Malvertisement attack to home routers

DNSChanger is back!

DNSChanger is malware that infected millions of computers across the world in 2012. It works by changing the DNS server entries on infected machines so that they point to malicious servers under the attackers' control rather than to the DNS servers provided by the ISP.
So, whenever a user tries to open a website, the malicious DNS server can respond with the address of, for example, a phishing site.

Researchers at Proofpoint have discovered a new widespread malvertising campaign in which a new version of DNSChanger is being spread using steganography to hide the malicious code inside image data.
Once it hits your system, instead of infecting your PC it takes control of your unsecured router.
Proofpoint has found that the DNSChanger exploit kit targets more than 166 router models: it goes after routers that run unpatched firmware or are secured with weak admin passwords.

According to researchers, some of the vulnerable routers include:

  • D-Link DSL-2740R
  • NetGear WNDR3400v3 (and likely other models in this series)
  • Netgear R6200
  • COMTREND ADSL Router CT-5367 C01_R12
  • Pirelli ADSL2/2+ Wireless Router P.DGA4001N

Is there a mitigation?

Proofpoint says:

Unfortunately, there is no simple way to protect against these attacks. Applying the latest router updates remains the best way to avoid exploits. Changing the default local IP range, in this specific case, may also provide some protection. Neither of these solutions, though, is a typical action performed by average users of SOHO routers. As a result, it is also incumbent upon router manufacturers to develop mechanisms for simple, user-friendly updates to their hardware.

Moreover, while we understand that advertising is an important component of the web publishing ecosystem, in some cases, ad-blocking browser add-ons might prevent these kinds of attacks when they originate through malvertising.
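As an added, defender-side example (not from the Proofpoint report or from this post), the following Python check looks for the two symptoms the mitigations above address: resolvers handed to clients, or set upstream on the router, that are neither the router itself nor on an allowlist, and a LAN still sitting on a factory-default address range. The allowlist, the sample resolv.conf and all addresses are constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: a DHCP client's resolv.conf on a home LAN. The second
# nameserver is a made-up public address standing in for an attacker's resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.53
search lan
"""

# Assumed allowlist: the resolvers this household actually chose (ISP or public).
TRUSTED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}

# Factory LAN ranges an exploit kit probes first; the post's second mitigation
# is to move the router off them. Constructed, not an exhaustive list.
DEFAULT_LAN_RANGES = [ipaddress.ip_network(n) for n in
                      ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(nameservers: List[str], router: str) -> Dict[str, object]:
    """Classify resolvers relative to the router's LAN interface, e.g. '192.168.1.1/24'.

    Usable on the client view (resolv.conf) and on the router's own upstream DNS
    list: a resolver that is neither the router nor allowlisted is the DNSChanger
    symptom wherever it shows up.
    """
    iface = ipaddress.ip_interface(router)
    local, suspicious = [], []
    for ns in nameservers:
        ip = ipaddress.ip_address(ns)
        if ip == iface.ip:
            local.append(ns)        # forwarding via the router: audit its upstream list too
        elif ns not in TRUSTED_RESOLVERS:
            suspicious.append(ns)   # unexpected resolver pushed to clients or set upstream
    return {
        "local": local,
        "suspicious": suspicious,
        "lan_on_default_range": any(iface.ip in net for net in DEFAULT_LAN_RANGES),
    }
```

A client that only sees the router as its resolver is not proof of a clean setup: the same function has to be run against the DNS servers configured in the router's WAN settings.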
