
The campaign of malicious advertising is aimed not at the browser and not at the computer, but at the router


The developers of malicious software keep looking for new ways to infect computers. The goals are to steal data, encrypt files and demand a "ransom", or show third-party advertisements whose clicks bring money to the cybercriminals. Recently, information security experts from Proofpoint found exactly such software, but instead of a browser or an operating system, it infects routers. The new exploit kit is called DNSChanger EK.

The cybercriminals' working pattern is relatively simple. They buy ads on popular sites and inject into the ad a script that issues a WebRTC request to Mozilla's STUN server. The goal is to determine the local IP address of the user who has visited the site carrying the infected advertising banners.

If the public address is already known or is not in the target range, the user is shown an ordinary banner from a third-party advertising network. If action is required (that is, if the network is served by a router), the JavaScript attached to the advertisement takes the PNG code from the comment field of the HTML and opens the DNSChanger EK landing page.

Fake advertisements that redirect user requests to attackers' servers

From this moment the exploit kit starts working. If the user's router is vulnerable (this is determined automatically), an image file with an AES encryption key embedded by steganography is sent to the victim's browser. The key allows the script in the "poisoned" ad to decode the traffic that the victim's PC receives from the exploit kit. All of the cybercriminals' operations are encrypted so that the inner workings of the process are not exposed to information security specialists.

After the victim receives the key, the exploit kit sends a list of router "fingerprints". According to the experts, the list now contains more than 166 fingerprints. The script placed in the advertisement analyzes the router the victim uses and sends the result of this survey to the exploit kit's server. If the user's system is identified as vulnerable, the attack on the device begins, using either a specific set of hacking tools or a set of default login/password pairs for each specific device model.

All of this is done to change the DNS settings of the victim's router so that traffic is redirected through the attackers' servers. The operation itself takes seconds; it is only the description of the process that looks long. If the router's settings allow it, the attackers also open control ports for external connections in order to manage the infected devices directly. The researchers say they watched the attackers open control ports on 36 of the 166 router models on the list.

Scheme of the DNSChanger exploit kit attack

If the attack succeeds, advertisements from networks such as AdSupply, OutBrain, Popcash, Propellerads and Taboola in the user's browser are replaced with the intruders' own advertising inserts. In addition, advertising now appears even on sites that do not carry any.

It is worth noting that DNSChanger targets users of the Chrome browser rather than Internet Explorer, as is the case in most campaigns. Moreover, the attackers target both desktops and mobile devices, and the injected advertising is shown on both.

Unfortunately, information security specialists cannot yet determine the full list of vulnerable routers. It is known, however, that it includes device models from manufacturers such as Linksys, Netgear, D-Link, Comtrend, Pirelli and Zyxel. Among the vulnerable routers, Proofpoint's experts can name the following devices:



Analysis of DNSChanger EK traffic passing through a router hacked by intruders

Of course, the problem is not only that the victim sees imposed advertisements in their browser. The main point is that the attackers are able to control the user's traffic, which means they can intercept bank card data and steal personal data from any other sites, including social networks. Once a sufficiently large number of systems is infected, the cybercriminals will be able to form their own botnet.

And it is clear that not just individual users are hit, but every member of the local network behind the compromised router.

What to do?

Since the attack is carried out through the user's browser and the attackers are able to intercept traffic, simply changing the router's administrator login/password or disabling the administrator interface may not be enough.

The only way to feel safe is to upgrade the router's firmware to the newest version, which most likely already includes protection against the exploits in the DNSChanger EK package.
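Because the hijack described above changes the DNS settings inside the router, a host on the LAN usually still sees the router itself as its resolver, so looking at the local resolver list alone is not enough. The added example below (not part of the original article or of Proofpoint's research) shows a defender-side check that does both things: it parses a resolv.conf-style resolver list and flags resolvers outside an owner-defined allowlist, and it compares the A records returned via the router against those from a trusted resolver and reports domains whose answers disagree. The resolver allowlist, the resolv.conf text and the DNS answers are constructed sample data; in practice the answers would come from real lookups against the router and against a resolver you trust.

```python
import ipaddress
import re

# Constructed sample: a LAN host's resolver list after a compromised router
# started handing out an additional, unexpected DNS server via DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the home router (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.57
"""

# Assumption: the resolvers the network owner actually configured
# (the router itself plus two public resolvers of their choice).
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Constructed answers: the hijacked resolver points an ad-network CDN name
# at a different address, while an unrelated name resolves identically.
ROUTER_ANSWERS = {
    "cdn.example-ads.test": {"203.0.113.20"},
    "bank.example.test": {"198.51.100.10"},
}
TRUSTED_ANSWERS = {
    "cdn.example-ads.test": {"198.51.100.77"},
    "bank.example.test": {"198.51.100.10"},
}


def parse_nameservers(resolv_conf_text):
    """Return the nameserver IPs listed in resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue  # ignore malformed entries rather than crash the audit
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers that are not on the owner's allowlist (any of them is suspect)."""
    return [s for s in servers if s not in expected]


def compare_answers(router_answers, trusted_answers):
    """Domains whose A records via the router share no IP with the trusted
    resolver's answer. Inputs map name -> set of IP strings."""
    mismatches = {}
    for name, trusted in trusted_answers.items():
        via_router = router_answers.get(name, set())
        if via_router and not (via_router & trusted):
            mismatches[name] = {
                "router": sorted(via_router),
                "trusted": sorted(trusted),
            }
    return mismatches


def audit(resolv_conf_text=SAMPLE_RESOLV_CONF,
          router_answers=ROUTER_ANSWERS,
          trusted_answers=TRUSTED_ANSWERS):
    """Run both checks and return a report dict."""
    servers = parse_nameservers(resolv_conf_text)
    return {
        "nameservers": servers,
        "unexpected_resolvers": unexpected_resolvers(servers),
        "mismatched_answers": compare_answers(router_answers, trusted_answers),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

With the constructed data, the audit flags 203.0.113.57 as an unexpected resolver and reports cdn.example-ads.test as the one name whose answer differs between the router and the trusted resolver; the answer comparison is the check that still works when the router's own upstream DNS has been changed and the LAN host sees nothing unusual in its resolver list.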

The Proofpoint team notes that a large number of the "poisoned" advertisements placed by the attackers are hidden by ad blockers. Users of software that blocks this type of advertising are therefore less exposed than users who do not block ads.

Unfortunately, the problem is that router manufacturers are not actively releasing security updates for their devices. If they responded in a timely manner, such attacks would be less successful and far fewer.

Source: https://habr.com/ru/post/399959/