Computer criminals are using the dangerous DNSChanger Exploit Kit to Infect routers with malware code rather than browsers.
DNSChanger EK Used In Dangerous Campaigns
Computer criminals have reverted to use alternative ways to infect their victims. Most of the attack campaigns target the user’s browser or file system by serving various malware or using software vulnerabilities. However that has only a limited effect. The victims in the current campaign are targeted using malicious ads that are distributed on various legitimate sites via ad networks.
Now hackers use a new exploit kit called DNSChanger which serves dangerous code to the victim’s routers instead of their browsers of computers. The compromised models number a total of 166 devices that can get compromised with malicious ads or links. The hackers can use various security vulnerabilities in one of the following ways:
- Gain access to the device
- Insert ads on web sites that do not feature such content
- Replace ads with malicious ones generated by the hackers
In most of the cases the DNSChanger exploit kit uses the Chrome web browser on Microsoft Windows and Android devices. Once the routers are infected all connected clients to the internal network are vulnerable. According to the security researchers the attacks are made in waves that are associated with large malvertising campaigns. The attack chains and patterns are similar to a large campaign that took place in the first half of 2015. This means that the hacker group is experienced at launching such attacks. Some of the identified technical details and improvements include the following:
- The attacks feature external DNS resolution for the internal addresses
- Steganography is used as a stealth method. An AES key is used to decrypt the list of default account credentials and local address resolutions
- The new attack campaign features updated router exploits, adding a total of 166 fingerprints
- In some of the cases the exploit kit modifies the network rules to render the administration port visible from the outside network. This is probably used to recruit the device to botnets like Mirai
- Android devices can be affected as well
The conclusion of the security experts who analyzed the DNSChanger exploit kit reads the following:
When attackers control the DNS server on a network, they open up the possibility of carrying out a wide range of malicious actions on devices connecting to the network. These can include banking fraud, man-in-the-middle attacks, phishing [8], ad fraud, and more. In this case, the DNSChanger exploit kit allows attackers to leverage what is often the only DNS server on a SOHO network – the internet router itself. In general, avoiding these attacks requires router manufacturers to regularly patch their firmware and users to regularly apply these patches. Router vulnerabilities affect not only users on the network but potentially others outside the network if the routers are compromised and used in a botnet. While users must take responsibility for firmware updates, device manufacturers must also make security straightforward and baked in from the outset, especially on equipment designed for the SOHO market.
To read the full analysis click here.