
Evolved DNSChanger malware slings evil ads at PCs, hijacks routers

Software nasty is packed with exploits for vulnerabilities in home broadband boxes

Malware that spreads via evil web ads and menaces broadband routers has been discovered – and it's going to be particularly horrible for small business and home internet users, which it targets.

This latest variant of the years-old DNSChanger nasty, just spotted by Californian infosec biz Proofpoint, works like this: some JavaScript code is hidden in advertisements placed on mainstream websites via ad networks. The code – which prefers Chrome on Windows and Android – checks for the local IP address of the browser visiting the site using a WebRTC request to a Mozilla STUN server.

If the target isn't in the desired IP range for the attacker, a legitimate advert is fetched and displayed, and nothing further happens. If the IP address is within range, the JS code downloads a bogus ad in the form of a PNG image, and extracts HTML from the comment field of the picture. The HTML is rendered in the page and it redirects the browser to another website that hosts the DNSChanger Exploit Kit.
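As an added defensive example (not Proofpoint's analysis code, nor anything from the campaign): a small PNG chunk walker that flags ad creatives whose text chunks carry HTML markup, the hiding spot described above. The sample image, the chunk keyword and the markup heuristic are all constructed here for illustration.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Markup that has no business in an image comment field (assumed heuristic).
HTML_HINT = re.compile(rb"<\s*(script|iframe|html|body|img|a)\b", re.IGNORECASE)

def png_chunks(data):
    """Yield (type, payload) for every chunk; validates the signature and each CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        yield ctype, payload
        if ctype == b"IEND":
            break
        pos += 12 + length

def text_chunks(data):
    """Decode tEXt (keyword\\0text) and zTXt (keyword\\0method + zlib data) chunks."""
    for ctype, payload in png_chunks(data):
        if ctype == b"tEXt":
            key, _, text = payload.partition(b"\x00")
            yield key.decode("latin-1"), text
        elif ctype == b"zTXt":
            key, _, rest = payload.partition(b"\x00")
            yield key.decode("latin-1"), zlib.decompress(rest[1:])

def suspicious_text_chunks(data):
    """Return keywords of text chunks whose content looks like HTML markup."""
    return [key for key, text in text_chunks(data) if HTML_HINT.search(text)]

def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def build_sample(comment):
    """Constructed 1x1 greyscale PNG carrying `comment` in a tEXt 'Comment' chunk (test data, not a real ad)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Comment\x00" + comment) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

Run the scanner over creatives at the ad-network ingest point, or over images an analyst pulls from a suspect page, and treat any hit as grounds for a closer look rather than as proof on its own.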

Evil JavaScript on that webpage then fetches an AES key, concealed in an image using steganography, that is used to decrypt a separate payload that contains more code, a bunch of default usernames and passwords used in broadband routers, and 166 fingerprints used to identify the victim's router.

Next, the exploit kit, running within the browser using the decrypted data, tries to figure out the router being used from the list of possible fingerprints. If there's a match, it fetches the necessary code to run to exploit vulnerabilities in that particular gateway to hijack it. If there is no match, it tries out all the default login credentials, and if those don't work, it tries to run a load of exploits against common vulnerabilities in devices.

The ultimate aim is to connect to the router on the local network from the victim's browser and abuse security shortcomings – such as known default passwords or programming blunders – to commandeer the gateway and change its DNS settings to rogue name servers.

Then when computers join the local network, they may, depending on their configuration, pick up the bad DNS settings from the router and run domain-name lookups through hacker-controlled name servers. Whoever controls those servers can make people's browsers connect to malevolent systems masquerading as legit websites that steal login information; inject more malware onto the victim's PCs by redirecting downloads; serve them dodgy ads rather than real ones the browser was supposed to display; and so on.

Proofpoint's diagram showing the infection path

Some of the infection exploits also start up vulnerable services on the routers that nasties like the Mirai botnet can attack to also joyride the gateway. Devices known to be vulnerable to DNSChanger EK include:

  • D-Link DSL-2740R
  • COMTREND ADSL Router CT-5367 C01_R12
  • NetGear WNDR3400v3 (and likely other models in this series)
  • Pirelli ADSL2/2+ Wireless Router P.DGA4001N
  • Netgear R6200

"When attackers control the DNS server on a network, they open up the possibility of carrying out a wide range of malicious actions on devices connecting to the network," Proofpoint said last week.

"These can include banking fraud, man-in-the-middle attacks, phishing, ad fraud, and more. In this case, the DNSChanger exploit kit allows attackers to leverage what is often the only DNS server on a SOHO network – the internet router itself. In general, avoiding these attacks requires router manufacturers to regularly patch their firmware and users to regularly apply these patches."

At present, it looks as though the DNSChanger masterminds are purely looking to reroute connections to legitimate advertising brokers to other networks, via the hijacked DNS settings, thus forcing browsers to display adverts the crooks can make money off.

Fogzy and TrafficBroker appear to be getting the most of this redirected traffic at the moment, and both companies have been advised that there's something dodgy going on. We were told on Monday that Fogzy has now blocked the redirection.

"Unfortunately, there is no simple way to protect against these attacks. Applying the latest router updates remains the best way to avoid exploits," Proofpoint said. Changing the username and password for the admin interface is also a good idea, as is logging out of the router when you're not fiddling with its settings. Some gateways can still be vulnerable even if you've taken these precautions.

"Changing the default local IP range, in this specific case, may also provide some protection. Neither of these solutions, though, is a typical action performed by average users of SOHO routers," the biz continued. ®
