{"id":6343,"date":"2017-01-23T15:50:28","date_gmt":"2017-01-23T23:50:28","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-181\/"},"modified":"2017-01-23T15:50:28","modified_gmt":"2017-01-23T23:50:28","slug":"news-181","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-181\/","title":{"rendered":"MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking"},"content":{"rendered":"

In this month\u2019s <\/span>Microsoft Malicious Software Removal Tool<\/span><\/span><\/a><\/span> (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need.<\/span><\/p>\n

BrowserModifier:Win32\/Clodaconas<\/span><\/a>, for instance, displays ads when you\u2019re browsing the internet. It modifies search results pages so that you see unsolicited ads related to your searches.<\/span><\/span><\/p>\n

For example, if you were looking for a gift to give a loved one this holiday season and are searching for \u201cfitness tracker\u201d, your search results page might contain an ad like this:<\/span><\/span><\/p>\n

\"Screenshot<\/p>\n

Figure 1. Ads injected by Clodaconas to search results for \u201cfitness tracker\u201d<\/span><\/span><\/i><\/p>\n

It can also add pop-up ads when you\u2019re visiting online retailer websites. For example, if you previously searched for \u201cTV\u201d, and then visited an online shop, the threat may display the following ad: <\/span><\/span><\/p>\n

\"Screenshot<\/p>\n

Figure 2. Pop-up ad injected by Clodaconas to online retailer pages<\/span><\/span><\/i><\/p>\n

\u00a0<\/span><\/p>\n

BrowserModifier:Win32\/Clodaconas<\/span><\/a> does this by hijacking your domain name server (DNS) settings.<\/span><\/span><\/p>\n

Injecting ads through DNS hijacking <\/span><\/span><\/h1>\n

When you browse the Internet, your PC contacts a DNS server to resolve the domain of the website you\u2019d like to access. The DNS server returns the IP address of the website, which your PC then accesses to get the content to display.<\/span><\/span><\/p>\n

\"Diagram<\/span><\/p>\n

Figure 3. Normal domain name resolution by legitimate DNS servers <\/span><\/span><\/i><\/p>\n

BrowserModifier:Win32\/Clodaconas<\/span><\/a> compromises this process to inject ads. It modifies DNS settings in your registry so that they point to a rogue DNS server. All DNS queries are therefore redirected to this DNS server, which resolves specific domains to the IP address of another attacker-controlled server.<\/span><\/span><\/p>\n

This results in a man-in-the-middle (MITM) attack. Instead of getting content directly from the server of the website you\u2019re accessing, your PC gets content from the MITM server. It contacts legitimate websites to get the actual content you\u2019re looking for, but modifies it before it is displayed on your browser. This is how the unwanted ads are displayed on your search results pages or on online retail websites.<\/span><\/span><\/p>\n

\"Diagram\u00a0<\/span><\/span><\/span><\/p>\n

Figure 4. In DNS hijacking, DNS requests are redirected to a rogue DNS server<\/span><\/span><\/i><\/p>\n

This method of injecting ads meets the <\/span>evaluation criteria<\/span><\/a> that Microsoft Malware Protection Center (MMPC) uses for identifying unwanted software. This threat modifies webpage content without your consent. It also does this without using the browser’s <\/span>supported extensibility models<\/span><\/a>, hence our classification of this program as unwanted software.<\/span><\/span><\/p>\n

Using rogue root certificate<\/span><\/span><\/h2>\n

Many websites use SSL encryption to protect transactions. This mechanism also prevents the modification of content served by websites. Browsers check the validity of a website\u2019s SSL certificate against trusted root certification authorities\u2019 certificates stored on your PC. Browsers show a warning page or icon if a website\u2019s certificate is not trusted.<\/span><\/span><\/p>\n

To avoid triggering this alert, <\/span>BrowserModifier:Win32\/Clodaconas<\/span><\/a> installs a root certificate as a trusted root certification authority. With the rogue root certificate installed, ads can be injected into encrypted content and still appear valid to the browser.<\/span><\/span><\/p>\n

MSRT removes <\/span>Clodaconas<\/span><\/a><\/span><\/h2>\n

This month, we\u2019re adding detections for <\/span>BrowserModifier:Win32\/Clodaconas<\/span><\/a> to <\/span>Microsoft Malicious Software Removal Tool<\/span><\/span><\/a><\/span> (MSRT). If your PC is infected with this threat, run MSRT to remove all related files and restore all system modifications on your PC. <\/span><\/p>\n

You may need to clear your browser cache after the threat is removed. The browser might still hold cache of a website you recently visited, so you might still see the ads.<\/span><\/span><\/p>\n

Prevention, detection, and recovery<\/span><\/span><\/h2>\n

Stay protected from <\/span>BrowserModifier:Win32\/Clodaconas<\/span><\/span><\/a><\/span> and other threats:<\/span><\/p>\n