Attackers change home routers’ DNS settings via malicious code injected in ads

Sucuri Security researchers have unearthed a malvertising campaign aimed at changing the DNS settings of home routers in order to lead users to questionable and potentially malicious websites.

The attackers have embedded the malicious code in question directly into an ad hosted on the googlesyndication.com network, the researchers claim, and the ad has been served to a variety of websites that use that particular ad service.

“The malicious code was heavily encoded and injected in the ad body. After sanitizing the code I was able to catch the decoding function that will translate all the noise,” Sucuri’s Fioravante Souza shared.

“Decoding the malicious content, I went through 2,716 blank characters before I found something malicious. It’s hard to tell if this was intentional to evade detection, but the code is there, and it is trying to change your home routers’ DNS settings and force a reboot.”

The reboot command is issued so that the router’s DNS cache is flushed and the new DNS server takes effect immediately. That server is located in California and, for the time being, does not direct users towards malicious websites, which could mean that this campaign is currently setting the stage for an eventual redirection attack.
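Because the hijack changes the resolver that the router hands out over DHCP, the practical check on a client is whether its active nameservers still match a known-good baseline. The following is an added example, not code from the article or from Sucuri: it parses resolv.conf-style text (a constructed sample is embedded) and flags any resolver that falls outside a trusted set of networks. The allowlist networks and the sample addresses are hypothetical placeholders; a real deployment would substitute the LAN range and the ISP's resolver addresses.

```python
"""Flag client DNS resolvers that deviate from an expected baseline.

Added example, not from the original article. It checks the resolver list a
client actually uses (resolv.conf-style text, here a constructed sample) against
an allowlist of trusted resolver networks, which is how a defender would notice
that a router's DHCP-advertised DNS server had been swapped.
"""
import ipaddress
from typing import Iterable, List

# Constructed allowlist: the router's own LAN range plus the ISP's resolvers.
# Both are hypothetical placeholders (TEST-NET-3 stands in for the ISP range).
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),   # LAN router acting as DNS forwarder
    ipaddress.ip_network("203.0.113.0/24"),   # ISP resolvers (placeholder range)
]

# Constructed resolv.conf sample: one expected LAN resolver and one foreign one.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0
nameserver 192.168.1.1
nameserver 198.51.100.23
search home.lan
options timeout:2
"""


def parse_nameservers(resolv_conf_text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text, in order.

    Ignores comments, blank lines and non-nameserver directives, and skips
    tokens that are not valid IP addresses rather than raising.
    """
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(str(ipaddress.ip_address(parts[1])))
        except ValueError:
            continue
    return servers


def unexpected_resolvers(servers: Iterable[str],
                         trusted=TRUSTED_RESOLVER_NETS) -> List[str]:
    """Return the resolvers not contained in any trusted network."""
    flagged = []
    for s in servers:
        addr = ipaddress.ip_address(s)
        # Address/network version mismatch simply evaluates to "not contained".
        if not any(addr in net for net in trusted):
            flagged.append(s)
    return flagged


def check_resolv_conf(text: str) -> dict:
    """Summarise a resolver check: all servers, the unexpected ones, and a verdict."""
    servers = parse_nameservers(text)
    flagged = unexpected_resolvers(servers)
    return {"servers": servers, "unexpected": flagged, "ok": not flagged}


if __name__ == "__main__":
    result = check_resolv_conf(SAMPLE_RESOLV_CONF)
    for s in result["unexpected"]:
        print(f"WARNING: unexpected DNS resolver {s} (possible router DNS change)")
    print("resolver baseline OK" if result["ok"] else "resolver baseline VIOLATED")
```

Run periodically (or on every DHCP lease renewal) and alert on a non-empty `unexpected` list; the same comparison can be applied to the DNS fields scraped from the router's own admin page, which is where this campaign's change would show up first.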