Malvertising campaign targets/infects vulnerable routers

Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting.

Discovered by security researchers from US security firm Proofpoint, this malvertising campaign is powered by a new exploit kit called DNSChanger EK.

The way this entire operation works is by crooks buying ads on legitimate websites. The attackers insert malicious JavaScript in these ads, which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address.

Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on.

For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins.

The next step is for the attackers to send an image file to the user's browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography.

The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers.

/snip

Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough.

The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by the DNSChanger EK.

This malvertising campaign has nothing to do with the exploit against Netgear routers that came to light over the weekend, or the malvertising campaign discovered by ESET last week, which embedded malicious code inside the pixels of banner ads.

Full article at BleepingComputer