Shopperz adware takes local DNS hijacking to the next level

The program uses multiple ad injection mechanisms to prevent clean-up efforts

New versions of a highly persistent adware program called Shopperz use a cunning technique to make DNS (Domain Name System) hijacking harder to detect and fix.

Shopperz, also known as Groover, injects ads into users' Web traffic through methods researchers consider malicious and deceptive.

In addition to installing extensions in Internet Explorer and Firefox, the program creates Windows services to make it harder for users to remove those add-ons. One service is configured to run even in Safe Mode, a Windows boot option often used to clean malware.

Moreover, Shopperz creates a rogue Layered Service Provider (LSP) in Windows's network stack that allows it to inject ads into Web traffic regardless of the browser used.

Therefore, removing the adware extensions installed in IE or Firefox won't prevent the ad injection, Malwarebytes security researchers said in a blog post Tuesday.

The adware program also uses DNS hijacking, which involves tricking computers into accessing servers controlled by attackers when users try to reach legitimate websites.

The Domain Name System, the Internet's phone book, is used to translate domain names that humans can easily remember into numerical IP (Internet Protocol) addresses that computers use to communicate with each other.

Computers typically query DNS servers operated by ISPs to resolve host names. However, before doing this, Windows first checks a list of static DNS entries stored in a file called hosts.

If the DNS is a phone book, the Windows hosts file is the equivalent of speed dial, the Malwarebytes researchers said.

Many malicious programs add rogue entries to the hosts file to hijack requests for legitimate websites, so the file is commonly inspected by users or security tools when dealing with malware infections.

To keep their DNS hijacking activity from being discovered, the Shopperz creators have come up with a cunning technique.

The program leaves the real hosts file in the system32\drivers\etc\ folder intact and creates a copy under a different name in a directory whose path has the same length in characters as the path of the original file.

It then replaces all instances of a system file called dnsapi.dll, which Windows uses to parse the hosts file, with one that has been modified to use the rogue copy.

Because the only thing that gets changed in dnsapi.dll is the path to the hosts file, and because both the legitimate path and the new one have the same length, the modified dnsapi.dll file will have the same size as the original one. This is done to trick some security tools that check the size of known system files.

The rogue hosts file contains DNS entries for www.google-analytics.com, google-analytics.com and connect.facebook.com. These are legitimate Google and Facebook domain names for services used by many websites, but due to the rogue DNS entries, the browsers on infected computers are directed to attacker-controlled servers instead. The hijacking gives creators many opportunities to inject ads into Web pages opened by users.

The Malwarebytes researchers advise users dealing with a Shopperz infection to use the Windows System File Checker (SFC) tool, which can identify and repair modified system files. The tool must be run from the command line with administrator privileges by following the instructions in this Microsoft knowledge base article.
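An added defender-side check illustrating the two points above: a dnsapi.dll of the same size is not an unmodified one, and the listed domains should never appear in a hosts file. This is example code, not the article's or Malwarebytes' own; the embedded path string, the toy image layout and the hosts lines are constructed assumptions.

```python
"""Added example (not from the article or Malwarebytes): defender-side checks
showing why a size-only comparison misses a dnsapi.dll swap, and how to flag
rogue hosts entries. All byte images, paths and hosts lines are constructed."""
import hashlib
import re

# Constructed stand-in for the hosts path a resolver DLL embeds; assumed to be
# stored as a UTF-16LE wide string, as Windows path strings normally are.
REAL_PATH = r"C:\Windows\System32\drivers\etc\hosts"
# Constructed rogue path of identical length, mimicking the trick described.
ROGUE_PATH = r"C:\Windows\System32\fakedir\etc\hosts"

def fake_image(path: str) -> bytes:
    """Build a toy 'DLL' image: header filler, the wide-string path, padding."""
    return b"MZ" + b"\x00" * 30 + path.encode("utf-16-le") + b"\x00\x00" + b"\x90" * 16

def compare_images(original: bytes, suspect: bytes) -> dict:
    """Size alone is not integrity: report size match, hash match and where
    the bytes actually differ."""
    diffs = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    return {
        "size_match": len(original) == len(suspect),
        "sha256_match": hashlib.sha256(original).digest() == hashlib.sha256(suspect).digest(),
        "changed_bytes": len(diffs),
        "first_change": diffs[0] if diffs else None,
    }

def hosts_paths_in_image(image: bytes) -> list:
    """Extract every wide-string path ending in '\\hosts', trying both byte
    alignments so strings at odd offsets are not missed."""
    found = []
    for off in (0, 1):
        text = image[off:].decode("utf-16-le", errors="ignore")
        found += re.findall(r"[A-Za-z]:\\[^\x00]*?\\hosts", text)
    return found

# Domains named in the article; none of them belongs in a hosts file.
WATCHLIST = {"www.google-analytics.com", "google-analytics.com", "connect.facebook.com"}

def suspicious_hosts_entries(hosts_text: str, watchlist=WATCHLIST) -> list:
    """Return (ip, name) pairs that pin a watch-listed domain to a fixed address."""
    hits = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(parts) < 2:
            continue
        hits += [(parts[0], name) for name in parts[1:] if name.lower() in watchlist]
    return hits
```

Run `compare_images` against a known-good copy of the file (or a published hash) rather than trusting the size, and run `suspicious_hosts_entries` over every hosts-like file found, not just the one at the standard path.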


Lucian Constantin

IDG News Service