Pharming attacks, in which a user is silently redirected to phishing sites, remain consistently popular. They are carried out primarily by malware of the VKHost, QHost and DNSChanger families. The main targets are social networks, online banking systems and web services of every kind. The following three simple steps will let you quickly establish whether a pharming attack has taken place and neutralize its consequences.
Step 1. Check the contents of the HOSTS file
By default the HOSTS file is located in %SystemRoot%\System32\drivers\etc (on most systems C:\Windows\System32\drivers\etc). It is a plain text file in which each line maps an IP address to one or more host names, and Windows consults it before asking a DNS server, so an entry there silently overrides the real address of a site. For example, the HOSTS file modified by the Trojan.Win32.QHost.mcc malware redirects users of the social networks VKontakte and Odnoklassniki and of the mail services Yandex.Mail and Rambler.Mail to phishing copies of those sites.

To restore normal name resolution, delete every line in the HOSTS file except 127.0.0.1 localhost (on Windows Vista and later even that line is commented out by default, because localhost is resolved by the system itself, so a file containing only comments is also correct). Flushing the resolver cache afterwards (ipconfig /flushdns) makes sure no stale redirect survives. Do not forget to change the passwords for every web service you use whose phishing copy was listed in the modified HOSTS file: if you logged in while the redirect was active, those credentials were typed into the attacker's page.
Step 2. Check the location of the HOSTS file
Modifying the HOSTS file is a widely used malware technique, but such a modification is easy to spot. Looking for ways to hide their actions, attackers started changing the location of the HOSTS file instead. The path is taken from the DataBasePath value under the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters; check not only CurrentControlSet but every ControlSet00N branch under HKLM\SYSTEM, because CurrentControlSet is only a link to one of them and the malware may have written its path into another. For example, Trojan.BAT.Delude.e creates its own HOSTS file in the %Windir%\Help directory and points the registry value at it, and Trojan-Downloader.Win32.Esepor.z sets the HOSTS path to %Windir%\NSDB.

If this value contains a path other than %SystemRoot%\System32\drivers\etc, examine the HOSTS file at that location to find out which sites' passwords need changing. Then restore the standard path and delete the malicious HOSTS file.
Step 3. Check the DNS server settings
Another pharming method is to point the system at DNS servers controlled by the attacker, so that any lookup, not only the names listed in a HOSTS file, can be answered with a phishing address. For example, the Trojan.Win32.DNSChanger.pwf malware replaces the DNS servers configured in the operating system with the attacker's DNS servers by modifying the registry.

To detect this type of pharming attack, run the ipconfig /all command, which prints the settings of every network interface, including the DNS servers each one uses. If you find that a DNS server has been changed, restore the correct values in the TCP/IP properties of the network connection (for example, switch back to obtaining DNS server addresses automatically, or re-enter the servers your provider or administrator actually assigned). An address that merely looks plausible proves nothing on its own; compare it with what the network is supposed to hand out.
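The three checks above can be run in one pass. The script below is an added example written for this page, not the article's or any vendor's tool; it assumes an elevated PowerShell prompt on Windows 7 or later, and it only reports findings, leaving the cleanup to you. It reads DataBasePath from every control set, parses the HOSTS file at the path the running system actually uses, and lists the DNS servers per interface by reading the NameServer (static) and DhcpNameServer (DHCP-assigned) values under the Tcpip\Parameters\Interfaces keys, which is where ipconfig /all gets them and where DNSChanger-style malware writes.

```powershell
# Added example (not from the original article): one-shot triage for the three
# checks. Assumptions: elevated PowerShell on Windows 7 or later; nothing is
# changed automatically, every finding is printed for a human to act on.

$defaultDbPath = Join-Path $env:SystemRoot 'System32\drivers\etc'

# ---- Step 2: where does TCP/IP believe the HOSTS file is? Check every control
# set, because CurrentControlSet is only a link to one ControlSet00N and malware
# may have written its path into another one.
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' }
foreach ($cs in $controlSets) {
    $paramsKey = "$($cs.PSPath)\Services\Tcpip\Parameters"
    $raw = (Get-ItemProperty -Path $paramsKey -Name DataBasePath -ErrorAction SilentlyContinue).DataBasePath
    $expanded = [Environment]::ExpandEnvironmentVariables("$raw").TrimEnd('\')
    if ($expanded -ieq $defaultDbPath) {
        Write-Host "[$($cs.PSChildName)] DataBasePath OK: $raw"
    } else {
        Write-Warning "[$($cs.PSChildName)] DataBasePath is '$raw' (expected '$defaultDbPath'): inspect the HOSTS file there, then restore the default path"
    }
}

# ---- Step 1: parse the HOSTS file at the path the running system actually uses.
# Each non-comment line is "<ip> <name> [<name> ...]". Anything that is not the
# loopback address, or that maps a name other than localhost, is printed for
# review; legitimate local entries show up too, so read the list, do not count it.
$livePath  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name DataBasePath).DataBasePath
$hostsFile = Join-Path ([Environment]::ExpandEnvironmentVariables($livePath)) 'hosts'
Write-Host "Checking $hostsFile"
foreach ($line in (Get-Content -Path $hostsFile -ErrorAction Stop)) {
    $entry = ($line -split '#', 2)[0].Trim()      # strip trailing comments
    if (-not $entry) { continue }
    $fields = $entry -split '\s+'
    if ($fields.Count -lt 2) { continue }        # malformed line, resolves nothing
    $ip    = $fields[0]
    $names = $fields[1..($fields.Count - 1)]
    $isLoopback = ($ip -eq '127.0.0.1') -or ($ip -eq '::1')
    $nonLocal   = @($names | Where-Object { $_ -notmatch '^localhost(\.localdomain)?$' })
    if (-not $isLoopback -or $nonLocal.Count -gt 0) {
        Write-Warning "HOSTS redirect: $ip -> $($names -join ', ') (change passwords for these services if you logged in recently)"
    }
}

# ---- Step 3: DNS servers per interface. A non-empty NameServer value means
# static servers were configured on that interface, which is what DNSChanger-
# style malware does; DHCP-assigned servers are kept in DhcpNameServer instead.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($iface in Get-ChildItem $ifRoot) {
    $p = Get-ItemProperty -Path $iface.PSPath
    if ($p.NameServer) {
        Write-Warning "Interface $($iface.PSChildName): static DNS = $($p.NameServer)"
    } elseif ($p.DhcpNameServer) {
        Write-Host "Interface $($iface.PSChildName): DHCP DNS = $($p.DhcpNameServer)"
    }
}
# The global value applies to interfaces that have none of their own.
$globalNs = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').NameServer
if ($globalNs) { Write-Warning "Global static DNS (Tcpip\Parameters\NameServer) = $globalNs" }

# After cleaning HOSTS or DNS settings, drop the resolver cache so no stale
# redirect survives:  ipconfig /flushdns
```

Every warning the script prints is a lead, not a verdict: a static DNS server set by your administrator is as legitimate as a DHCP-assigned one, and a developer's 127.0.0.1 entry for a test site is not a redirect. The value is that the script reads the same registry values the system does, so a HOSTS file hidden behind a changed DataBasePath or a single interface with rewritten DNS servers cannot slip past a glance at the default directory.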
Instead of a conclusion
It is worth noting that even users with no malicious software on their machines can become victims of pharming attacks. How this is possible, and other features of pharming attacks, are covered in the 6th issue of the AV-School Security Bulletin:
- what pharming methods exist;
- which malware carries them out, and how;
- how to detect pharming attacks at an early stage using Firefox plug-ins and AVZ.
The bulletin can be read here, either as PDF or as XPS.