Evolved DNSChanger malware slings evil ads at PCs, hijacks routers

Software nasty is packed with exploits for vulnerabilities in home broadband boxes

By Iain Thomson in San Francisco


Malware that spreads via evil web ads and menaces broadband routers has been discovered – and it's going to be particularly horrible for the small-business and home internet users it targets.

This latest variant of the years-old DNSChanger nasty, just spotted by Californian infosec biz Proofpoint, works like this: some JavaScript code is hidden in advertisements placed on mainstream websites via ad networks. The code – which prefers Chrome on Windows and Android – checks for the local IP address of the browser visiting the site using a WebRTC request to a Mozilla STUN server.

If the target isn't in the desired IP range for the attacker, a legitimate advert is fetched and displayed, and nothing further happens. If the IP address is within range, the JS code downloads a bogus ad in the form of a PNG image, and extracts HTML from the comment field of the picture. The HTML is rendered in the page and it redirects the browser to another website that hosts the DNSChanger Exploit Kit.
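The PNG-comment trick above is easy to check for on the defender's side: image metadata should contain captions and software names, not markup. The script below is an added example, not Proofpoint's or The Register's code. It builds a small constructed PNG in memory, walks the chunk structure (verifying each CRC), pulls the text out of tEXt, zTXt and iTXt chunks, and flags any entry that looks like HTML. The sample comment and the `ad.example.invalid` hostname are constructed placeholders, not indicators from the campaign.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Markup that has no business inside an image's text metadata.
HTML_MARKERS = re.compile(r"<\s*(script|iframe|html|body|meta|img|a)\b", re.IGNORECASE)


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(comment: bytes) -> bytes:
    """Constructed sample: a 1x1 greyscale PNG carrying `comment` in a tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, greyscale, no interlace
    scanline = b"\x00\x00"  # filter type 0 followed by one black pixel
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00" + comment)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data, crc_ok) for every chunk; stops after IEND."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield ctype, data, (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc
        pos += 12 + length
        if ctype == b"IEND":
            break


def extract_text_chunks(png: bytes) -> list:
    """Return [(keyword, text)] from tEXt, zTXt and iTXt chunks."""
    out = []
    for ctype, data, _crc_ok in iter_chunks(png):
        if ctype == b"tEXt":
            keyword, _, text = data.partition(b"\x00")
            out.append((keyword.decode("latin-1"), text.decode("latin-1", "replace")))
        elif ctype == b"zTXt":
            keyword, _, rest = data.partition(b"\x00")
            # rest[0] is the compression method; 0 means zlib/deflate
            text = zlib.decompress(rest[1:]) if rest[:1] == b"\x00" else rest[1:]
            out.append((keyword.decode("latin-1"), text.decode("latin-1", "replace")))
        elif ctype == b"iTXt":
            # layout: keyword\0 comp_flag comp_method language\0 translated_keyword\0 text
            keyword, _, rest = data.partition(b"\x00")
            comp_flag = rest[0]
            rest = rest[2:]
            _lang, _, rest = rest.partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if comp_flag == 1:
                text = zlib.decompress(text)
            out.append((keyword.decode("latin-1"), text.decode("utf-8", "replace")))
    return out


def find_markup_in_metadata(png: bytes) -> list:
    """Flag text chunks whose content looks like HTML rather than a caption."""
    return [(k, t) for k, t in extract_text_chunks(png) if HTML_MARKERS.search(t)]


if __name__ == "__main__":
    # Constructed inputs: a benign caption and a comment that smuggles markup.
    benign = build_sample_png(b"constructed sample caption")
    smuggled = build_sample_png(b'<iframe src="https://ad.example.invalid/"></iframe>')
    print(find_markup_in_metadata(benign))    # []
    print(find_markup_in_metadata(smuggled))  # [('Comment', '<iframe src="https://ad.example.invalid/"></iframe>')]
```

The same `iter_chunks` walker can be pointed at the ad creatives an ad-network proxy serves, or at images pulled from a suspicious page during an investigation; a CRC mismatch or a text chunk containing markup is a cheap, high-signal reason to quarantine the file for closer analysis.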

Evil JavaScript on that webpage then fetches an AES key, concealed in an image using steganography, that is used to decrypt a separate payload containing more code, a bunch of default usernames and passwords used in broadband routers, and 166 fingerprints used to identify the victim's router.

Next, the exploit kit, running within the browser using the decrypted data, tries to work out which router is in use from the list of possible fingerprints. If there's a match, it fetches the exploit code for that particular gateway's vulnerabilities and uses it to hijack the device. If there is no match, it tries out all the default login credentials, and if those don't work, it runs a load of exploits against common vulnerabilities in such devices.

The ultimate aim is to connect to the router on the local network from the victim's browser and abuse security shortcomings – such as known default passwords or programming blunders – to commandeer the gateway and change its DNS settings to rogue name servers.

Then, when computers join the local network, they may, depending on their configuration, pick up the bad DNS settings from the router and run domain-name lookups through hacker-controlled name servers. Whoever controls those servers can make people's browsers connect to malevolent systems masquerading as legit websites that steal login information; inject more malware onto the victims' PCs by redirecting downloads; serve them dodgy ads rather than the real ones the browser was supposed to display; and so on.

Proofpoint's diagram showing the infection path

Some of the infection exploits also start up vulnerable services on the routers that nasties like the Mirai botnet can attack to also joyride the gateway. Devices known to be vulnerable to DNSChanger EK include:

"When attackers control the DNS server on a network, they open up the possibility of carrying out a wide range of malicious actions on devices connecting to the network," Proofpoint said last week.

"These can include banking fraud, man-in-the-middle attacks, phishing, ad fraud, and more. In this case, the DNSChanger exploit kit allows attackers to leverage what is often the only DNS server on a SOHO network – the internet router itself. In general, avoiding these attacks requires router manufacturers to regularly patch their firmware and users to regularly apply these patches."

At present, it looks as though the DNSChanger masterminds are purely looking to reroute connections meant for legitimate advertising brokers to other ad networks, via the hijacked DNS settings, so that browsers display adverts the crooks make money from.

Fogzy and TrafficBroker appear to be receiving most of this redirected traffic at the moment, and both companies have been advised that there's something dodgy going on. We were told on Monday that Fogzy has now blocked the redirection.

"Unfortunately, there is no simple way to protect against these attacks. Applying the latest router updates remains the best way to avoid exploits," Proofpoint said. Changing the username and password for the admin interface is also a good idea, as is logging out of the router when you're not fiddling with its settings. Some gateways can still be vulnerable even if you've taken these precautions.

"Changing the default local IP range, in this specific case, may also provide some protection. Neither of these solutions, though, is a typical action performed by average users of SOHO routers," the biz continued. ®
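Since the whole point of the attack is to swap the router's DNS settings, the one thing a home or small-office user can check for themselves is which resolvers their machines are actually using. The script below is an added example, not Proofpoint's or The Register's code. It parses resolver lines in the `nameserver x.x.x.x` form that a DHCP client writes to `/etc/resolv.conf`, then grades each server against what a SOHO network should look like: the gateway itself (the usual case the article describes), an approved list of upstream resolvers, or anything else, which is the signal that the router's DNS settings may have been changed. It also reports whether the LAN sits on one of the factory-default ranges, the point Proofpoint raises above. The sample file, the `198.51.100.10` "ISP resolver" and the `203.0.113.53` rogue entry are constructed placeholders from the documentation address ranges, not addresses from the campaign.

```python
import ipaddress
import re

# Ranges many SOHO routers ship with; an assumed list for this example.
COMMON_DEFAULT_LANS = [ipaddress.ip_network(n) for n in
                       ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)

# Constructed sample, as a DHCP client might write it after a router compromise.
SAMPLE_RESOLV_CONF = """# Generated by DHCP client (constructed sample)
nameserver 192.168.1.1
nameserver 198.51.100.10
nameserver 203.0.113.53
"""


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses in resolv.conf order."""
    return NAMESERVER_RE.findall(text)


def audit_dns_servers(dns_servers, lan_subnet, gateway, allowlist) -> list:
    """Grade each resolver: (server, level, reason).

    level is "ok" for the LAN gateway or an approved upstream resolver,
    "warning" for another LAN host answering DNS, and "alert" for anything
    else, which on a SOHO network usually means the router's DNS was changed.
    """
    net = ipaddress.ip_network(lan_subnet, strict=False)
    gw = ipaddress.ip_address(gateway)
    approved = {ipaddress.ip_address(a) for a in allowlist}
    findings = []
    for server in dns_servers:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "alert", "not a valid IP address"))
            continue
        if ip == gw:
            findings.append((server, "ok", "LAN gateway, the expected SOHO resolver"))
        elif ip in approved:
            findings.append((server, "ok", "on the approved upstream resolver list"))
        elif ip.version == net.version and ip in net:
            findings.append((server, "warning", "LAN host other than the gateway is serving DNS"))
        else:
            findings.append((server, "alert",
                             "resolver not approved; check the router's DNS settings"))
    return findings


def has_rogue_resolver(findings) -> bool:
    """True if any resolver was graded 'alert'."""
    return any(level == "alert" for _, level, _ in findings)


def uses_common_default_range(lan_subnet) -> bool:
    """True if the LAN is inside one of the factory-default ranges above."""
    net = ipaddress.ip_network(lan_subnet, strict=False)
    return any(d.version == net.version and net.subnet_of(d) for d in COMMON_DEFAULT_LANS)


if __name__ == "__main__":
    # Assumed site facts for the example: LAN range, gateway and the ISP's resolver.
    lan, gateway, approved = "192.168.1.0/24", "192.168.1.1", ["198.51.100.10"]
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    findings = audit_dns_servers(servers, lan, gateway, approved)
    for server, level, reason in findings:
        print(f"{level:8} {server:16} {reason}")
    print("rogue resolver present:", has_rogue_resolver(findings))     # True
    print("LAN on a factory-default range:", uses_common_default_range(lan))  # True
```

On Windows the same addresses come from `Get-DnsClientServerAddress` or `ipconfig /all`; feed them to `audit_dns_servers` the same way. Running this from a scheduled task and alerting on any "alert" finding turns the article's advice into a recurring check rather than a one-off.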
