NEWS FROM THE LAB - Wednesday, March 4, 2015

Malicious DNS Servers Deliver Fareit
Posted by FSLabs @ 16:04 GMT

Last year we wrote about Fareit being massively spammed.

A couple of months later, the operators behind Fareit added another means of infecting systems: malicious DNS servers.

When the DNS server settings have been changed to point to a malicious server used by Fareit, an unsuspecting user visiting common websites gets an alert saying "WARNING! Your Flash Player may be out of date. Please update to continue".

[Image: fake Flash Player update warning shown in Chrome]

A "Flash Player Pro" download page is then shown, made to look as if it is served from the website the user was trying to visit.

[Image: fake "Flash Player Pro" download page offering setup.exe]

Although the download link for the "setup.exe" file appears to point at Google, no binary is actually fetched from Google. Instead, the user ends up with a copy of Fareit served from a malicious IP address. Fareit is an information stealer and downloader.

[Image: URLs contacted by the Fareit sample]

The recent samples that we've encountered connect to and download from:
angryflo.ru
reggpower.su
192.163.227.127

Most of the Fareit infections via malicious DNS servers that we have seen were in Poland.

[Image: map of observed infections]

Since the beginning of the year, we've observed users being redirected to these IPs:
31.192.211.50
85.25.213.208
109.235.51.213
108.62.115.162
188.138.41.85

And here are some of the reported malicious DNS servers:
184.107.242.162
184.107.232.162
168.144.134.129

If you would like to know more about your current DNS server settings, you can try out our beta tool, which is available here.

If you've determined that your DNS server settings are affected, we recommend the following steps:
Disconnect the router from the Internet and reset it, then verify that its DNS server settings no longer point to one of the addresses listed above
Change the password on the router, especially if it is still the default password
Disable remote administration on the router
Check for and install the latest firmware for the router
Reboot the desktop system to flush its DNS cache (on Windows, ipconfig /flushdns clears it without a reboot)
Scan the desktop system using a trusted, up-to-date antivirus program
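To make the "check your DNS server settings" step concrete, here is an added example script. It is not F-Secure's beta tool and not code from the original post. It parses a resolv.conf or `ipconfig /all` listing, classifies each configured resolver against the malicious DNS server addresses reported above, and flags lookup answers that land on the redirect or download IPs listed above. The indicator sets are copied from this post; the sample configuration text is constructed, not a real capture; treating a resolver answer that hits one of the redirect IPs as suspicious is this example's own heuristic, not something the post states. A resolver that is a private LAN address (typically the router) means the router's own upstream DNS setting must be inspected, which is why the remediation steps above focus on the router.

```python
"""Check local DNS resolver settings and lookup results against the indicators
listed in the post. Added example: the indicator lists are copied from the post;
the sample configuration text below is constructed, not a real capture."""
import ipaddress
import re
import socket

# Malicious DNS servers reported in the post.
MALICIOUS_DNS_SERVERS = {"184.107.242.162", "184.107.232.162", "168.144.134.129"}
# IPs the post says users were redirected to.
REDIRECT_IPS = {"31.192.211.50", "85.25.213.208", "109.235.51.213",
                "108.62.115.162", "188.138.41.85"}
# Hosts the recent Fareit samples connect to and download from, per the post.
FAREIT_C2 = {"angryflo.ru", "reggpower.su", "192.163.227.127"}


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_resolv_conf(text):
    """Return the nameserver addresses from /etc/resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and _is_ip(parts[1]):
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Return DNS server addresses from `ipconfig /all` output. Windows prints the
    first server on the 'DNS Servers' line and any further servers on indented
    continuation lines that contain only an address."""
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        m = re.match(r"\s+(\S+)\s*$", line) if in_dns_block else None
        if m and _is_ip(m.group(1)):
            servers.append(m.group(1))
            continue
        in_dns_block = False
    return servers


def classify_resolver(addr):
    """'known-bad' if listed in the post, 'local' for a LAN/loopback address
    (usually the router, whose own upstream DNS setting must then be checked),
    'public' otherwise."""
    if addr in MALICIOUS_DNS_SERVERS:
        return "known-bad"
    ip = ipaddress.ip_address(addr)
    if ip.is_private or ip.is_loopback:
        return "local"
    return "public"


def audit_resolvers(resolvers):
    return {r: classify_resolver(r) for r in resolvers}


def flag_answers(answers):
    """Return the resolved addresses that match the post's redirect IPs or the
    Fareit download IP (a heuristic of this example, not the post's)."""
    suspect = REDIRECT_IPS | {a for a in FAREIT_C2 if _is_ip(a)}
    return sorted(a for a in answers if a in suspect)


def check_host(hostname, answers=None):
    """Resolve hostname with the system resolver (unless answers are supplied,
    which keeps the check offline) and flag suspicious results."""
    if answers is None:
        answers = socket.gethostbyname_ex(hostname)[2]
    return flag_answers(answers)


# Constructed sample inputs (not real captures) showing both config formats.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 184.107.242.162
nameserver 8.8.8.8   # comment after entry
search example.local
"""

SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 168.144.134.129
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                          ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        print(name, audit_resolvers(servers))
    # Constructed answer set; use check_host("www.example.com") for a live query.
    print(check_host("www.example.com", answers=["31.192.211.50"]))
```

On a real system, feed `parse_resolv_conf` the contents of /etc/resolv.conf, or `parse_ipconfig` the output of `ipconfig /all`, and treat any "known-bad" result as confirmation that the steps above are needed; a "local" result is not a clean bill of health, because the router it points at may itself be forwarding to one of the listed servers.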