Malvertising attack takes control over home routers
Wed 14 Dec 2016

A newly discovered malvertising campaign is serving exploit code to infect routers, instead of browsers, in an attempt to insert malicious ads across every site that a user visits.
The attack, discovered by U.S. cybersecurity firm Proofpoint, is based on the exploit kit DNSChanger EK. Cybercriminals are executing the campaign by purchasing ads on legitimate websites and inserting malicious JavaScript, which uses a WebRTC request to a Mozilla STUN server to identify the user’s local IP address.
Once the local IP address is obtained, the code can determine whether or not the user is on a local network managed by a small home router. If the check returns a negative result, the criminals simply display a random legitimate ad and move on to the next target.
On the other hand, victims marked as ‘valuable’ receive an infected ad which redirects them to the landing page of the DNSChanger EK. From here, the attackers send an image file to the user’s browser containing an AES encryption key. The key is used to decrypt further traffic from the DNSChanger EK.
Proofpoint explains that after the users receive the encryption key, the DNSChanger EK sends each user a list of router ‘fingerprints’.
The malicious ad uses the fingerprints to test which router type the user is connected to, and reports back to the exploit kit’s server. The DNSChanger EK then responds with exploit packages that can commandeer the router and modify its DNS settings to direct traffic through the criminals’ servers.
Proofpoint notes that in cases where the router model allows this, the attackers can attempt to open the router’s administration ports to external connections, exposing the router to further attacks. The researchers say that they have seen attackers open up administration ports for 36 routers.
Once the attackers have control over the router, they are able to replace legitimate ads with infected versions and even insert them onto sites which don’t typically host ads.
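A defender-side check for the outcome of the chain described above, added here as an example and not part of Proofpoint's analysis or the original article: it flags resolvers handed out by the router that are neither on the LAN nor on a trusted allowlist, and domains whose answers from the configured resolver disagree with a reference resolver. The resolv.conf text, the allowlist and the DNS answers are constructed samples (documentation addresses from RFC 5737 stand in for real ones).

```python
"""Spot DNSChanger-style resolver tampering on a home network (constructed example)."""
import ipaddress
import re

# RFC 1918 ranges: a resolver inside one of these is normally the home router itself.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolvers(resolv_conf: str) -> list:
    """Extract the nameserver addresses from resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, flags=re.MULTILINE)


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def find_rogue_resolvers(resolvers, trusted) -> list:
    """Resolvers that are neither on the LAN nor in the trusted allowlist."""
    return [r for r in resolvers if not is_private(r) and r not in trusted]


def find_redirected_domains(observed: dict, reference: dict) -> dict:
    """Domains whose answer via the configured resolver differs from the reference answer."""
    return {d: (observed[d], reference[d]) for d in reference if d in observed and observed[d] != reference[d]}


# Constructed sample: a resolv.conf as pushed by a hijacked router; 203.0.113.25 (TEST-NET-3)
# stands in for the attacker-controlled resolver.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.25
"""
TRUSTED = {"1.1.1.1", "8.8.8.8"}  # assumed allowlist of resolvers the household actually chose
# Constructed answers: OBSERVED from the configured resolver, REFERENCE from a trusted one.
OBSERVED = {"example.com": "203.0.113.7", "example.net": "198.51.100.9"}
REFERENCE = {"example.com": "192.0.2.10", "example.net": "198.51.100.9"}


def audit():
    rogue = find_rogue_resolvers(parse_resolvers(SAMPLE_RESOLV_CONF), TRUSTED)
    redirected = find_redirected_domains(OBSERVED, REFERENCE)
    return rogue, redirected


if __name__ == "__main__":
    rogue, redirected = audit()
    for r in rogue:
        print(f"unexpected resolver: {r}")
    for d, (o, ref) in redirected.items():
        print(f"{d}: configured resolver answers {o}, reference resolver answers {ref}")
```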
The Proofpoint analysis confirmed that the malvertising attack mainly targets users of Google Chrome on Windows and on Android.
While Proofpoint has not yet compiled a concrete list of affected router models, it did point out popular brands such as Belkin, Linksys, Netgear, Motorola and D-Link.