DNS tricks used by the Fareit trojan mean users are tricked into downloading malware, seemingly from Google or Facebook
The latest variants of Fareit are infecting systems via malicious DNS servers, Finnish security firm F-Secure warns.
These servers push bogus Flash updates that actually come packed with malicious code, as a blog post by F-Secure explains.
When the DNS server settings have been changed to point to a malicious server used by Fareit, the unsuspecting user visiting common websites gets an alert saying 'WARNING! Your Flash Player may be out of date. Please update to continue'.
Victims are presented with a "Flash Player Pro" download page ostensibly from the site a user is attempting to visit.
Instead of getting a binary from Google or Facebook, they'll be getting a trojan stew; more specifically, the Fareit information stealer and downloader.
Fareit is designed to harvest login information from installed FTP clients and cryptocurrency wallets, as well as snaffling stored passwords in browsers. Previous attempts to spread the malware featured more traditional malicious email attachments. The same run of spam-based attacks back in January also sprayed the ZeuS banking trojan and Cryptolocker ransomware.
DNS server settings can be affected either by pre-existing malware on a user's system or by exploiting vulnerabilities or security weaknesses in a home router to screw around with its settings.
Users can examine their current DNS server settings using a beta tool from F-Secure available here. ®
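The two checks a defender can run for this kind of hijack are the ones the story implies: is the resolver in use one you actually configured, and do well-known names resolve to what a trusted resolver says? The following is an added example, not F-Secure's tool or anything from the original article; the resolv.conf text, the allow-list and all addresses are constructed (TEST-NET ranges stand in for real ones).

```python
import ipaddress
import re

# Constructed resolv.conf-style text; the second nameserver plays the part
# of a rogue resolver planted by malware or a tampered home router.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
nameserver 192.168.1.1
nameserver 203.0.113.37
search home.lan
"""

# Assumed allow-list: the home router plus the public resolvers the user set.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Constructed answers: configured resolver versus a trusted out-of-band one.
# Note the rogue resolver steers unrelated names to one address.
CONFIGURED_ANSWERS = {"www.google.com": "203.0.113.80",
                      "www.facebook.com": "203.0.113.80"}
TRUSTED_ANSWERS = {"www.google.com": "198.51.100.10",
                   "www.facebook.com": "198.51.100.20"}


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            try:
                servers.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                continue  # skip malformed entries rather than crash
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers in use that are not on the allow-list."""
    return [s for s in servers if s not in expected]


def mismatched_answers(configured, trusted):
    """Names whose configured-resolver answer differs from the trusted one.
    CDNs make single mismatches normal; several unrelated names collapsing
    onto one address is the pattern worth alerting on."""
    return sorted(n for n in configured
                  if n in trusted and configured[n] != trusted[n])


def check(text=SAMPLE_RESOLV_CONF, configured=CONFIGURED_ANSWERS,
          trusted=TRUSTED_ANSWERS):
    """Combine both checks into one report dictionary."""
    servers = parse_nameservers(text)
    mism = mismatched_answers(configured, trusted)
    shared = len(set(configured[n] for n in mism)) < len(mism)
    return {"resolvers": servers,
            "unexpected": unexpected_resolvers(servers),
            "mismatched": mism,
            "shared_answer": shared}
```

On a real host, replace the constructed text with the contents of /etc/resolv.conf (or the equivalent ipconfig output on Windows) and the answer dictionaries with live lookups against the configured and a trusted resolver.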