DNSChanger Exploit kit targets Home routers in malvertising campaign

Pierluigi Paganini December 18, 2016

Security experts observed malvertising campaign leveraging the DNSChanger malware to compromise multiple models of home routers.

The Christmas season can be the busiest time of the year for online shopping in many countries. Researchers at Proofpoint have recently announced the discovery of a new and improved version of the DNSChanger Exploit Kit.

“Since the end of October, we have seen an improved version of the “DNSChanger EK” [1] used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims’ home or small office (SOHO) routers. ” states the analysis published by ProofPoint

The malware is used in malvertising campaigns and targets home routers.

When a victim clicks on a malicious link the malware, differently from most exploit kits in the wild, doesn’t attack the operating system or the browser but the home or small office router.

Once the router is compromised the victim’s internet traffic can be routed to any possible phishing sites and the victim could remain under constant malvertising attack that would help criminal to increase the damage they cause.

The similarities this attack campaign has with the “CSRF Soho Pharming” campaign uncovered at the beginning of 2015 suggests the same actors could be behind this new view of the attack. However, researchers note that several improvements were made to the exploit kit, which renders it more dangerous.

“Attack pattern and infection chain similarities led us to conclude that the actor behind these campaigns was also responsible for the “CSRF (Cross-Site Request Forgery) Soho Pharming” operations in the first half of 2015 [1].” continues the analysis.

The new version includes some additional features such as;

  • External DNS resolution for internal addresses
  • An AES key to decrypt the list of fingerprints / default credentials and local resolutions
  • Dozens of recent router exploits
  • When possible the exploit kit modifies the network rules to make the administration ports available from external addresses, exposing the router to additional attacks like those perpetrated by the Mirai botnets
  • The malvertising chain is now accepting Android devices as well.

dnschanger exploit kit-routers

The victim is initially compromised by advertisements on legitimate websites. Once the malware is installed on the victim’s browser (Chrome for Windows and Android), it tries to locate and identify the router. The exploit kit then receives the instructions to exploit that specific make/model. The exploit kit makes extensive use of steganography techniques such as HTML code hidden in the comment field of a PNG file.

DNSChanger seems to target large ad agencies by redirecting their traffic to other third party ad services.

The malware can currently exploit a large number of different router make and models including the following newly added exploits;

  • D-Link DSL-2740R
  • COMTREND ADSL Router  CT-5367 C01_R12
  • NetGear WNDR3400v3 (and likely other models in this series)
  • Pirelli ADSL2/2+ Wireless Router P.DGA4001N
  • Netgear R6200

There are currently no real effective mitigation techniques for this attack except making sure the router firmware is updated to the latest version.

Any attack compromising the DNS on any network can provide the attacker with a wide range of new attack vectors including man-in-the-middle, frauds, and phishing attacks.

Alper Basaran on PLC-based wormWritten by:  Alper Başaran

About the Author: Alper Başaran is a Hacker and Penetration Tester – Buccaneer of the Interwebs, he owns the Turkish blog alperbasaran.com.

Alper Basaran provides business process focused and goal oriented penetration testing services to his customers. Based in Turkey he has expanded his operations to the Middle East.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Odinaff malware, banking)

[adrotate banner=”12″]



you might also like

leave a comment