Recently one of our employees experienced a DNS hijacking attack while trying to visit a company’s website to learn more about them. You have probably experienced DNS hijacking at some point; your TCP/IP configuration is subverted to point at a rogue DNS server under the control of an attacker.  Essentially the website you tried to visit was somehow redirected to a domain chosen by the attacker.  In the case of our employee, the site that he was redirected to served up a pop-up that warned of malware on his PC.

The Story

Whilst developing leads and contacts, one of our employees went to investigate a company by visiting their website, which was listed on Salesforce.   Unfortunately, it had fallen victim to DNS hijacking; the site, (don’t go there), redirected to a subdomain of This particular redirect tries to take control of your browser and triggers a pop-up warning that your PC has been infected.  You can either click the OK button or call their toll free number to speak with Microsoft Support.

DNS Hijacking example

Naturally this can be alarming, but look closer: the pop-up from the site says you have malware, but only lists Microsoft to seem legitimate. A quick google search on that number confirms that this is bogus.

The Resolution

The first step to correct this was to take the infected user’s PC off the network so it couldn’t pose any further risk to the rest of our network. From another computer I downloaded a copy of Malwarebytes to detect malware on the user’s computer and installed it with a USB stick.  We ran a scan on the infected machine and found something called “PUP.Optional.Ask.A.”

Detecting Malware

You can learn more about this unwanted program from this site that also discusses how to remove malware from your PC.   The write-up shows how easily this is spread and how many browsers this affects with DNS hijacking:

“Once PUP.Optional.ASK.A is run on the computer, it targets mostly known browsers like Internet Explorer, Google Chrome, Mozilla Firefox, and Safari. This threat performs changes on browser settings that may result to home page hijacking and browser redirect problems. PUP.Optional.ASK.A also drops extension, add-on, and plug-in to achieve other malicious tasks.”

After removing the  “PUP.Optional.Ask.A” on the machine, we reset Chrome and IE browser settings on the user’s PC and verified that no 3rd-party plugins were being used.  We wanted to be sure that before we let the user back onto the network, their machine was no longer infected.    The final step in the resolution was identifying the flow data in a NetFlow Analyzer like Scrutinizer in order to see the sites that the user hit to get there.  You could also set up a threshold that alerts you on DNS Hijacking, so that when a user hits a subdomain of on any links in the network, it reports on any connections from local users.

For a proactive means to monitor your network for suspicious activity and detecting malware, don’t hesitate to call us at Plixer or evaluate our NetFlow traffic analyzer.


Austin Brooks

Austin is a QA Engineer in the R&D department at Plixer. He works on new report types and aids the front end team with changes to the user interface of Scrutinizer. He has worked in Tech Support as well as a Solutions Engineer for the sales team at Plixer before his move to Development. Austin graduated from UNH’s WSBE with a degree in International Business and speaks a bit of German. Outside of work, Austin spends his time honing his coding skills and does website design for friends and family. He enjoys skiing, hockey, playing and writing music as well as traveling to different countries.