Malware attack via dns surpassed 18,000 domain names
The attackers who hijacked the DNS settings of three web hosters in order to redirect visitors to malware have affected 18,000 domain names, the National Cyber Security Centre estimates. Millions of users may have been infected with malware.

Spokeswoman Mary-Jo van de Velde says the Cyber Security Centre, part of the Dutch government, received a sample of the malware and was able to deduce from it that 18,000 domain names are affected. How the centre's researchers arrive at exactly that figure, Van de Velde does not specify.

On Monday it was already known that all affected sites were hosted by the web hosters Digitalus, VDX and Webstekker, which belong to the same parent company, IT Eternity. Among others, the web shop Conrad and the websites of trade union CNV and DJ Hardwell were hosted at one of those three companies and served malware. It is still possible that other web hosters were affected. "We only know that when a company comes to us, and that is not required," says Van de Velde.

How many internet users fell victim to the malware is hard to say. "But it may well run into millions of people," says Van de Velde. The attackers used the web hosters' logins for the SIDN system that manages the .nl zone to change the DNS settings. The providers' DNS servers were replaced by DNS servers of the attackers, which pointed to pages serving malware. Furthermore, they set the time-to-live of the domains to 24 hours, so that the incorrect referral remained cached in many DNS servers for a long time.
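The mechanism above, a changed NS delegation combined with a long TTL, is something a hoster or domain owner can monitor for. The following Python check is an added example, not part of the original article or of any vendor's guidance; the domain, the nameserver names and the sample records are constructed placeholders, and the TTL threshold is an assumption.

```python
"""Compare a domain's NS delegation with the nameservers it should have,
and flag TTLs long enough to keep a bad delegation cached for hours."""

from dataclasses import dataclass

# Assumed allowlist: the hoster's real nameservers (placeholder names).
EXPECTED_NS = {
    "example-shop.nl": {"ns1.hoster.example", "ns2.hoster.example"},
}
TTL_LIMIT = 3600  # assumed threshold in seconds; the attackers used 86400


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_records(text: str) -> list[Record]:
    """Parse dig-style answer lines: 'name ttl IN type rdata'."""
    recs = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # skip comments and malformed lines
        name, ttl, _, rtype, rdata = parts
        recs.append(Record(name.rstrip(".").lower(), int(ttl),
                           rtype.upper(), rdata.rstrip(".").lower()))
    return recs


def check_delegation(records: list[Record], expected_ns: dict,
                     ttl_limit: int = TTL_LIMIT) -> list[str]:
    """Return human-readable findings; an empty list means all is well."""
    findings = []
    seen: dict[str, set] = {}
    for r in records:
        if r.rtype != "NS":
            continue
        seen.setdefault(r.name, set()).add(r.rdata)
        if r.ttl > ttl_limit:
            findings.append(f"{r.name}: NS TTL {r.ttl}s exceeds {ttl_limit}s")
    for name, expected in expected_ns.items():
        actual = seen.get(name, set())
        if actual - expected:
            findings.append(f"{name}: unexpected nameservers {sorted(actual - expected)}")
        if expected - actual:
            findings.append(f"{name}: expected nameservers missing {sorted(expected - actual)}")
    return findings


# Constructed samples: a hijacked delegation with a 24-hour TTL, and a clean one.
HIJACKED = """
example-shop.nl. 86400 IN NS ns1.rogue.example.
example-shop.nl. 86400 IN NS ns2.rogue.example.
"""
CLEAN = """
example-shop.nl. 3600 IN NS ns1.hoster.example.
example-shop.nl. 3600 IN NS ns2.hoster.example.
"""
```

Feeding the output of a real `dig NS <domain> @<parent-nameserver>` query into `parse_records` lets the same check run against live delegations.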

Last month SIDN's systems were breached and a file containing login data was captured; whether that has anything to do with this attack is not yet clear. The compromised system is not the tool the attackers used to change the DNS settings.

According to security firm Fox-IT, which analysed a sample of the malware, a PDF exploit and a Java exploit were served to visitors. The malware in question, the Andromeda backdoor, communicates via the Tor network to retrieve commands from a command-and-control server. A bitcoin miner may also have been installed, Mark Loman of security firm SurfRight told Tweakers. The browser was also hijacked, although Chrome is said not to be vulnerable to this.

Fox-IT has published instructions for removing the malware; among other things, a registry key and an executable must be deleted. Security researcher Loman, whose company develops security software, says that Hitman Pro also removes the malware. Administrators can block port 52300, which probably prevents the command-and-control server from sending instructions to infected PCs.
