PINDROP BLOG

New Malvertising Campaign Exploits Home Routers, Changes DNS Servers

There’s a new malvertising campaign that is attacking Chrome users on both desktops and mobile devices and is exploiting victims’ home routers through the use of the DNSChanger exploit kit. The attacks have been going on for several weeks and researchers say they’re targeting several brands of routers, including D-Link, Netgear, and others.

The attackers behind this campaign are using malicious ads on a number of legitimate websites to redirect visitors to a site that serves the exploit kit. At the start of the attack, the kit does some fingerprinting of the client and looks up its IP address to see if it’s in the range of targeted IPs. If so, it then shows the victim the malicious advertisement and uses JavaScript to pull some code from the comment field of an image in the ad. That code then sends the victim to the DNSChanger landing page. The exploit kit then loads a long encrypted list of router fingerprints and a key to decrypt them, researchers at Proofpoint said in an analysis of the attacks.


The kit then uses the victim’s browser to identify and fingerprint the home router, and sends those details back to the remote server. The server replies with instructions on how to exploit that particular router model.

“DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims’ home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising,” the analysis says.

“This attack is determined by the particular router model that is detected during the reconnaissance phase. If there is no known exploit, the attack will attempt to use default credentials; otherwise, it will use known exploits to modify the DNS entries in the router and, when possible (observed for 36 fingerprints out of the 129 available), it will try to make administration ports available from external addresses. In this way, it will expose the router to additional attacks like those performed by the Mirai botnets.”

Changing the DNS records on a router can have disastrous effects for the victim. This gives the attacker the ability to direct victims’ traffic to any site they choose, making online banking fraud, credential theft, and other further attacks easy to execute. In this case, the Proofpoint researchers said it appears that the attackers are using this campaign to redirect traffic destined for some ad networks. The attackers can then substitute their own ads or perform other actions.

“Unfortunately, there is no simple way to protect against these attacks. Applying the latest router updates remains the best way to avoid exploits. Changing the default local IP range, in this specific case, may also provide some protection. Neither of these solutions, though, is a typical action performed by average users of SOHO routers. As a result, it is also incumbent upon router manufacturers to develop mechanisms for simple, user-friendly updates to their hardware,” the researchers said.
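The DNS change described above is the observable artifact a defender can check for on any client behind a SOHO router: after a hijack, the DHCP-assigned nameservers stop being the router itself or a resolver the owner chose. The following is an added example, not code from the Pindrop post or from Proofpoint’s analysis; it audits a resolv.conf-style configuration and, following the "change the default local IP range" advice in the quote, flags a gateway that still sits in a factory-default LAN range. The trusted-resolver set, the list of default ranges, and the sample configuration are constructed assumptions.

```python
"""Audit a host's DNS resolvers for signs of a router DNS hijack.

Added example, not from the Pindrop/Proofpoint analysis. A rogue router
configuration shows up as nameservers that are neither the LAN gateway
nor a resolver the owner deliberately chose. Everything below that looks
like a real address or range is a constructed placeholder.
"""
import ipaddress
from typing import Dict, List, Set

# Assumption: resolvers the owner has deliberately configured (ISP or public).
TRUSTED_RESOLVERS: Set[str] = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# RFC 1918 LAN ranges; anything else that is not trusted is treated as suspect.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: LAN ranges many consumer routers ship with by default.
DEFAULT_LAN_RANGES = [ipaddress.ip_network(n) for n in
                      ("192.168.0.0/24", "192.168.1.0/24")]

# Constructed sample: the third nameserver is neither the router nor trusted.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 203.0.113.53
"""


def parse_nameservers(resolv_text: str) -> List[str]:
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(server: str, lan_gateway: str,
                      trusted: Set[str] = TRUSTED_RESOLVERS) -> str:
    """Label one resolver as 'router', 'trusted', 'private' or 'suspicious'."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "suspicious"          # not even a valid address
    if server == lan_gateway:
        return "router"              # the SOHO router forwarding DNS itself
    if server in trusted:
        return "trusted"
    if any(addr in net for net in RFC1918_NETS):
        return "private"             # another LAN host; worth a look, not a hijack
    return "suspicious"              # a public resolver nobody configured


def audit_resolvers(resolv_text: str, lan_gateway: str,
                    trusted: Set[str] = TRUSTED_RESOLVERS) -> Dict[str, str]:
    """Map every configured nameserver to its classification."""
    return {s: classify_resolver(s, lan_gateway, trusted)
            for s in parse_nameservers(resolv_text)}


def suspicious_resolvers(resolv_text: str, lan_gateway: str,
                         trusted: Set[str] = TRUSTED_RESOLVERS) -> List[str]:
    """Return only the resolvers that indicate a possible DNS change."""
    return [s for s, verdict in audit_resolvers(resolv_text, lan_gateway, trusted).items()
            if verdict == "suspicious"]


def uses_default_lan_range(lan_gateway: str) -> bool:
    """True if the gateway still lives in a factory-default LAN range."""
    addr = ipaddress.ip_address(lan_gateway)
    return any(addr in net for net in DEFAULT_LAN_RANGES)


if __name__ == "__main__":
    gateway = "192.168.1.1"
    for server, verdict in audit_resolvers(SAMPLE_RESOLV_CONF, gateway).items():
        print(f"{server:16} {verdict}")
    if uses_default_lan_range(gateway):
        print("gateway is in a default LAN range; consider changing it")
```

On a real host, feed the function the contents of /etc/resolv.conf (or the DHCP lease's DNS option) and the default gateway; a "suspicious" verdict is the cue to log into the router and compare its DNS settings against what the ISP or owner configured.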

Several days ago, researchers at the CERT/CC warned about vulnerabilities in several Netgear home routers. However, the Proofpoint researchers said they didn’t see exploits for those specific flaws used in this malvertising campaign.

Image: Filter Forge, CC By license
