Website Hijacking Uses Old IP

Wednesday, August 3, 2016 @ 09:08 AM gHale

There is an attack campaign abusing the FreeDNS service to hijack legitimate sites, researchers said.

An investigation started after Sucuri researchers saw hacked websites redirecting their own traffic to one of their subdomains.


The issue was that, despite showing a near-perfect copy of the original site, this subdomain ended up hosted on another server, with the 213.184.126.163 IP address.

Sucuri learned these websites had been registered through NameCheap, a domain name registrar, and were using the company’s FreeDNS service to redirect their domain name queries to the server IP address.

https://blog.sucuri.net/2016/07/fake-freedns-used-to-redirect-traffic-to-malicious-sites.html

The investigators discovered that the FreeDNS name servers associated with each domain had mysterious-looking hostnames, such as “freedns4.registrar-serversjr5115ey.biz,” with other random variations in the domain's ending.

Upon further investigation, Sucuri found these servers were indeed registered and managed by NameCheap, and there was nothing suspicious.

Sucuri kept digging and eventually found what was amiss. Taking advantage of those undecipherable name server hostnames, someone had slipped one entry into the FreeDNS delegation that was not an official FreeDNS name server at all.

This was “freedns1.registrar-serversv67eds0q[.]biz”, a domain name registered just a few days earlier by someone in Shanghai, China. It resolved to 213.184.126.163, the IP address hosting the cloned websites.
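The defensive check this case calls for is an audit of a domain's NS delegation against the name servers and IP ranges the registrar has actually confirmed, flagging look-alike hostnames and known-bad IPs. The example below is added here and is not Sucuri's or NameCheap's code; the confirmed name server, its IP (192.0.2.10) and the sample delegation are constructed, while the rogue hostname and the 213.184.126.163 address come from the article.

```python
from dataclasses import dataclass, field

# Name servers the registrar confirmed as legitimate (hostname from the
# article; the IP is a constructed placeholder from the TEST-NET range).
CONFIRMED_NS = {"freedns4.registrar-serversjr5115ey.biz": {"192.0.2.10"}}
# IPs with a documented bad history (the former Conficker C&C host above).
BAD_IPS = {"213.184.126.163"}

@dataclass
class Finding:
    ns: str
    ip: str
    reasons: list = field(default_factory=list)

def second_level_label(host: str) -> str:
    """Label left of the TLD, e.g. 'registrar-serversv67eds0q' for a .biz
    name. Crude: assumes a single-label public suffix, true for this case."""
    return host.lower().rstrip(".").split(".")[-2]

def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def audit_delegation(ns_records, resolved, confirmed=CONFIRMED_NS, bad_ips=BAD_IPS):
    """Return one Finding per NS record that fails any check."""
    confirmed_ips = set().union(*confirmed.values())
    findings = []
    for raw in ns_records:
        ns = raw.lower().rstrip(".")
        ip = resolved.get(ns, "unresolved")
        f = Finding(ns, ip)
        if ns not in confirmed:
            f.reasons.append("not on registrar-confirmed name server list")
            # A long shared prefix on the second-level label is the tell-tale
            # of a look-alike such as registrar-servers + random suffix.
            for c in confirmed:
                if common_prefix_len(second_level_label(ns), second_level_label(c)) >= 8:
                    f.reasons.append(f"look-alike of confirmed name server {c}")
                    break
        if ip not in confirmed_ips:
            f.reasons.append("resolves outside the registrar's confirmed IP set")
        if ip in bad_ips:
            f.reasons.append("IP has a known malicious history")
        if f.reasons:
            findings.append(f)
    return findings

# Constructed sample delegation: one legitimate entry, one rogue entry.
SAMPLE_NS = ["freedns4.registrar-serversjr5115ey.biz", "freedns1.registrar-serversv67eds0q.biz"]
SAMPLE_RESOLVED = {SAMPLE_NS[0]: "192.0.2.10", SAMPLE_NS[1]: "213.184.126.163"}
```

Run with a live `dig NS` and `dig A` of each name server in place of the constructed sample; any Finding means the delegation needs a look.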

Searching historical records about this IP, researchers found it had been used in the past to host C&C servers for the Conficker malware.

Conficker was one of the most aggressive Windows worms, spreading like wildfire in 2007-2008. A coalition of Microsoft, law enforcement, and ISPs managed to sinkhole the original Conficker botnet and its C&C servers back in 2009 by taking over the domain names used for the C&C servers and pointing them to dead-end IP addresses.

The malware made a comeback in the following years, on a new infrastructure, and is one of today’s most active botnets.

Sucuri learned that someone is recycling the IP address used in the first Conficker outbreak to run other cyber-crime activities.