The IP of the Long Gone Conficker Malware Spotted in Website Hijacking Campaign

After researchers from Sucuri Security decided to investigate a set of hacked websites, they discovered a campaign that was abusing the FreeDNS service to hijack legitimate webpages. More surprising still, the campaign was somehow connected to an IP address used by the old Conficker C&C servers, which have not been seen in use since 2009.

Sucuri started the investigation after noticing hacked websites redirecting their own traffic to one of their subdomains (www.site.com —> ww2.site.com). Although the website the redirection led to was an almost perfect imitation of the original, the issue that raised questions was that the subdomain was hosted on a different server, with the IP address 213.184.126.163.

As it turned out, all of the hijacked websites had been registered and managed through the domain name registrar NameCheap. They were using the company's FreeDNS service to point their domain name queries to the IP address of the server on which the site was hosted.

Shortly afterwards, the researchers came across some very strange-looking entries, such as “freedns4.registrar-serversjr5115ey.biz”, among the FreeDNS servers. Each of these entries had a very unusual ending to its hostname. After confirming that the servers were in fact managed by NameCheap, the only thing that still looked suspicious was the use of such a random naming scheme.

Eventually, the Sucuri team found something to justify their doubts. They discovered that someone had slipped an entry that was not an official FreeDNS server in among the legitimate FreeDNS entries, taking advantage of the hard-to-read hostnames to make it blend in.

This unofficial entry was “freedns1.registrar-serversv67eds0q[.]biz”, and it had been registered by a person from China just a few days earlier. It was found to lead straight back to the 213.184.126.163 IP address, where the copies of all the websites were also hosted.

After a deeper investigation of the IP address, the experts discovered that in the past it had hosted other C&C servers, including acawarkfegq[.]info, ahpamj[.]org and amfcsbetu[.]info, for the Conficker malware campaign.

In 2007-2008 a lot of damage was caused by Conficker, which was one of the most dangerous Windows worms at the time. It was eventually stopped in 2009 by a coalition of Microsoft, law enforcement and ISPs, who did so by pointing the domain names used for the C&C servers at dead-end IPs.

Unfortunately, the malware has recently returned with an improved infrastructure and is currently being used for other cybercrimes.

“At this point it’s not clear what happened. Either someone hacked into the domain name registrar accounts and changed the name servers or someone compromised FreeDNS service and replaced one of their name servers,” Sucuri’s analyst Denis Sinegubko explains. “Our bet is on the first option since it’s more likely to happen. Users often use simple passwords or reuse them for their online accounts. Taking into account that there’s no worldwide epidemic of compromised FreeDNS websites, this looks like isolated hacks due to an improper password policy for domain name registrar profiles that allowed hackers to take over the account and modify the DNS servers with their malicious entry.”

All web admins are strongly advised to check their DNS records on a regular basis, to be sure that their visitors are being directed to their actual website and not to a copycat of it.
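One way to turn that advice into a routine check, as an added example that is not part of the article and not Sucuri's tooling: record the NS servers and host-to-IP mappings shown in the registrar panel as a baseline, then compare each day's observed records against it. The script below runs offline on constructed sample records; the legitimate name server names other than the one quoted in the article, the `site.com` hostnames and the `203.0.113.10` address are placeholders, while `213.184.126.163` and the rogue `freedns1.registrar-serversv67eds0q.biz` entry come from the article. In practice the observed values would be fetched with `dig` or a resolver library.

```python
"""DNS hijack audit (added example, not the article's or Sucuri's code).

Flags the two symptoms the article describes: a name server that is not
in the registrar baseline, and a host resolving to a server we do not own.
"""
from dataclasses import dataclass


@dataclass
class Baseline:
    """What the administrator recorded from the registrar panel."""
    nameservers: set   # exact NS hostnames
    hosts: dict        # hostname -> expected IP address


@dataclass
class Finding:
    kind: str
    detail: str


def _norm(name):
    """Normalise a DNS name: strip the trailing dot, lower-case."""
    return name.rstrip(".").lower()


def audit_dns(observed_ns, observed_a, baseline):
    """Return a list of Findings; an empty list means the records match the baseline."""
    findings = []
    observed = {_norm(ns) for ns in observed_ns}
    expected = {_norm(ns) for ns in baseline.nameservers}
    # An extra NS entry is exactly how the hijack in the article was carried out.
    for ns in sorted(observed - expected):
        findings.append(Finding("rogue_nameserver", f"NS {ns} is not in the baseline"))
    for ns in sorted(expected - observed):
        findings.append(Finding("missing_nameserver", f"expected NS {ns} is missing"))
    # Each provisioned host must still resolve to the server we run.
    for host, ip in baseline.hosts.items():
        got = observed_a.get(host)
        if got is None:
            findings.append(Finding("missing_host", f"{host} did not resolve"))
        elif got != ip:
            findings.append(Finding("unexpected_ip", f"{host} resolves to {got}, expected {ip}"))
    # A host we never provisioned (the ww2 copy in the article) is also a red flag.
    for host, ip in observed_a.items():
        if host not in baseline.hosts:
            findings.append(Finding("unknown_host", f"{host} -> {ip} is not in the baseline"))
    return findings


# Constructed sample baseline: one NS name is quoted in the article, the rest are placeholders.
SAMPLE_BASELINE = Baseline(
    nameservers={
        "freedns4.registrar-serversjr5115ey.biz",
        "freedns2.registrar-servers-placeholder.biz",
    },
    hosts={"www.site.com": "203.0.113.10"},
)

# Constructed observations for a healthy day.
CLEAN_NS = ["freedns4.registrar-serversjr5115ey.biz.", "freedns2.registrar-servers-placeholder.biz."]
CLEAN_A = {"www.site.com": "203.0.113.10"}

# Constructed observations mirroring the hijack in the article: a rogue NS entry
# appears, and a ww2 copy of the site is served from the suspicious IP.
HIJACKED_NS = CLEAN_NS + ["freedns1.registrar-serversv67eds0q.biz."]
HIJACKED_A = {"www.site.com": "203.0.113.10", "ww2.site.com": "213.184.126.163"}


def run_sample():
    """Audit the constructed hijacked observations against the sample baseline."""
    return audit_dns(HIJACKED_NS, HIJACKED_A, SAMPLE_BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind}: {f.detail}")
```

Run from cron against the live records and alert on any non-empty result; the clean-day observations produce no findings, while the hijacked set reports the rogue name server and the unprovisioned `ww2` host.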
