December 15, 2016 By Larry Loeb 2 min read

Proofpoint recently discovered a variant of the DNSChanger exploit kit (EK), which is commonly used in malvertising campaigns. The latest version infects physical internet routers through web browsers. But instead of poking holes in a victim’s browser or computer, DNSChanger exploits vulnerabilities in the router itself.

A Router Attack, Rerouted

The method of the attack is fairly sophisticated in execution. It starts when a cybercriminal buys legitimate ad space on a website and posts a file that has been poisoned with JavaScript. At first, the JavaScript simply makes a Web Real-Time Communication (WebRTC) request directed at a Mozilla STUN server that will be able to deliver the victim’s local IP address.

The attacker then tries to determine whether the victim is using a home or small business network. These networks are commonly attached to many vulnerable routers. If the victim’s IP is already known or exists outside the targeted range, he or she will be sent down a decoy path to view a benign, third-party advertisement. This allows the malware to avoid detection.

Hidden Keys

Unlucky victims, however, will be directed to a tainted ad. This .png file has JavaScript-extractable HTML code hidden inside the comment field, which pushes the victim to the landing page of the true exploit. The exploit server then passes the browser a small image.

The EK uses that image to load an Advanced Encryption Standard (AES) key hidden inside the image via steganography. That AES key is used to hide the next commands sent from the command-and-control (C&C) server. The vulnerable router list is then transferred, along with any suggested exploits. The EK looks for them on the network, infecting as it goes.

Once infected, the router serves malicious ads at will. Regardless of the initial infection vector, the malware changes the router’s Domain Name System (DNS) entries and infects any device that connects to it.

Mitigating DNSChanger

According to Bleeping Computer, targeted routers include Linksys, Netgear, D-Link, Comtrend, Pirelli and Zyxel. Users should upgrade their router firmware to the latest version to begin protecting themselves.

It’s not enough to simply use stronger router passwords, since the attack comes through the browser and bypasses all router security. However, users can also be cautious about the ads they click and work to avoid malvertising.

More from

ONCD releases 2024 Report on the Cybersecurity Posture of the U.S.

4 min read - On May 7, the Office of the National Cyber Director (ONCD) released the 2024 Report on the Cybersecurity Posture of the United States. This new document is a report card on how well cyber policy followed the guidelines set by the National Cybersecurity Strategy, introduced in March 2023. Here’s what you need to know about the newly released report. Fundamental shifts in cyber roles Over the past year, the U.S. national cybersecurity posture was driven by the 2023 National Cybersecurity…

CISA wants private industry to publicly commit to Secure by Design

4 min read - The tech industry has the power to protect the world from nation-state threat attacks, cyber crime and those wanting to compromise data and manipulate critical infrastructure. But with this power comes great responsibility, which, to be honest, the tech industry has not been that interested in holding. But at the RSA Conference (RSAC) in San Francisco, the cybersecurity and tech communities took steps to exert some power and take responsibility. They took the Secure by Design pledge, a promise to…

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today