relevant:
“The more traffic you send, the more you earn with our percentage program. You receive a percentage of initial orders and reorders. With the free member sign up bonus, you could be earning more than we do!”
Testing a few thousand domains out of the millions on the web barely scratches the surface, but it does highlight that the top-tier, typically phished sites are not the authors’ targets. Targeting what I call secondary targets (instead of, say, financial institutions) is a growing trend; in general, there is less risk of being prosecuted.
It’s worth mentioning that other behavior was observed from these trojans. Typically they install a rootkit (such as DNSChanger.f), which redirects search results. Other domains can get redirected by the rootkit (irrespective of DNS). Also, non-existent domains (think typo-squatting) may get redirected to domain landing pages by the rootkit or by the rogue DNS server. While I missed the conference, I just noticed that further research on this topic was presented at Virus Bulletin last month.

April 30th, 2008 at 10:08
[...] more information on DNS changing trojans: Puper (Zlob): What Are the Attackers Targeting? [McAfee Avert Labs [...]