Shopperz adware takes local DNS hijacking to the next level

The program uses multiple ad injection mechanisms to prevent clean-up efforts

New versions of a highly persistent adware program called Shopperz use a cunning technique to make DNS (Domain Name System) hijacking harder to detect and fix.

Shopperz, also known as Groover, injects ads into users' Web traffic through methods researchers consider malicious and deceptive.

In addition to installing extensions in Internet Explorer and Firefox, the program creates Windows services to make it harder for users to remove those add-ons. One service is configured to run even in Safe Mode, a Windows boot option often used to clean malware.

Moreover, Shopperz installs a rogue Layered Service Provider (LSP) in the Windows network stack, which lets it inject ads into Web traffic regardless of the browser used.

Therefore, removing the adware extensions installed in IE or Firefox won't prevent the ad injection, Malwarebytes security researchers said in a blog post Tuesday.

The adware program also uses DNS hijacking, which involves tricking computers into connecting to attacker-controlled servers when users try to reach legitimate websites.

The Domain Name System, the Internet's phone book, is used to translate domain names that humans can easily remember into numerical IP (Internet Protocol) addresses that computers use to communicate with each other.

Computers typically query DNS servers operated by ISPs to resolve host names. However, before doing this, Windows first checks a list of static DNS entries stored in a file called hosts.

If the DNS is a phone book, the Windows hosts file is the equivalent of speed dial, the Malwarebytes researchers said.

Many malicious programs add rogue entries to the hosts file to hijack requests for legitimate websites, so the file is commonly inspected by users or security tools when dealing with malware infections.

To keep their DNS hijacking from being discovered, the Shopperz creators have come up with a cunning technique.

The program leaves intact the real hosts file from the system32\drivers\etc\ folder and creates a copy under a different name inside a directory whose path has the same length in characters as that of the original file.

It then replaces every instance of dnsapi.dll, the system file Windows uses to parse the hosts file, with a modified version that reads the rogue copy instead.

Because the only thing that gets changed in dnsapi.dll is the path to the hosts file, and because both the legitimate path and the new one have the same length, the modified dnsapi.dll file will have the same size as the original one. This is done to trick some security tools that check the size of known system files.
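The following added example (constructed for this page, not code from the article or from Malwarebytes) models the same-length path swap described above and shows why a size-only integrity check passes while a hash comparison does not. The two byte strings are stand-ins for a legitimate and a modified dnsapi.dll; the real DLL's layout is not modelled, and the rogue path is a constructed placeholder chosen only to have the same character count as the legitimate one.

```python
"""Size-only integrity checks versus hash checks for a same-length path swap.

Constructed example: the "DLL" images below are toy byte strings, not real PE
files. Only the property the article describes is reproduced: one embedded
path string is replaced by another of identical length, so the size is unchanged.
"""
import hashlib

LEGIT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
# Constructed rogue location (placeholder); same character count as the real path.
ROGUE_HOSTS_PATH = r"C:\Windows\System32\drivers\xyz\hostz"
assert len(LEGIT_HOSTS_PATH) == len(ROGUE_HOSTS_PATH)


def build_fake_dll(hosts_path: str) -> bytes:
    """Constructed stand-in for a binary that embeds a hosts-file path."""
    header = b"MZ" + b"\x00" * 62            # toy header, not a real PE layout
    body = hosts_path.encode("utf-16-le")     # Windows binaries usually store paths as UTF-16
    padding = b"\x00" * 128
    return header + body + padding


def check_system_file(baseline: bytes, candidate: bytes, expected_path: str) -> dict:
    """Compare a candidate file against a known-good baseline three ways."""
    return {
        # What a naive "is the size still right?" check sees.
        "size_match": len(baseline) == len(candidate),
        # What a content hash (or a signature/catalog check such as SFC) sees.
        "hash_match": hashlib.sha256(baseline).digest() == hashlib.sha256(candidate).digest(),
        # Whether the legitimate hosts path is still referenced at all.
        "expected_path_present": expected_path.encode("utf-16-le") in candidate,
    }


def verdict(result: dict) -> str:
    """Turn the comparison into a one-line finding."""
    if result["hash_match"]:
        return "clean"
    if result["size_match"]:
        return "tampered (size unchanged; only a hash or signature check catches it)"
    return "tampered"


LEGIT_DLL = build_fake_dll(LEGIT_HOSTS_PATH)
MODIFIED_DLL = build_fake_dll(ROGUE_HOSTS_PATH)

if __name__ == "__main__":
    result = check_system_file(LEGIT_DLL, MODIFIED_DLL, LEGIT_HOSTS_PATH)
    for key, value in result.items():
        print(f"{key:>22}: {value}")
    print("verdict:", verdict(result))
```

On a real system the equivalent of the hash comparison is the signature or catalog check performed by SFC, or verifying the file's Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature); a size-only baseline is exactly the check this trick is designed to defeat.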

The rogue hosts file contains DNS entries for www.google-analytics.com, google-analytics.com and connect.facebook.com. These are legitimate Google and Facebook domain names for services used by many websites, but because of the rogue entries, browsers on infected computers are directed to attacker-controlled servers instead. The hijacking gives the adware's creators many opportunities to inject ads into Web pages opened by users.
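As an added example that is not part of the article, the script below parses hosts-file content and flags entries that pin widely used third-party service domains (the three names the article reports) to a routable address rather than the loopback or unspecified addresses a benign hosts entry normally uses. It also includes a small heuristic for recognising hosts-file-shaped content, which is what a responder would apply to files found under unexpected names. The sample file is constructed for this example; its addresses come from the RFC 5737 documentation range and are not real infrastructure.

```python
"""Flag suspicious hosts-file entries and recognise relocated hosts-file copies.

Constructed example. SAMPLE_HOSTS is a made-up file modelled on the article's
description; 203.0.113.0/24 is a documentation range, not real infrastructure.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are what a Shopperz-style rogue copy would add (constructed)
203.0.113.10    www.google-analytics.com
203.0.113.10    google-analytics.com
203.0.113.11    connect.facebook.com   # trailing comment
0.0.0.0         ads.example            # blocklist-style entry, harmless
"""

# The domains the article reports being redirected.
WATCHED_DOMAINS = {"www.google-analytics.com", "google-analytics.com", "connect.facebook.com"}


def _strip_comment(raw: str) -> str:
    return raw.split("#", 1)[0].strip()


def _parse_line(line: str):
    """Return (ip, [hostnames]) for a valid hosts line, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None
    return ip, [name.lower() for name in parts[1:]]


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        parsed = _parse_line(line)
        if parsed is None:
            continue
        ip, names = parsed
        entries.extend((ip, name) for name in names)
    return entries


def is_sinkhole(ip) -> bool:
    """Loopback and unspecified addresses are the normal, benign hosts-file targets."""
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text: str, watched=WATCHED_DOMAINS):
    """Watched domains mapped to a routable address are candidate hijacks."""
    flagged = []
    for ip, name in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        if name in watched or any(name.endswith("." + w) for w in watched):
            flagged.append((name, str(ip)))
    return flagged


def looks_like_hosts_file(data) -> bool:
    """Heuristic: mostly parseable 'ip hostname' lines, at least two of them.

    Useful when hunting for a hosts copy stored under another name, as the
    article describes; accepts bytes or str.
    """
    if isinstance(data, bytes):
        try:
            data = data.decode("utf-8")
        except UnicodeDecodeError:
            return False
    lines = [ln for ln in (_strip_comment(r) for r in data.splitlines()) if ln]
    good = sum(1 for ln in lines if _parse_line(ln) is not None)
    return good >= 2 and good * 2 >= len(lines)


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```

To hunt for a relocated copy, walk the directories of interest with os.walk and apply looks_like_hosts_file to each file's first few kilobytes; the hostname and address check then runs on whatever it finds. Both checks are independent of file size, which is the property this adware relies on to stay hidden.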

The Malwarebytes researchers advise users dealing with a Shopperz infection to use the Windows System File Checker (SFC) tool, which can identify and repair modified system files. The tool must be run from the command line with administrator privileges, following the instructions in this Microsoft knowledge base article.

Stories by Lucian Constantin