Home routers find themselves under attack in ongoing malvertising blitz
DNSChanger has been causing computers behind compromised routers to visit fraudulent domains
Malicious ads on legitimate websites are now targeting visitors with malware. But the malware does not affect users’ computers, researchers have stated. Instead, it causes unsecured routers to connect to fraudulent domains.
Using a technique known as steganography, the ads hide malicious code inside their image data. The hidden code then redirects targets to web pages hosting DNSChanger, an exploit kit that infects routers running unpatched firmware or secured with weak administrative passwords. Once a router is compromised, DNSChanger configures it to use an attacker-controlled domain name system (DNS) server. This causes most computers on the network to visit fraudulent servers rather than the servers that legitimately correspond to the domains they request.
Patrick Wheeler, director of threat intelligence for security firm Proofpoint, stated, “These findings are significant because they demonstrate clearly that ubiquitous and often-overlooked devices are being actively attacked, and once compromised, these devices can affect the security of every device on the network, opening them up to further attacks, pop-ups, malvertising, etc. Thus, the potential footprint of this kind of attack is high and the potential impact is significant.”
"This attack is determined by the particular router model that is detected during the reconnaissance phase," a Proofpoint researcher who uses the moniker Kafeine wrote in a blog post. "If there is no known exploit, the attack will attempt to use default credentials." In the event there are no known exploits and no default passwords, the attack aborts.
DNSChanger uses a set of real-time communications protocols known as WebRTC to send STUN server requests, a mechanism primarily used in VoIP communications, to discover the network the victim is on. The exploit funnels code through the Chrome browser for Windows and Android to reach the network router. The attack compares the router it reaches against 155 fingerprints of known vulnerable router firmware images. A typical wave of malicious ads runs for several days at a time, served through legitimate ad networks and displayed on legitimate websites.
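Because the damage described above is a changed DNS server setting, the practical check for a home or small-office network is to audit which resolvers clients are actually handed (and which upstream resolvers the router itself is configured with) against the ones you expect. The following script is an added example, not code from the article or from Proofpoint; the trusted-resolver list, the LAN ranges and the sample resolv.conf are constructed assumptions to adjust to your own network.

```python
"""Audit DNS resolver addresses for signs of a hijacked router.

Feed it the nameservers a client received via DHCP (e.g. from
/etc/resolv.conf) and, separately, the upstream DNS servers shown in the
router's admin page: a DNSChanger-style compromise surfaces as a public
resolver address nobody on the network sanctioned.
"""
import ipaddress

# Constructed allow-list: the public resolvers this network is expected to use.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Addresses that legitimately point at the router itself or the local host.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 equivalents
)]


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def classify_resolver(addr: str) -> str:
    """'local' = on the LAN (normally the router forwarding for clients),
    'trusted' = on the allow-list, 'suspicious' = anything else, including garbage."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "suspicious"
    if any(ip in net for net in LAN_RANGES):
        return "local"
    return "trusted" if addr in TRUSTED_RESOLVERS else "suspicious"


def audit_resolvers(servers: list[str]) -> list[tuple[str, str]]:
    """Pair each resolver with its verdict; any 'suspicious' entry warrants a look at the router."""
    return [(s, classify_resolver(s)) for s in servers]


# Constructed sample: the router hands out itself plus an unknown public resolver
# (203.0.113.77 is from the TEST-NET-3 documentation range, not a real server).
SAMPLE_RESOLV_CONF = """# Generated by DHCP client
search lan
nameserver 192.168.1.1
nameserver 203.0.113.77
"""

if __name__ == "__main__":
    for server, verdict in audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)):
        print(f"{server:16} {verdict}")
```

A 'local' verdict only means clients are pointed at the router; since DNSChanger changes the router's own upstream setting, run the same classification on the DNS servers listed in the router's WAN configuration.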