A new cyber attack is hijacking routers' DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is actually the Oski information-stealing malware.
For the past five days, people have been reporting their web browser would open on its own and display a message prompting them to download a 'COVID-19 Inform App' that was allegedly from the World Health Organization (WHO).
After further research, it was determined that these alerts were caused by an attack that changed the DNS servers configured on their home Linksys, and possibly D-Link [1], routers to DNS servers operated by the attackers.
As most computers use the IP address and DNS information handed out by their router, the malicious DNS servers were able to redirect victims to content under the attackers' control.
Hijack Windows NCSI active probes
At this time, it is not known how the attackers are gaining access to the routers to change their DNS configuration, but some users state that they had remote access to the router enabled with a weak admin password.
Once the attackers gained access to the router, they changed the configured DNS servers to 109.234.35.230 and 94.103.82.249, which would then also be handed out to most computers that connect to the router.
When a computer connects to a network, Windows uses a feature called 'Network Connectivity Status Indicator (NCSI)' that periodically runs probes to check whether the computer is actively connected to the Internet.
In Windows 10, one of these active probes connects to http://www.msftconnecttest.com/connecttest.txt and checks whether the returned content contains the string 'Microsoft Connect Test'.
If it does, the computer is considered connected to the Internet; if it does not, Windows warns that the Internet is not accessible.
For victims of this attack, when Windows performs this NCSI active probe, the malicious DNS servers send it to a web site at 176.113.81.159 instead of the legitimate Microsoft IP address 13.107.4.52.
As this IP address is under the attackers' control, instead of sending back a simple text file it displays a page prompting the victim to download and install a fake 'Emergency - COVID-19 Informator' or 'COVID-19 Inform App' from the WHO, as shown below.
If a user downloads and installs the application, instead of receiving a COVID-19 information application they will have the Oski information-stealing Trojan installed on their computer.
When launched, this malware will attempt to steal the following information from the victim's computer:
- browser cookies
- browser history
- browser payment information
- saved login credentials
- cryptocurrency wallets
- text files
- browser form autofill information
- Authy 2FA authenticator databases
- a screenshot of your desktop at the time of infection, and more.
This information is then uploaded to a remote server so that the attackers can collect it and use it to perform further attacks on your online accounts.
This could include stealing money from bank accounts, identity theft, or further spear-phishing attacks.
What you should do if affected by this attack
If your browser is randomly opening to a page promoting a COVID-19 information app, then you need to log in to your router and make sure it is configured to automatically receive its DNS servers from your ISP.
As every router has a different way of configuring DNS servers, it is not possible to give a specific method on how to do this.
In general, you will want to follow these steps:
- Log in to your router
- Find the DNS settings and make sure there are no servers, especially 109.234.35.230 and 94.103.82.249, manually configured. If there are, set the DNS servers setting to 'Automatic' or 'ISP assigned'.
- Then save your configuration.
You should now be able to reboot your mobile devices, game consoles, and computers so that they use the correct DNS settings from your ISP.
As people report that they believe their settings were changed because remote administration was enabled with a weak password, it is important to change the router's password to something stronger and to disable remote administration on the router.
Finally, if you downloaded and installed the COVID-19 app, you should immediately perform a scan on your computer for malware.
Once clean, you should change all of the passwords for sites whose credentials are saved in your browser and you should change the passwords for any site that you visited since being infected.
When resetting your passwords, be sure to use a unique password at every site.
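As an added example (not from the article or BleepingComputer), the following Python script applies the two checks described above on a Windows host: it parses the resolvers out of `ipconfig /all` output and flags the two attacker servers, and it classifies an NCSI probe result the way Windows does, treating a landing on 176.113.81.159, or any body other than 'Microsoft Connect Test', as a hijack or interception. The ipconfig text is a constructed sample, the indicator IPs are taken from the article, and `live_probe()` is assumed to be run on the suspect machine with network access.

```python
import re
import socket
import urllib.request

# Indicators reported in the article above.
ROGUE_DNS = {"109.234.35.230", "94.103.82.249"}  # attacker-operated resolvers
ROGUE_PROBE_IP = "176.113.81.159"                 # where the hijacked NCSI probe lands
NCSI_HOST = "www.msftconnecttest.com"
NCSI_EXPECTED = "Microsoft Connect Test"          # the genuine connecttest.txt holds only this
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample of `ipconfig /all` output from a hijacked host (not a real capture).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 109.234.35.230
                                       94.103.82.249
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def parse_dns_servers(ipconfig_text):
    """List the IPv4 DNS servers in `ipconfig /all` output, including the
    indented, unlabelled continuation lines Windows prints for extra servers."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        token = m.group(1) if m else line.strip()
        # A continuation line is a lone token; any labelled or blank line ends the block.
        in_dns = bool(m) or (in_dns and bool(token) and " " not in token)
        if in_dns and IPV4.match(token):
            servers.append(token)
    return servers

def audit_dns(servers):
    """Return the configured resolvers that match the attacker's servers."""
    return sorted(set(servers) & ROGUE_DNS)

def classify_probe(resolved_ip, body):
    """'ok' for the genuine NCSI file, 'hijacked' if steered to the attacker's host,
    'unexpected' for any other interception (captive portal, proxy, other hijack)."""
    if resolved_ip == ROGUE_PROBE_IP:
        return "hijacked"
    return "ok" if body.strip() == NCSI_EXPECTED else "unexpected"

def live_probe(timeout=5):
    """Resolve and fetch the real probe as Windows NCSI does (needs network access)."""
    ip = socket.gethostbyname(NCSI_HOST)
    with urllib.request.urlopen(f"http://{NCSI_HOST}/connecttest.txt", timeout=timeout) as r:
        body = r.read(4096).decode("utf-8", "replace")
    return ip, classify_probe(ip, body)
```

The live check deliberately verifies the response body rather than pinning Microsoft's address, since the legitimate probe endpoint may not always resolve to 13.107.4.52.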
Update 3/24/20: Security researcher Fumik0_ told BleepingComputer that based on the network traffic, this is the Oski information-stealer, not Vidar. Article updated.
Comments
TanyaC - 4 years ago
Whilst I agree something needs to be done, ISP DNS servers are typically the worst servers to ever use. I don't know about outside Australia, but in May 2017 the Australian government passed mass surveillance laws requiring ISPs to capture all DNS traffic (among many other things), and keep that data indefinitely. That's just one problem. These ISP servers are typically slow, less secure and unreliable. No one should surf the net these days without some form of protection, such as a VPN, and using ISP DNS servers, or, just as bad, Cloudfront or Google servers, effectively voids any and all security you have striven to achieve. Just my 2 cents worth.
buddy215 - 4 years ago
From what I just read... In Australia, it became mandatory in April 2017 for Australian ISPs and telecommunication companies to collect and store "metadata" about their customers' communications for a minimum of two years. May 10, 2018
AND... it is illegal to view internet porn in Australia... but... is that enforced? Don't think so.
SavageWagon - 4 years ago
I had this happen to me. I'm a pretty tech savvy guy, and this totally caught me by surprise. I figured it was a DNS hijack, which I've seen many times helping other people with their computer issues. Anytime I've seen a DNS hijack, it was because someone unknowingly downloaded malware that changed the DNS server in the network settings on the computer. So I checked my network properties and saw that my DNS was unchanged. Then the message popped up on my wife's PC. So we scanned for malware on both machines and it came back clean. Puzzled, I grabbed a live Linux flash drive and booted it up. As soon as I did, I saw the message about needing to sign in to connect to the internet, and immediately the COVID-19 APP window popped. That's when I knew it wasn't malware on my PCs, but something affecting my entire network. So I started searching around the internet and found this article. Logged into my router, and sure enough, the very IPs listed here were in my router. Fortunately I was never foolish enough to click the "download" button on the popup window. My router is an older Linksys. Maybe since it's older and hasn't had a firmware update in a few years there is an unaddressed vulnerability? I'm VERY tempted to just go out and buy a new router...
michael43 - 4 years ago
If you suspect DNS trouble, this page
https://routersecurity.org/testdns.php
links to some DNS tester web pages that will display the currently in-effect DNS servers.
TanyaC is correct; it is safer to use DNS servers from known trusted sources such as Cloudflare, Quad9, OpenDNS, NextDNS or Google, among others.
MarekVyk - 4 years ago
It seems D-Link routers are mentioned incorrectly:
https://eu.dlink.com/uk/en/support/support-news/2020/march/27/d-link-devices-accused-in-covid-19-malware-security-threat
Lawrence Abrams - 4 years ago
According to one report, it affected D-Link as well.
https://www.reddit.com/r/xbox/comments/fkfn48/xbox_wont_connect_to_internet_instead_makes_me/
If it was brute-force of remote admin passwords, it could affect almost any brand of router.