Researchers are warning about a new malware delivery campaign aimed at spreading Fareit, a password-stealing Trojan that can also download additional malware.
This campaign is targeting users whose DNS server settings have been changed to redirect them to malicious sites without their knowledge. This can be the result of a previous compromise of their routers via malware such as the DNSChanger Trojan, or a malvertising campaign such as this one.
However it happened, these users are now in danger of getting saddled with Fareit.
“When the DNS server settings have been changed to point to a malicious server used by Fareit, the unsuspecting user visiting common websites gets an alert saying ‘WARNING! Your Flash Player may be out of date. Please update to continue’,” F-Secure researchers shared.
Users are then shown a (quite legitimate-looking) malicious download page.
Those who don’t know that software named Flash Player Pro doesn’t actually exist could be tricked into downloading and running the offered file (setup.exe).
Users who have fallen for this scheme should be aware of the fact that if they don’t restore the router’s DNS server settings to what they should be, they are likely to be hit with infection attempts such as this one in the future.
F-Secure advises taking the following steps: disconnecting the router from the Internet and resetting it; changing the router password; disabling its remote administration feature; updating its firmware; rebooting the computer to flush the DNS cache; and, finally, scanning the computer using an up-to-date antivirus solution.
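
After the reset, it is worth confirming which resolvers each computer is actually using. The following is an added example, not code from F-Secure or the original article: it extracts the DNS servers from English-language `ipconfig /all` output or a `resolv.conf` file and reports any that are not on an expected list. The sample inputs, the addresses and the `EXPECTED` list are constructed assumptions.

```python
import ipaddress

def _ip(token):
    """Return a parsed IP address, or None if the token is not one."""
    try:
        return ipaddress.ip_address(token.strip().split("%")[0])  # drop IPv6 scope id
    except ValueError:
        return None

def resolvers_from_resolv_conf(text):
    """Extract 'nameserver' entries from resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver" and _ip(parts[1]) is not None:
            found.append(_ip(parts[1]))
    return found

def resolvers_from_ipconfig(text):
    """Extract DNS servers from 'ipconfig /all' output, including continuation lines."""
    found, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line and ": " in line:
            in_dns, addr = True, _ip(line.split(": ", 1)[1])
        elif in_dns:
            addr = _ip(line)            # extra servers sit alone on indented lines
            in_dns = addr is not None   # any other line ends the DNS block
        else:
            addr = None
        if addr is not None:
            found.append(addr)
    return found

def unexpected_resolvers(resolvers, expected):
    """Return the resolvers (as strings) that are not on the expected list."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    return [str(r) for r in resolvers if r not in allowed]

# Constructed sample data using documentation-range addresses, not campaign indicators.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV = "# constructed\nnameserver 192.168.1.1\nnameserver 198.51.100.7\n"
EXPECTED = ["192.168.1.1"]  # assumption: only the home router should act as resolver
```

A clean result on the computer does not clear the router: when the computer simply points at the router for DNS, a changed upstream DNS setting is only visible in the router's own administration page.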