Birthday Reminder Hooks Up DNS and Displays Ads, reports ESET

Even the simplest, most ordinary application can become a tool for an attacker. ESET researchers recently identified one such example: a popular, harmless-looking Birthday Reminder app that was abused to hook domain name resolution and serve advertising.

Detected by ESET's telemetry as DNSBirthday, this adware is spread evenly around the globe, with spikes in the US, Spain, Japan and Italy. The infected Birthday Reminder works as advertised and runs in the background as designed, except that it carries "additional" undocumented components that hook the DNS functions used by web browsers in order to inject ads into web pages.

Analyzing this threat, ESET researchers found that all related communications are tied to RQZTech. The attackers behind this project built a hook that redirects resolution to alternate DNS servers whenever the domain name being looked up appears in the "block list" of the configuration file.
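The following is an added illustration of the mechanism just described, not code from ESET or from the adware itself: a small Python model in which a hook diverts lookups for block-listed domains to an attacker-controlled resolver, plus the check a defender would run to spot such diversion, comparing what the hooked path returns against an independent reference resolver. The config structure, the domain names, the IP addresses (RFC 5737 documentation ranges) and both answer tables are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: the "trusted" table stands in for answers from the
# system resolver, the "rogue" table for answers from the attackers' DNS server.
TRUSTED_ANSWERS = {
    "example.com": "93.184.216.34",
    "ads.example.net": "198.51.100.7",
    "cdn.example.org": "203.0.113.9",
}
ROGUE_ANSWERS = {
    "ads.example.net": "192.0.2.66",   # ad-injecting host instead of the real one
    "cdn.example.org": "192.0.2.67",
}


@dataclass(frozen=True)
class HookConfig:
    """Hypothetical shape of the adware's configuration: the block list of
    domains to divert and the rogue server that answers for them."""
    block_list: frozenset
    rogue_server: str = "192.0.2.53"


def normalize(name):
    """Canonical form for matching: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def hooked_resolve(name, cfg, trusted=TRUSTED_ANSWERS, rogue=ROGUE_ANSWERS):
    """Model of the DNS hook: block-listed names are answered by the rogue
    server, everything else passes through to the normal resolver, so the
    app keeps working and the diversion is hard to notice."""
    key = normalize(name)
    if key in cfg.block_list:
        return rogue.get(key)
    return trusted.get(key)


def find_diverted(names, resolve_in_browser, resolve_reference):
    """Defender check: resolve each name through the (possibly hooked)
    browser path and through an independent reference resolver, and report
    every name whose answers disagree as (expected, observed)."""
    diverted = {}
    for n in names:
        expected = resolve_reference(n)
        observed = resolve_in_browser(n)
        if expected != observed:
            diverted[n] = (expected, observed)
    return diverted


def demo():
    """Run the check against the constructed data; returns the diverted names."""
    cfg = HookConfig(block_list=frozenset({"ads.example.net", "cdn.example.org"}))
    names = ["example.com", "ads.example.net", "cdn.example.org"]
    return find_diverted(
        names,
        resolve_in_browser=lambda n: hooked_resolve(n, cfg),
        resolve_reference=lambda n: TRUSTED_ANSWERS.get(normalize(n)),
    )


if __name__ == "__main__":
    for name, (expected, observed) in demo().items():
        print(f"{name}: reference={expected} hooked={observed}  <-- diverted")
```

The point of `find_diverted` is that an in-process hook only changes what the hooked application sees; a second lookup that bypasses the application (for example from a different host, or a direct query to a resolver you trust) still returns the genuine answer, and any disagreement on a name the block list targets is the tell.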

“The authors have put a lot of effort into avoiding being detected,” explains Marc-Étienne M. Leveillé, Senior Malware Researcher at ESET. “The modular architecture of their malware allows updates and the addition of more features or malware, which suggests that we may not have witnessed all the capabilities yet. It’s also interesting to note that the communication to the C&C server is secured by a pinned public key, which prevents eavesdropping of what is happening.”

ESET researchers have already reached out to OVH, the hosting company on whose infrastructure both the C&C server and the rogue DNS server were operating; both have been taken down.

To avoid these types of threats, investing in a good security solution is recommended, ideally one that includes a tool for monitoring the security of your router. If you want to know in detail how a DNS attack works, read our awareness article.

The full analysis, "Birthday Reminder looks benign, but the devil's in the details: hooks DNS, serves dodgy ads", is now available on welivesecurity.com.