Website Hijacking Uses Old IP
Wednesday, August 3, 2016 @ 09:08 AM gHale
There is an attack campaign abusing the FreeDNS service to hijack legitimate sites, researchers said.
An investigation started after Sucuri researchers saw hacked websites redirecting their own traffic to one of their subdomains.
The issue was that, despite showing a near-perfect copy of the original site, this subdomain was hosted on a different server, at the IP address 220.127.116.11.
Sucuri learned these websites had been registered through NameCheap, a domain name registrar, and were using the company’s FreeDNS service to resolve their domain names to the server’s IP address.
The investigators discovered that the FreeDNS name server entries associated with each domain contained some mysterious-looking hostnames, such as “freedns4.registrar-serversjr5115ey.biz,” with other random variations of the domain’s ending.
Upon further investigation, Sucuri found these servers were indeed registered and managed by NameCheap, and there was nothing suspicious.
But remaining vigilant, Sucuri eventually found something was amiss. Taking advantage of the hard-to-read name server hostnames, someone had managed to contaminate the FreeDNS entries with one entry that was not an official FreeDNS name server.
This was “freedns1.registrar-serversv67eds0q[.]biz”, a domain name registered just a few days earlier by someone from Shanghai, China, which resolved to 18.104.22.168, the address hosting the cloned websites.
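As an added example (not code from Sucuri, NameCheap or the article), this is the name server audit a site owner could run against their zone’s NS set: it compares each delegated name server against an exact allowlist and separately flags the entries that merely imitate the provider’s naming pattern, which is what let the rogue entry blend in. The rogue hostname and the freedns4 entry are taken from the article; the other allowlisted names, the observed NS answer and the uniform-resolver assumption are constructed for the example.

```python
"""Audit a domain's delegated name-server (NS) set for rogue entries."""
import re

# Exact allowlist of the provider's name servers. Because the legitimate
# hostnames carry random endings, pattern matching cannot tell a real entry
# from a lookalike; only an exact, separately verified list can.
ALLOWLISTED_NS = {
    "freedns1.registrar-serversjr5115ey.biz",   # constructed
    "freedns2.registrar-serversjr5115ey.biz",   # constructed
    "freedns3.registrar-serversjr5115ey.biz",   # constructed
    "freedns4.registrar-serversjr5115ey.biz",   # named in the article
}

# Constructed NS answer for a hijacked zone: the legitimate servers plus
# the rogue one named in the article (trailing dots as zone data has them).
OBSERVED_NS = [
    "freedns1.registrar-serversjr5115ey.biz.",
    "freedns2.registrar-serversjr5115ey.biz.",
    "freedns3.registrar-serversjr5115ey.biz.",
    "freedns4.registrar-serversjr5115ey.biz.",
    "freedns1.registrar-serversv67eds0q.biz.",
]

# Shape of the provider's naming scheme: "freednsN.registrar-servers<random>.biz"
LOOKALIKE = re.compile(r"^freedns\d+\.registrar-servers[a-z0-9]+\.biz$")


def normalise(name: str) -> str:
    """Lower-case the hostname and drop the trailing dot zone data often carries."""
    return name.lower().rstrip(".")


def audit_ns_set(observed, allowlist=ALLOWLISTED_NS):
    """Return (rogue, lookalike).

    rogue: every observed NS hostname not on the exact allowlist.
    lookalike: the subset of rogue entries that mimic the provider's naming
    scheme, i.e. the ones a human eyeballing the list is likely to miss.
    """
    rogue = [normalise(n) for n in observed if normalise(n) not in allowlist]
    lookalike = [n for n in rogue if LOOKALIKE.match(n)]
    return rogue, lookalike


def exposed_share(observed, allowlist=ALLOWLISTED_NS) -> float:
    """Rough share of lookups answered by a rogue server, assuming (a
    simplification) that resolvers pick among the NS set uniformly."""
    rogue, _ = audit_ns_set(observed, allowlist)
    return len(rogue) / len(observed) if observed else 0.0
```

Any non-empty lookalike list means the zone’s delegation has been tampered with, and the rogue server can answer for any name in the zone, not just the subdomain the redirect happened to point at.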
Searching historical records about this IP, researchers found it had been used in the past to host C&C servers for the Conficker malware.
This was one of the most aggressive Windows worms, which spread like wildfire in 2007-2008. A team of Microsoft, law enforcement, and ISPs managed to sinkhole the original Conficker botnet and its C&C servers back in 2009, by taking over the domain names used for the C&C servers and pointing them to dead-end IP addresses.
The malware made a comeback in the following years, on a new infrastructure, and is one of today’s most active botnets.
Sucuri learned someone is recycling the original IP address used during the first Conficker outbreak to run other cyber-crime activities.