NEWS FROM THE LAB - Wednesday, March 4, 2015

Malicious DNS Servers Deliver Fareit Posted by FSLabs @ 16:04 GMT

Last year we wrote about Fareit being massively spammed.

A couple of months later, they added another means of infecting systems - via malicious DNS servers.

When the DNS server settings has been changed to point to a malicious server used by Fareit, the unsuspecting user visiting common websites gets an alert saying "WARNING! Your Flash Player may be out of date. Please update to continue".

_flash_update_chrome (2k image)

A "Flash Player Pro" download page will be shown pretending to be served from the website that the user is trying to visit.

_setupimg (90k image)

Downloading the "setup.exe" file does not really pull any binary from Google. Instead, the user will end up with a copy of Fareit from a malicious IP. Fareit is an information stealer and downloader.

_urls_1 (72k image)

The recent samples that we've encountered connect and download from:
� angryflo.ru
� reggpower.su

Fareit infections via malicious DNS servers that we have seen were mostly from Poland.

_map (91k image)

From the beginning of the year, we've observed that users were redirected to these IPs:

While here are some of the reported malicious DNS servers:

If you would like to know more about your current DNS server settings, you can try out our beta tool which is available here.

If you've determined that your DNS server settings are affected, we recommend that you try these steps:
� Disconnecting the router from the Internet and resetting it
� Changing the password on the router, especially if it is still the default password
� Disabling remote administration on the router
� Checking and updating the router to use the latest firmware
� Rebooting a desktop system to flush the DNS cache
� Scanning the desktop system using a trusted, up-to-date antivirus program