
You visit a familiar website and everything looks perfectly normal, but what you can’t see is that the site itself might be secretly compromised. This is the reality of the massive Detour Dog malware campaign that has infected tens of thousands of websites globally.
This clever malware utilizes the internet’s basic address book, the Domain Name System, to carry out its malicious activities. It selectively targets visitors based on their location and device type, making it incredibly hard for anyone to detect the danger.

Cybercriminals break into websites through unprotected servers or by exploiting weak spots in their configuration. Once they gain access, they plant a sneaky piece of code known as the Detour Dog malware. This code gives them remote control over the website’s behavior, allowing them to redirect traffic whenever they want.
The compromised website is turned into a puppet, secretly making requests to servers controlled by the attackers. These requests happen entirely behind the scenes on the website’s server, not on your personal device.

The hijacked website communicates with its masters using a special part of the DNS known as TXT records. These records are typically used for harmless verification purposes, but hackers have twisted them into a secret command channel.
The attacker’s server then sends back instructions hidden within a DNS response. These commands tell the compromised website what to do with you, the visitor. The instruction could be to leave you alone, redirect you to a scam, or deliver something much more dangerous.

Originally, this campaign was all about generating revenue through deceptive redirects. It would send people to scam pages or push fake CAPTCHA to deliver unwanted browser notifications. This was a nuisance, but the scheme has recently taken a much more dangerous turn.
Researchers have discovered that Detour Dog now delivers powerful information-stealing malware called Strela Stealer. This shift means the attackers are no longer just chasing ad clicks; they are now directly targeting your personal login information and sensitive data from your computer.

The malware is often delivered using a technique called a drive-by download. You might see a prompt encouraging you to download a file, or the site might exploit a weakness in your browser. In some cases, you don’t have to click on anything at all for the process to start.
The initial downloader, a backdoor called StarFish, paves the way for the main threat. Once StarFish is on a system, it calls back to its controller to fetch the final payload. This creates a multi-stage attack that is harder for security software to block in a single step.

Strela Stealer is a powerful tool designed to hunt for your valuable digital credentials. It primarily targets email clients like Microsoft Outlook and Mozilla Thunderbird, stealing your usernames and passwords. This gives hackers direct access to your personal or work email accounts.
Over time, this stealer has evolved into a more modular threat. It can now also extract saved passwords from many popular web browsers and collect credentials from other sources on your computer. Once it has your data, it secretly sends everything back to the attackers.

The most cunning part of this attack is its selective targeting. Only a small fraction of visitors (around 1%) receive the remote execution instruction or payload; the rest might just be redirected to a scam page.
This low-and-slow approach helps the hackers avoid raising any alarms and keeps the site looking normal. Because so few people encounter the real threat, the compromised website can stay infected for over a year without anyone noticing.

This is not a small, isolated issue. Security experts have identified over 30,000 infected websites spanning 89 different countries. The web of compromised sites is vast and diverse, affecting everything from small personal blogs to larger platforms.
Many infected sites serve U.S.-based visitors, though comprehensive traffic attribution is not public. This means the average American internet user is statistically more likely to encounter one of these compromised pages during their daily browsing.

The attackers don’t just rely on hacked websites; they also use networks of infected devices called botnets. These botnets, with names like REM Proxy and Tofsee, are used to distribute spam emails that contain malicious links. These links lead back to the Detour Dog infrastructure.
This connection shows a collaboration between different criminal groups specializing in various services. Detour Dog provides the compromised websites and DNS manipulation, while other groups provide the spam distribution power to lure in unsuspecting victims.

Security researchers compare the delivery technique to a game of three-card monte. The malicious files aren’t actually hosted on the domain you see in the email link. Instead, that domain is just a relay point that fetches the real malware from a completely different, hidden server.
This clever misdirection makes it incredibly difficult for investigators to track down the true source of the infection. By the time they check a suspected server, the malware has already moved elsewhere, keeping the attackers one step ahead of defenders.

Traditional security software that runs on your computer can be blind to this threat. Since the malicious logic and DNS conversations happen on the website’s server, there are no obvious signs for your local antivirus to detect until it’s potentially too late.
The infection also generates a large amount of harmless-looking DNS traffic, and the few malicious commands hide among these background queries, making detection much more difficult.

Many of these infected websites have been compromised for more than a full year. The combination of stealthy server-side operations and selective targeting allows the malware to persist for incredibly long periods. Website owners often have no idea their site is being used for malicious purposes.
Because the site continues to look and function normally for almost all visitors, there is no obvious reason for the owner to investigate. This long dwell time gives the attackers a stable and reliable platform to launch their operations from for months on end.

In an effort to disrupt the campaign, the Shadowserver Foundation took control of some of the attackers’ key domains. This action, known as sinkholing, allowed them to intercept millions of the secret DNS queries from infected sites.
This research revealed peaks of over two million requests in a single hour. Despite this successful countermeasure, the attackers proved resilient and established new control servers within just a few hours. This shows the challenge of taking down such adaptable threats.

If you own a website, it’s crucial to lock down your domain and DNS settings. Always enable multi-factor authentication on your domain registrar account to prevent unauthorized changes. You should also regularly review your DNS records for anything suspicious, like unfamiliar TXT entries.
Keep your content management system, plugins, and themes updated with the latest security patches. Using a Web Application Firewall can also help block malicious traffic and attempts to exploit vulnerabilities on your site before they cause damage.
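The DNS review the article recommends is easiest to do mechanically: keep a snapshot of the TXT records you expect and diff each fresh export against it. The script below is an added example, not code from the article; it parses constructed zone-file lines, reports added and removed TXT values, and separately lists values that do not start with a well-known verification prefix (SPF, DMARC, DKIM, Google and Microsoft site verification) or live under an `_acme-challenge` name. The zone contents, the placeholder token and the prefix list are assumptions for the example.

```python
import re

# Constructed baseline snapshot of a zone's TXT records (not a real zone).
BASELINE_ZONE = """\
; baseline captured after the last deliberate change
example.org.        300 IN TXT "v=spf1 include:_spf.mail.invalid -all"
_dmarc.example.org. 300 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"
"""

# Constructed current export: one legitimate ACME challenge appeared, and one
# value nobody on the team can explain (placeholder, not a real indicator).
CURRENT_ZONE = """\
example.org.        300 IN TXT "v=spf1 include:_spf.mail.invalid -all"
example.org.        300 IN TXT "placeholder-unexplained-token-0001"
_dmarc.example.org. 300 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"
_acme-challenge.example.org. 60 IN TXT "constructed-acme-token"
"""

# Zone-file TXT line: name, optional TTL, optional class, TXT, quoted data.
ZONE_TXT_RE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(?P<data>.+)$")

# Common, well-documented TXT record prefixes; extend with your own providers.
KNOWN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=", "MS=")


def parse_txt_zone(text: str) -> dict:
    """Map each owner name to the set of its TXT values, joining the quoted
    pieces of a multi-string record ("abc" "def") into one value."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ZONE_TXT_RE.match(line)
        if not m:
            continue
        value = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', m["data"]))
        records.setdefault(m["name"].lower(), set()).add(value)
    return records


def looks_familiar(name: str, value: str) -> bool:
    """True for record shapes that routinely appear in a zone for a reason."""
    if name.startswith("_acme-challenge."):
        return True
    return value.startswith(KNOWN_PREFIXES)


def review_txt(current: dict, baseline: dict) -> dict:
    """Diff current TXT records against the baseline and flag unfamiliar values.
    Returns sorted (name, value) lists under 'added', 'removed', 'unrecognized'."""
    added, removed, unrecognized = [], [], []
    for name in sorted(set(current) | set(baseline)):
        cur, base = current.get(name, set()), baseline.get(name, set())
        added.extend((name, v) for v in sorted(cur - base))
        removed.extend((name, v) for v in sorted(base - cur))
        unrecognized.extend((name, v) for v in sorted(cur) if not looks_familiar(name, v))
    return {"added": added, "removed": removed, "unrecognized": unrecognized}


if __name__ == "__main__":
    report = review_txt(parse_txt_zone(CURRENT_ZONE), parse_txt_zone(BASELINE_ZONE))
    for kind, entries in report.items():
        for name, value in entries:
            print(f"{kind:12} {name} TXT {value!r}")
```

The export can come from your registrar or DNS host's zone download, or from a `dig AXFR` against your own authoritative server where transfers are permitted. The two lists serve different purposes: "added" catches any change since the baseline, while "unrecognized" catches values that were never explained even if they have been there since the baseline was taken.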

For everyday internet users, staying safe requires a proactive approach. Be very cautious about downloading files from websites, even if they look legitimate. Using a secure DNS resolver, like those offered by Cloudflare or Quad9, can help block known malicious domains before they can load.
Always ensure your internet browser is up-to-date, as updates often include critical security patches. It’s also a smart habit to use a reputable password manager and enable two-factor authentication wherever possible to protect your accounts from theft.

The Detour Dog campaign is a stark reminder that cyber threats are constantly evolving. Attackers are increasingly abusing fundamental internet services like DNS, which everyone trusts, to hide their activities. This makes them harder to find and stop using traditional methods.
This situation highlights the need for better security at the DNS and network level, not just on our personal devices. As attackers get smarter, our collective defenses must also advance, relying on high-quality threat intelligence to keep pace with the changing digital landscape.

The key takeaway is to maintain healthy skepticism while you’re browsing the internet. If a website seems to be acting strangely, even in a small way, it’s best to close the tab immediately. Remember that a website looking normal does not always guarantee it is safe.
Cybersecurity is a shared responsibility between website owners and users. By staying informed and adopting good digital habits, you can significantly reduce your risk. The internet is an amazing resource, and with a little caution, you can navigate it safely and confidently.
This slideshow was made with AI assistance and human editing.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.