Shopperz adware takes local DNS hijacking to the next level

The program uses multiple ad injection mechanisms to prevent clean-up efforts

New versions of a highly persistent adware program called Shopperz use a cunning technique to make DNS (Domain Name System) hijacking harder to detect and fix.

Shopperz, also known as Groover, injects ads into users' Web traffic through methods researchers consider malicious and deceptive.

In addition to installing extensions in Internet Explorer and Firefox, the program creates Windows services to make it harder for users to remove those add-ons. One service is configured to run even in Safe Mode, a Windows boot option often used to clean malware.

Moreover, Shopperz creates a rogue Layered Service Provider (LSP) in the Windows network stack, which allows it to inject ads into Web traffic regardless of the browser used.

Therefore, removing the adware extensions installed in IE or Firefox won't prevent the ad injection, Malwarebytes security researchers said in a blog post Tuesday.

The adware program also uses DNS hijacking, which involves tricking computers to access servers controlled by attackers when users try to access legitimate websites.

The Domain Name System, the Internet's phone book, is used to translate domain names that humans can easily remember into numerical IP (Internet Protocol) addresses that computers use to communicate with each other.

Computers typically query DNS servers operated by ISPs to resolve host names. However, before doing this, Windows first checks a list of static DNS entries stored in a file called hosts.

If the DNS is a phone book, the Windows hosts file is the equivalent of speed dial, the Malwarebytes researchers said.

Many malicious programs add rogue entries to the hosts file to hijack requests for legitimate websites, so the file is commonly inspected by users or security tools when dealing with malware infections.

To keep their DNS hijacking from being discovered, the Shopperz creators have come up with a cunning technique.

The program leaves the real hosts file in the system32\drivers\etc\ folder intact and creates a copy under a different name, inside a directory chosen so that the copy's full path has exactly the same number of characters as the original file's path.

It then replaces every instance of dnsapi.dll, the system file Windows uses to parse the hosts file, with a version modified to read the rogue copy instead.

Because the only thing that gets changed in dnsapi.dll is the path to the hosts file, and because both the legitimate path and the new one have the same length, the modified dnsapi.dll file will have the same size as the original one. This is done to trick some security tools that check the size of known system files.
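The weakness of a size-only check is easy to show with a content comparison. The following is an added example, not code from the article or from Malwarebytes: it compares a suspect image of a DLL against a known-good copy by size, by hash and by the UTF-16LE strings embedded in it, so that a same-length path swap is caught and the changed string is reported. The "images" are constructed byte blobs that stand in for real DLL files, and the assumption that the hosts path is stored as a UTF-16LE string is a simplification for illustration.

```python
import hashlib
import re

# The path Windows actually reads for static DNS entries (as described in the article).
LEGIT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
# Constructed stand-in for a rogue copy: different directory and name, identical length.
ROGUE_HOSTS_PATH = r"C:\ProgramData\placeholder\etc\hosts1"

# Runs of printable ASCII stored as UTF-16LE (char byte followed by a zero byte).
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def utf16_strings(blob):
    """Extract printable UTF-16LE strings of at least 8 characters from a binary image."""
    return [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(blob)]


def audit_image(sample, baseline):
    """Compare a suspect DLL image against a known-good copy.

    Matching size is exactly the check Shopperz is built to pass, so the verdict
    rests on the hash, and the string diff shows what was swapped.
    """
    sample_strings = utf16_strings(sample)
    baseline_strings = utf16_strings(baseline)
    return {
        "size_match": len(sample) == len(baseline),
        "hash_match": hashlib.sha256(sample).digest() == hashlib.sha256(baseline).digest(),
        "strings_added": [s for s in sample_strings if s not in set(baseline_strings)],
        "strings_removed": [s for s in baseline_strings if s not in set(sample_strings)],
        "tampered": hashlib.sha256(sample).digest() != hashlib.sha256(baseline).digest(),
    }


def build_image(hosts_path):
    """Constructed stand-in for a DLL: fake header, one embedded UTF-16LE path, padding.

    This is not a real PE file; it only reproduces the property the article describes,
    namely that swapping a same-length path leaves the file size unchanged.
    """
    header = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    path = hosts_path.encode("utf-16-le") + b"\x00\x00"
    return header + b"\x00" * 16 + path + b"\x00" * 64


if __name__ == "__main__":
    clean = build_image(LEGIT_HOSTS_PATH)
    rogue = build_image(ROGUE_HOSTS_PATH)
    # size_match is True, hash_match is False, and the rogue path is listed as added.
    print(audit_image(rogue, clean))
```

Against real files the same logic applies to every copy of dnsapi.dll on disk, with the baseline taken from a known-clean installation rather than constructed here.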

The rogue hosts file contains DNS entries for www.google-analytics.com, google-analytics.com and connect.facebook.com. These are legitimate Google and Facebook domain names for services used by many websites, but because of the rogue entries, browsers on infected computers are directed to attacker-controlled servers instead. The hijacking gives the adware's creators many opportunities to inject ads into Web pages opened by users.

The Malwarebytes researchers advise users dealing with a Shopperz infection to use the Windows System File Checker (SFC) tool, which can identify and repair modified system files. The tool must be run from the command line with administrator privileges, following the instructions in this Microsoft knowledge base article.

Lucian Constantin

IDG News Service