New versions of a highly persistent adware program called Shopperz use a cunning technique to make DNS (Domain Name System) hijacking harder to detect and fix.
Shopperz, also known as Groover, injects ads into users’ Web traffic through methods researchers consider malicious and deceptive.
In addition to installing extensions in Internet Explorer and Firefox, the program creates Windows services to make it harder for users to remove those add-ons. One service is configured to run even in Safe Mode, a Windows boot option often used to clean malware.
Moreover, Shopperz creates a rogue Layered Service Provider (LSP) in Windows’s network stack that allows it to inject ads into Web traffic regardless of the browser used.
Therefore, removing the adware extensions installed in IE or Firefox won’t prevent the ad injection, Malwarebytes security researchers said in a blog post Tuesday.
The adware program also uses DNS hijacking, which involves tricking computers to access servers controlled by attackers when users try to access legitimate websites.
The Domain Name System, the Internet’s phone book, is used to translate domain names that humans can easily remember into numerical IP (Internet Protocol) addresses that computers use to communicate with each other.
Computers typically query DNS servers operated by ISPs to resolve host names. However, before doing this, Windows first checks a list of static DNS entries stored in a file called hosts.
If the DNS is a phone book, the Windows hosts file is the equivalent of speed dial, the Malwarebytes researchers said.
Many malicious programs add rogue entries to the hosts file to hijack requests for legitimate websites, so the file is commonly inspected by users or security tools when dealing with malware infections.
To avoid their DNS hijacking activity from being discovered, the Shopperz creators have come up with a cunning technique.
The program leaves intact the real hosts file from the system32\drivers\etc\ folder and creates a copy under a different name inside a directory whose path has the same length in characters as that of the original file.
It then replaces all instances of a system file called dnsapi.dll that’s used by Windows to parse the hosts file with one that has been modified to use the rogue copy.
Because the only thing that gets changed in dnsapi.dll is the path to the hosts file, and because both the legitimate path and the new one have the same length, the modified dnsapi.dll file will have the same size as the original one. This is done to trick some security tools that check the size of known system files.
The rogue hosts file contains DNS entries for www.google-analytics.com, google-analytics.com and connect.facebook.com. These are legitimate Google and Facebook domain names for services used by many websites, but due to the rogue DNS entries, the browsers on infected computers are directed to attacker-controlled servers instead. The hijacking gives creators many opportunities to inject ads into Web pages opened by users.
The Malwarebytes researchers advise users dealing with a Shopperz infection to use the Windows System File Checker (SFC) tool which can identify and repair modified system files. The tool must be run from the command line with administrator privileges by following instructions in this Microsoft knowledge base article.