Malvertising campaign compromises routers instead of computers

The DNSChanger exploit kit is back and more effective than ever, and is being used in a widespread malvertising attack whose goal is to compromise small/home office routers.

According to Proofpoint researchers, the attackers’ current main goal is to change DNS records on the target router, so that it queries the attacker’s rogue DNS servers, and the users are served with ads that will earn the attackers money.

Bad ads and DNSChanger EK compromise routers to serve bad ads

But, “when attackers control the DNS server on a network, they open up the possibility of carrying out a wide range of malicious actions on devices connecting to the network. These can include banking fraud, man-in-the-middle attacks, phishing, ad fraud, and more. In this case, the DNSChanger exploit kit allows attackers to leverage what is often the only DNS server on a SOHO network – the internet router itself,” Proofpoint researcher Kafeine noted.

The execution of the attack

It all starts with ads on legitimate sites. When served to a potential victim, they ping an attackers’ server and it “asks” their computer to share its local IP address.

If the IP address is already known, or is not in the targeted ranges, the user is served with a legitimate ad and the attack ends there.

But if the IP address makes the cut, the victim is served with a bad ad (a PNG file) that contains HTML code in the comment field that redirects victims to the landing page of the DNSChanger EK, and some JavaScript that executes all this.

After checking the IP address one more time, the DNSChanger EK loads multiple functions and an AES key concealed with steganography in a small image.

“This key will be used to decrypt the list of [router] fingerprints which can be deduplicated to 129 items,” Kafeine noted. “The victim’s browser will then try to locate and identify the router used in the network.”

The results of the recon are sent back to the exploit kit, and it then sends instructions on how to compromise that specific router model.

“This attack is determined by the particular router model that is detected during the reconnaissance phase. If there is no known exploit, the attack will attempt to use default credentials; otherwise, it will use known exploits to modify the DNS entries in the router and, when possible (observed for 36 fingerprints out of the 129 available), it will try to make administration ports available from external addresses. In this way, it will expose the router to additional attacks like those performed by the Mirai botnets,” Kafeine explained.

Once the router is compromised, its DNS settings are changed, and it’s ready to steal traffic from some large web ad agencies and sell it to two other ones. Whether the latter know that they are buying stolen traffic is still unknown, but they have now been notified of it.

How to prevent your router getting compromised?

The range of exploits used by the kit is wide, and potentially vulnerable router models are not easy to identify.

“The most secure approach for end users is to consider that all known exploits are integrated in this kind of exploit kit, and thus all routers should be updated to the last known firmware,” Kafeine advises. Of course, whether their manufacturers push out adequate firmware promptly is another matter.

Using ad-blocking software should also minimize the risk of getting hit through this and other malvertising campaigns.

According to Kafeine, the current one is successfully targeting Chrome browser users on Windows desktops and Android devices.

Also, this is not the first time that attackers are successfully using steganography to deliver and run malicious code. Earlier this month, ESET researchers flagged a malvertising campaign that redirected users to the Stegano exploit kit through malicious code hidden in the pixels of the bad ads/banners.

Don't miss