Our analyst Eric Kumar found this interesting and malicious little mechanism.
The hosts file on a machine under investigation had been modified to redirect the victim's browser to a well-known legitimate site (in this case google.com) whenever the user attempted to contact any of a list of nearly 400 sites. The list was a "Who's Who" of the anti-malware world: most of the places someone with an infected machine would go to get help.
The altered hosts file he found contained many lines beginning with '#' followed by gibberish. These are treated as comments and ignored. Concealed among the commented lines are lines containing the domain name redirections. When the commented lines are stripped, we find all the listed security-related websites being redirected to "126.96.36.199", which is the IP address for google.com.
Some of the sites were:
Sunbelt URLs figure prominently in the list as well:
The "hosts" file is in the \Windows\system32\drivers\etc directory in Win XP, Win7 and Win08 Server, and probably all incarnations of Windows, since browsers are going to look there.
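The following is an added example, not code from the post or from Sunbelt: a small triage script that parses a hosts file the way the resolver does (dropping everything after '#', including the gibberish comment lines described above) and flags non-loopback IPs that either absorb many distinct hostnames or capture known security-vendor domains. The sample hosts file, the watchlist and the threshold are constructed for illustration; only the target IP is taken from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the file described above (not the real file):
# gibberish comment lines interleaved with redirections to a single IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# 8f3k2jd9 sdf9we8r sdkfj sdfk
126.96.36.199   www.sunbeltsoftware.com
# qwpeoiru zxcvmnb  # more noise
126.96.36.199   sunbeltblog.blogspot.com # trailing comment
# a9sdf7a6sdf
126.96.36.199   www.avast.com
::1             localhost
126.96.36.199   www.malwarebytes.org
"""

# Constructed watchlist of help/anti-malware domains; a real one would be far longer.
SECURITY_DOMAINS = {"sunbeltsoftware.com", "malwarebytes.org", "avast.com"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, discarding comments exactly as the resolver does."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # everything after '#' is ignored
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, not a mapping
        for host in fields[1:]:
            yield str(ip), host.lower()

def matches_watchlist(host):
    """True if host is a watchlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)

def find_hijacks(text, min_hosts=3):
    """Return {ip: [hosts]} for non-loopback IPs that capture a watchlisted
    domain or that absorb at least min_hosts distinct hostnames."""
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback or host == "localhost":
            continue
        by_ip[ip].append(host)
    return {ip: hosts for ip, hosts in by_ip.items()
            if len(hosts) >= min_hosts or any(matches_watchlist(h) for h in hosts)}

if __name__ == "__main__":
    for ip, hosts in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{ip} hijacks {len(hosts)} hosts: {', '.join(hosts)}")
```

Pointing it at a live machine's file (read \Windows\system32\drivers\etc\hosts into `find_hijacks`) gives the same grouped view Eric reconstructed by hand.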
Nice work, Eric.
Thanks for the help, Henry.