MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking
In this month’s Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need.
BrowserModifier:Win32/Clodaconas, for instance, displays ads when you’re browsing the internet. It modifies search results pages so that you see unsolicited ads related to your searches.
For example, if you were looking for a gift to give a loved one this holiday season and are searching for “fitness tracker”, your search results page might contain an ad like this:
Figure 1. Ads injected by Clodaconas to search results for “fitness tracker”
It can also add pop-up ads when you’re visiting online retailer websites. For example, if you previously searched for “TV”, and then visited an online shop, the threat may display the following ad:
Figure 2. Pop-up ad injected by Clodaconas to online retailer pages
BrowserModifier:Win32/Clodaconas does this by hijacking your domain name server (DNS) settings.
Injecting ads through DNS hijacking
When you browse the Internet, your PC contacts a DNS server to resolve the domain of the website you’d like to access. The DNS server returns the IP address of the website, which your PC then accesses to get the content to display.
Figure 3. Normal domain name resolution by legitimate DNS servers
BrowserModifier:Win32/Clodaconas compromises this process to inject ads. It modifies DNS settings in your registry so that they point to a rogue DNS server. All DNS queries are therefore redirected to this DNS server, which resolves specific domains to the IP address of another attacker-controlled server.
This results in a man-in-the-middle (MITM) attack. Instead of getting content directly from the server of the website you’re accessing, your PC gets content from the MITM server. It contacts legitimate websites to get the actual content you’re looking for, but modifies it before it is displayed on your browser. This is how the unwanted ads are displayed on your search results pages or on online retail websites.
Figure 4. In DNS hijacking, DNS requests are redirected to a rogue DNS server
This method of injecting ads meets the evaluation criteria that Microsoft Malware Protection Center (MMPC) uses for identifying unwanted software. This threat modifies webpage content without your consent. It also does this without using the browser’s supported extensibility models, hence our classification of this program as unwanted software.
Using rogue root certificate
Many websites use SSL encryption to protect transactions. This mechanism also prevents the modification of content served by websites. Browsers check the validity of a website’s SSL certificate against trusted root certification authorities’ certificates stored on your PC. Browsers show a warning page or icon if a website’s certificate is not trusted.
To avoid triggering this alert, BrowserModifier:Win32/Clodaconas installs a root certificate as a trusted root certification authority. With the rogue root certificate installed, ads can be injected into encrypted content and still appear valid to the browser.
MSRT removes Clodaconas
This month, we’re adding detections for BrowserModifier:Win32/Clodaconas to Microsoft Malicious Software Removal Tool (MSRT). If your PC is infected with this threat, run MSRT to remove all related files and restore all system modifications on your PC.
You may need to clear your browser cache after the threat is removed. The browser might still hold cache of a website you recently visited, so you might still see the ads.
Prevention, detection, and recovery
Stay protected from BrowserModifier:Win32/Clodaconas and other threats:
- Keep your Windows operating system and antivirus up-to-date; if you haven’t already, upgrade to Windows 10.
- Use Microsoft Edge. It can:
- Help warn you about sites that are known to be hosting exploits and other threats
- Help protect you from social engineering attacks such as phishing and malware downloads
- Automatically detect bad changes and protect settings
- Use the Settings app to reset to Microsoft recommended defaults if your default apps were changed.
- Launch the Settings app.
- Navigate to the Default apps page.
- From Home go to System > Default apps.
- Click Reset.
- Ensure your antimalware protection (such as Windows Defender and Microsoft Malicious Software Removal Tool) is up-to-date.
- If you are using Windows Defender, you can check your exclusion settings to see whether the malware added some entries in an attempt to exclude folders from being scanned.
- To check and remove excluded items in Windows Defender:
- Navigate to Settings > Update & security > Windows Defender > Add an exclusion.
- Go through the lists under Files and File locations, select the excluded item that you want to remove, and click Remove.
- Click OK to confirm.
- If you are using Windows Defender, you can check your exclusion settings to see whether the malware added some entries in an attempt to exclude folders from being scanned.
- Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. Go to All settings > Update & security > Windows Defender and make sure that your Cloud-based Protection settings is turned On.
Jody Koo
MMPC