
A potential new type of threat, incredibly difficult to detect, and absolutely vicious

You type in a domain name, say www.wellsfargo.com, in your browser (say Chrome), and a website with broken links, broken images and badly formatted text shows up. When you click on any link, it "redirects" you to what seems to be a true Wells Fargo page. You try with a different browser (say IE), and you experience the same problem. You visit finance.yahoo.com, and you get a 310 error message saying "recursive redirect found on the web page". You do a search on Google to find what the problem might be, and follow instructions to clean the mess, using various regsvr32 commands, but it does not work. When rebooting, the problem still persists, and on reboot, you get an error message saying "Genuine Windows Validation Not Available".

This has all the hallmarks of being infected with a virus, yet the Wells Fargo issue (which concerned me most) is, in my opinion, not a redirect to a Trojan site. Upon further checking, it appeared to be a problem with web site certifications. Note that I also experienced some IP errors, probably arising because of a conflict between wireless and land line Internet connections.

Very interestingly, I've found that "someone" (a virus? my kids?) changed the date on my machine, from September 10, 2011, to October 10, 2011. After fixing this date issue, everything went back to (almost) normal, Wells Fargo and Yahoo Finance working perfectly fine. Note that earlier, I signed in to Wells Fargo with fake login / passwords a few times, because I thought I was the victim of some new type of extremely sophisticated Internet fraud, trying to steal access to my account. Even when I entered the IP address of the Wells Fargo domain (http://151.151.88.144 rather than http://www.wellsfargo.com) in the browser, I had the same problem, until I (manually) fixed the mess.

Now that I've fixed the mess, I believe that it was possibly a virus, but that the (apparently bogus) Wells Fargo web site that I visited was actually entirely genuine, but not properly rendered by IE, Chrome, etc., due to the date on my computer being wrong.

My big question, however, is: could a fraudster manage to install a virus so bad that even if you actually type in the domain name (or its IP address) in Chrome or IE, it redirects to a fake Wells Fargo account, yet the domain name showing up in your browser is still wellsfargo.com, rather than an obvious fake redirect (as is typically the case with current viruses)? That is, could the virus manage to fully hide the fraudulent redirect, by somehow rewriting some parameters in the core of the Windows system?


Comment by Vincent Granville on September 15, 2011 at 11:51pm
Did you check the HTML code of the suspicious Wells Fargo (possible Trojan) web page? Did you find obfuscated JavaScript?
Comment by Davide Imperati on September 13, 2011 at 6:55am

In POSIX systems one can map a set of domain names to IP addresses using yellow pages.

This service is used to map domain names to the IPs of servers in the intranet where a proper DNS is not convenient.

E.g. the localhost is mapped to 127.0.0.1, the printer.secondfloor.com to the address 10.1.1.46, and so on.

This service is used prior to the root DNS service for domain name resolution.

I suppose that a similar service works on Windows machines too, so adding an entry like

www.wellsfargo.com -> xx.xx.xx.xx

where xx.xx.xx.xx is the IP of the mock site.

To do the magic with the IP address one needs to make a deeper action on the core. In POSIX systems there are a couple of places where one can operate, but it requires going deep into the socket, rewriting the behavior for a set of addresses, compiling, installing and restarting the service.

I think it is possible to poison IP resolution on Windows, but it requires installing modified services on the machine.
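The hosts-file mapping described in the comment above is also the first place a defender should audit when a familiar domain renders wrong while the address bar still shows the genuine name. As an added example (not code from the original post or its authors), the Python below parses hosts-file text in the format shared by POSIX (/etc/hosts) and Windows and flags any entry that pins a watched domain to a non-loopback address; the file contents and the 203.0.113.7 address are constructed sample data.

```python
import ipaddress

# Constructed sample of a hosts file (same format on POSIX and Windows).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.1.1.46       printer.secondfloor.com
# the two lines below are constructed examples of poisoned entries
203.0.113.7     www.wellsfargo.com wellsfargo.com
203.0.113.7     finance.yahoo.com
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; skip comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed address, not a usable mapping
        for name in parts[1:]:                # one address may carry several names
            yield ip, name.lower(), line_no


def find_suspicious(text, watch_domains):
    """Return mappings that pin a watched domain (or a subdomain of it) to a
    non-loopback address. Such an entry is consulted before DNS, so the browser
    reaches the mapped address while still displaying the real domain name."""
    watch = {d.lower().lstrip(".") for d in watch_domains}
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if ip.is_loopback or name in LOOPBACK_NAMES:
            continue
        if any(name == d or name.endswith("." + d) for d in watch):
            hits.append({"line": line_no, "host": name, "ip": str(ip)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_HOSTS, ["wellsfargo.com", "yahoo.com"]):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

On a real machine, read the actual hosts file into `text` instead of the sample; an entry for a bank or mail provider pointing anywhere but loopback deserves the same scrutiny as the browser symptoms described in the post.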


© 2017 AnalyticBridge.com is a subsidiary and dedicated channel of Data Science Central LLC