Investigation started thanks to a few hacked websites

Jul 30, 2016 21:20 GMT  ·  By

An investigation into a set of hacked websites carried out by Sucuri's forensics team has uncovered a campaign abusing the FreeDNS service to hijack legitimate sites, while also revealing some curious findings involving the IP of old Conficker C&C servers that were sinkholed way back in 2009.

The Sucuri investigation started after seeing hacked websites that were redirecting their own traffic to one of their subdomains (www.site.com ---> ww2.site.com). The issue was that, despite showing a near-perfect copy of the original site, this subdomain was hosted on another server, with the 213.184.126.163 IP address.

Sucuri soon discovered that all these websites had been registered through NameCheap, a domain name registrar, and were using the company's FreeDNS service to redirect their domain name queries to the server IP address on which the site was hosted.

The weird FreeDNS DNS server naming scheme

The investigators discovered that hidden among the FreeDNS DNS servers associated with each domain were some mysterious-looking entries, such as "freedns4.registrar-serversjr5115ey.biz," with other random variations at the end of the hostname.

Upon further investigation, Sucuri realized that these servers were indeed registered and managed by NameCheap, and there was nothing suspicious except the company's very weird decision to use such a random naming scheme.

Nevertheless, Sucuri did eventually discover something wrong. Taking advantage of the undecipherable DNS server hostnames, someone managed to contaminate the FreeDNS entries with one entry that wasn't an official FreeDNS DNS server.

This was "freedns1.registrar-serversv67eds0q[.]biz", a domain name registered just a few days before by a person from Shanghai, China, which resolved to 213.184.126.163, the same IP address where all the cloned websites were hosted.

One malicious DNS entry among many legitimate ones

Same IP was used in the 2007-2009 Conficker campaigns

Searching historical records about this IP, researchers found that it had been used in the past to host C&C servers (acawarkfegq[.]info, ahpamj[.]org, amfcsbetu[.]info, and others) for the Conficker malware.

This was one of the most aggressive Windows worms, which wreaked havoc in 2007-2008. A conglomerate of Microsoft, law enforcement, and ISPs managed to sinkhole the original Conficker botnet and its C&C servers back in 2009, by taking over the domain names used for the C&C servers and pointing them to dead-end IP addresses.

The malware made a comeback in the following years, on a new infrastructure, and is one of today's most active botnets.

Sucuri's discovery shows that someone is recycling the IP address used during the first Conficker outbreak to run other cyber-crime activities.

Unlikely that someone hacked FreeDNS

Regarding how the malicious DNS entry ended up between authentic FreeDNS DNS servers, Sucuri's Denis Sinegubko has the following to say: "At this point it’s not clear what happened. Either someone hacked into the domain name registrar accounts and changed the name servers or someone compromised FreeDNS service and replaced one of their name servers."

Our bet is on the first option since it's more likely to happen. Users often use simple passwords or reuse them for their online accounts. Taking into account that there's no worldwide epidemic of compromised FreeDNS websites, these look like isolated hacks due to an improper password policy for domain name registrar profiles that allowed hackers to take over the account and modify the DNS servers with their malicious entry.

It is a good idea for all webmasters to check their DNS entries once in a while to make sure their visitors are directed to their actual websites.
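The kind of periodic check suggested above can be scripted. The following is an added example, not Sucuri's tooling or anything from the article: it compares a domain's live NS set, the addresses those name servers resolve to, and the addresses of the site's own hostnames against a baseline the webmaster recorded earlier, and reports anything that drifted. The resolver is injected as a callable so the block runs offline on constructed records; the domain `site.example`, the TEST-NET addresses and the baseline values are all constructed, while the two name server names and the 213.184.126.163 address are the ones quoted in the article.

```python
"""Baseline-drift check for a domain's delegation (added example, not from the article)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# A resolver is any callable (name, rrtype) -> list of record strings.
Resolver = Callable[[str, str], List[str]]


@dataclass(frozen=True)
class Finding:
    check: str    # "unexpected_ns", "ns_bad_ip" or "host_bad_ip"
    name: str     # the record owner that triggered the finding
    detail: str


def audit_delegation(domain: str,
                     expected_ns: Set[str],
                     expected_ns_ips: Set[str],
                     expected_site_ips: Set[str],
                     hostnames: List[str],
                     resolve: Resolver) -> List[Finding]:
    """Compare live DNS data for `domain` against a recorded baseline.

    Three checks, in order:
      1. every NS record must be in the baseline set (a rogue entry hidden
         among legitimate-looking ones is exactly what the article describes);
      2. every NS hostname must resolve only to known name server addresses;
      3. every site hostname must resolve only to the expected hosting addresses
         (catches a subdomain quietly moved to a third-party server).
    """
    findings: List[Finding] = []
    live_ns = set(resolve(domain, "NS"))

    for ns in sorted(live_ns - expected_ns):
        findings.append(Finding("unexpected_ns", ns, "NS record not in baseline"))

    for ns in sorted(live_ns):
        for ip in resolve(ns, "A"):
            if ip not in expected_ns_ips:
                findings.append(Finding("ns_bad_ip", ns, f"name server resolves to {ip}"))

    for host in hostnames:
        for ip in resolve(host, "A"):
            if ip not in expected_site_ips:
                findings.append(Finding("host_bad_ip", host, f"host resolves to {ip}"))

    return findings


# Constructed records mirroring the situation in the article: one legitimate-looking
# NameCheap server name, one rogue name pointing at the IP the clones were hosted on,
# and a ww2 subdomain that has been moved to that same server.
CONSTRUCTED_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("site.example", "NS"): [
        "freedns4.registrar-serversjr5115ey.biz",   # legitimate entry named in the article
        "freedns1.registrar-serversv67eds0q.biz",   # rogue entry named in the article
    ],
    ("freedns4.registrar-serversjr5115ey.biz", "A"): ["192.0.2.10"],       # constructed (TEST-NET)
    ("freedns1.registrar-serversv67eds0q.biz", "A"): ["213.184.126.163"],  # IP from the article
    ("www.site.example", "A"): ["192.0.2.20"],                             # constructed
    ("ww2.site.example", "A"): ["213.184.126.163"],                        # constructed: moved off-site
}


def offline_resolve(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a real resolver; unknown names simply return no records."""
    return CONSTRUCTED_RECORDS.get((name, rrtype), [])


def run_example() -> List[Finding]:
    """Run the audit against the constructed records with a constructed baseline."""
    return audit_delegation(
        domain="site.example",
        expected_ns={"freedns4.registrar-serversjr5115ey.biz"},
        expected_ns_ips={"192.0.2.10"},
        expected_site_ips={"192.0.2.20"},
        hostnames=["www.site.example", "ww2.site.example"],
        resolve=offline_resolve,
    )


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.check:14} {f.name:42} {f.detail}")
```

For a live check, swap `offline_resolve` for a wrapper around a real resolver such as dnspython's `dns.resolver.resolve(name, rrtype)` (converting each rdata to `str`), and, for the NS check specifically, ask the parent zone's servers or the registrar's record rather than the domain's own name servers, since a rogue name server will happily report itself as legitimate. Any finding is a reason to review the registrar account (credentials, recent logins, name server history) before restoring the baseline.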

For some areas of the globe, the malicious DNS server hijacked legitimate traffic

Photo Gallery (3 Images): "Old IP used in initial Conficker infections surfaces once again"; "One malicious DNS entry among many legitimate ones"; "For some areas of the globe, the malicious DNS server hijacked legitimate traffic"