Malware delivered by bad ads takes over your home router to serve more bad ads (for now)

Proofpoint has identified a new version of DNSChanger EK, a strain of malware that changes your DNS settings so that the ads on the websites you browse are replaced with other ads that benefit the attackers -- and which can also be used for more nefarious ends, because controlling your DNS means controlling things like where your computer gets software updates.

The new strain uses a combination of novel and established techniques to compromise its targets. First, it serves malvertising to users running Windows and Android. This malvertising consists of a PNG image and some Javascript. The PNG's comment field contains some HTML, which is extracted by the Javascript and run (hiding the malicious HTML in the PNG's comment field allows it to sneak past some malvertising checkers; using Javascript to activate it allows the malware to confine its activities to vulnerable systems).

The system, having ascertained that its target is vulnerable, then requests at Mozilla STUN server, which allows traffic to traverse the target's home router/firewall, and which can be used to ascertain the target's local IP address, which initiates a series of steps in which more attack code is sent hidden in images, which is then used to ascertain the target's router model and version.

The system has a catalog of exploits against known router vulnerabilities, and if the target's router is on this manifest, the system returns a targeted attack that is used to take over the router; otherwise, the system tries a series of default username/password logins on the router. If the system succeeds in penetrating the router, it changes the network-wide DNS settings (which are usually set when your device requests an IP address from the router), to a poisoned set of DNS servers that do the ad-swap, enriching the attackers.

This is a remarkable attack in several ways: first, its initial vector is malvertising, a growing problem that is spurring adoption of ad-blockers, and an ad-blocker-blocker arms race (Sarah Jeong's XOXO talk on ad-blockers is a must-watch on this subject). Second, the system hides its payloads in images, which is part of a trend to stegonography in malware delivery; finally, for all its sophistication, the attack is extremely unambitious, using a humdrum advertising fraud to enrich its creators, rather than stealing banking credentials or covertly taking over the users' cameras and mics for blackmail, or encrypting all the targets' files for a ransomware attack.

I'm going to make four predictions here:

1. This attack will be shown to be vulnerable to countermeasures aimed at its DNS servers (blocking at ISP levels, criminal prosecutions, etc) and there will be some evolution toward a rotating pool of "bulletproof" servers for the DNS.

2. Ad networks will respond to the growing use of stego with statistical checks: for example, checking the compressability, size, etc of PNG comments against a histogram of known-good PNGs to flag potential hidden malware payloads (similar checks can be done on the hue/transparency/value/saturation histogram of pixels in images to catch this sort of thing. These anti-stego checks are generally very effective, and in the absence of any legitimate use of these encodings, will eventually pop the malvertising stego bubble, but there will be stragglers in the ad-tech who will adopt these countermeasures late.

3. A criminal marketplace for router-level DNS compromises will develop, allowing criminals with different revenue strategies (bank fraud, blackmail, ransomware) to bulk-buy pre-compromised systems for their attacks.

4. Home routers will remain a fucking dumpster fire of security vulnerabilities.

When attackers control the DNS server on a network, they open up the possibility of carrying out a wide range of malicious actions on devices connecting to the network. These can include banking fraud, man-in-the-middle attacks, phishing [8], ad fraud, and more. In this case, the DNSChanger exploit kit allows attackers to leverage what is often the only DNS server on a SOHO network - the internet router itself. In general, avoiding these attacks requires router manufacturers to regularly patch their firmware and users to regularly apply these patches. Router vulnerabilities affect not only users on the network but potentially others outside the network if the routers are compromised and used in a botnet. While users must take responsibility for firmware updates, device manufacturers must also make security straightforward and baked in from the outset, especially on equipment designed for the SOHO market.

Home Routers Under Attack via Malvertising on Windows, Android Devices [Proofpoint]

Malvertising Campaign Infects Your Router Instead of Your Browser [Catalin Cimpanu/Bleeping Computer]

(via /.)

Start the discussion at