The Christmas season can be the busiest time of the year for online shopping in many countries. Researchers at Proofpoint have recently announced the discovery of a new and improved version of the DNSChanger Exploit Kit.
“Since the end of October, we have seen an improved version of the “DNSChanger EK”  used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims’ home or small office (SOHO) routers. ” states the analysis published by ProofPoint.
The malware is used in malvertising campaigns and targets home routers.
When a victim clicks on a malicious link the malware, differently from most exploit kits in the wild, doesn’t attack the operating system or the browser but the home or small office router.
Once the router is compromised the victim’s internet traffic can be routed to any possible phishing sites and the victim could remain under constant malvertising attack that would help criminal to increase the damage they cause.
The similarities this attack campaign has with the “CSRF Soho Pharming” campaign uncovered at the beginning of 2015 suggests the same actors could be behind this new view of the attack. However, researchers note that several improvements were made to the exploit kit, which renders it more dangerous.
“Attack pattern and infection chain similarities led us to conclude that the actor behind these campaigns was also responsible for the “CSRF (Cross-Site Request Forgery) Soho Pharming” operations in the first half of 2015 .” continues the analysis.
The new version includes some additional features such as;
The victim is initially compromised by advertisements on legitimate websites. Once the malware is installed on the victim’s browser (Chrome for Windows and Android), it tries to locate and identify the router. The exploit kit then receives the instructions to exploit that specific make/model. The exploit kit makes extensive use of steganography techniques such as HTML code hidden in the comment field of a PNG file.
DNSChanger seems to target large ad agencies by redirecting their traffic to other third party ad services.
The malware can currently exploit a large number of different router make and models including the following newly added exploits;
There are currently no real effective mitigation techniques for this attack except making sure the router firmware is updated to the latest version.
Any attack compromising the DNS on any network can provide the attacker with a wide range of new attack vectors including man-in-the-middle, frauds, and phishing attacks.
Written by: Alper Başaran
Alper Basaran provides business process focused and goal oriented penetration testing services to his customers. Based in Turkey he has expanded his operations to the Middle East.
(Security Affairs – Odinaff malware, banking)