
New router DNS attack delivers porn and game ads on mainstream websites


Reefa

Recommended Posts

Of all the various malware attack vectors, hacking a person’s router is one of the most effective. A new report from Ara Labs highlights how router attacks have evolved in recent years, and details a new method of serving unwanted advertising via intercepted Google Analytics information.

When evil routers attack

The reason routers are tempting targets for botnet builders and NSA agents alike is because they typically function as the gateway to an entire local network. Consumers tend to forget that the router is, itself, vulnerable. It’s not at all unusual for a router to serve its entire operating lifetime running default firmware and using the stock admin/admin name and password.

Once an attacker has gained access to a local router, they can tamper with its configuration. The most common type of attack is known as DNS spoofing or cache poisoning. Here’s how it works:

[Image: Rogue_DNS-640x345.png]

When you type an address like “www.extremetech.com” into your browser, or click on a bookmarked link, your computer initially has no idea where “extremetech.com” is supposed to be online. It therefore sends a query to a Domain Name System server, asking “Where’s extremetech.com?” If the initial DNS server doesn’t know, it will query a server upstream from itself, until it finds a server that can give an actual IP address. When a server is repeatedly asked for the same information, it will cache that data locally.

By taking control of the local router, an attacker can “spoof” this system by misdirecting queries to poisoned DNS servers that are designed to return incorrect results. A request for Google.com can therefore be redirected to “www.ScamSearch.com.” The PC thinks that it’s properly directed you to the location you were seeking, because as far as the client system can tell, its query was answered by a genuine DNS server.

DNS-changing malware packages have evolved over the years — the latest versions use JavaScript to try and stealth-modify routers — but the basic mechanics of the attack have remained the same. What’s unusual about Ara Labs’ findings is that the malware specifically targets Google Analytics.

Ads Injected Via Hijacked Router DNS from AraLabs on Vimeo.

Since many websites use Google Analytics, it’s considered a perfect attack vector. Instead of aiming users at fake banking websites or bad search engines, the attack intercepts requests for Google Analytics information at a legitimate website. As the video shows, users who visit mainstream websites like the Huffington Post are seeing unusual ads injected into the web page. Instead of retrieving information from GA, the browser is pulling nefarious code from the hijacked DNS.

[Image: Gogle-Analytics-Attack.png]

The malicious JavaScript has been detected injecting ads for various games as well as hardcore pornography. It’s a significant issue for multiple reasons — not only is it built off one of the most common analysis platforms around, it breaks style formatting at the “host” websites and injects ads and overlays that appear, to the end-user, to be officially sanctioned by the site in question. No amount of system reformatting or malware scans will find the error, since the problem is embedded in the router.

Securing the system

If you think you’re suffering the effects of a DNS cache poisoning attack (or simply want to avoid one), there are a number of things you can do to lock down the problem. First and foremost, don’t use a default login and password for your router. While some routers have flaws in their web interfaces that allow for backdoor access no matter what, a large fraction of attacks against home routers succeed because people don’t change the near-ubiquitous “admin/admin” login and password combination.

If your router has a known issue that allows for unauthenticated DNS changes (as some D-Link routers do), investigate whether it’s possible to load a version of DD-WRT or one of the Tomato forks. If the manufacturer of your device isn’t providing updates that resolve these problems, third-party firmware can, in some cases, resolve the issue.

Finally, if you see inappropriate advertising on a website, or ads that appear to break page formatting or are vastly different in scope and type from what you’re used to seeing, reach out to the site itself. While many websites have contracts with third parties that provide advertising, they can still verify if you’re seeing material that’s meant to be on the site or not.

http://www.extremetech.com/extreme/202050-new-router-dns-attack-delivers-porn-and-game-ads-on-mainstream-websites
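As an added illustration of the resolution and spoofing mechanics described above, and of why the Google Analytics redirect is invisible to the client (this is not code from the article or from Ara Labs), the Python below parses a DNS response and flags any name whose router-supplied address shares nothing with what a trusted, non-router resolver returned. The response bytes and the reference answer are constructed for the example; the addresses are documentation ranges, not real indicators.

```python
import struct

# Constructed sample (not captured traffic): a DNS response to an A query for
# www.google-analytics.com as a poisoned resolver might return it; the answer
# 192.0.2.1 is a TEST-NET-1 documentation address, not a real indicator.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80"                  # transaction ID; flags: response, RA
    b"\x00\x01\x00\x01\x00\x00\x00\x00"  # QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
    b"\x03www\x10google-analytics\x03com\x00"  # question name
    b"\x00\x01\x00\x01"                  # QTYPE A, QCLASS IN
    b"\xc0\x0c"                          # answer name: pointer back to offset 12
    b"\x00\x01\x00\x01\x00\x00\x0e\x10"  # type A, class IN, TTL 3600
    b"\x00\x04\xc0\x00\x02\x01"          # RDLENGTH 4, RDATA 192.0.2.1
)
# Constructed reference: what a trusted, non-router resolver returned for the name.
REFERENCE_ANSWERS = {"www.google-analytics.com": ["198.51.100.7"]}

def read_name(pkt, off):  # read a (possibly compressed) name -> (name, offset past it)
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if not jumped else end
            off, jumped = ((ln & 0x3F) << 8) | pkt[off + 1], True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_a_records(pkt):  # -> {name: [ipv4, ...]} for A records in the answer section
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off, answers = 12, {}
    for _ in range(qdcount):
        _, off = read_name(pkt, off)
        off += 4                         # skip QTYPE and QCLASS
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # A record: four raw octets
            answers.setdefault(name, []).append(".".join(map(str, pkt[off:off + 4])))
        off += rdlen
    return answers

def detect_hijack(router_answers, reference_answers):  # names with no address in common
    return {name for name, ref in reference_answers.items()
            if router_answers.get(name) and not set(router_answers[name]) & set(ref)}
```

A non-overlapping answer set is a signal to inspect the router's DNS settings, not proof on its own, since CDN-backed names can legitimately resolve differently by resolver location; confirm by comparing the router's configured DNS servers against the ISP's or a known public resolver.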

Sir,

I am a not-so-good computer user. Besides changing the router password, can you suggest more solutions for how to protect a novice user like me? Furthermore, how can a user know if his or her computer has been turned into a botnet?

Thank you for your assistance in the matter. Apologies if these questions are too basic for you.

:showoff: :rolleyes: :lol:


A lot depends on the type of router you have.

If you post the make and model number I'm sure people will help you.



Thanks for your reply and advice.

My router is Netgear Wireless Extreme Model: WNDRMACv2.

Again, thank you very much, and I look forward to any advice provided.


Thank you... We'll be right over straight away... :wtf: :lol:
