New router attack altering DNS settings, stealing ad traffic from infected users

Posted:
in General Discussion edited December 2016
A second wide-spread attack on vulnerable home networking equipment is underway, with the latest attack redirecting an afflicted network's traffic, including that from Apple users, to fraudulent domains and opening up the routers to further attack.




The "DNSChanger" attack vector hides malicious code intended to assault routers in specifically crafted images. The code inside redirects viewers to webpages hosting router-infecting malware itself. The webpages then attack routers running out of date firmware or ones that are secured with weak, default administrative passwords.

"Once compromised, these devices can affect the security of every device on the network, opening them up to further attacks, pop-ups, malvertising, et cetera," security firm Proofpoint's Director of Threat Intelligence Patrick Wheeler told Ars Technica. "The potential footprint of this kind of attack is high and the potential impact is significant."

Pages serving the first stage of the DNSChanger exploit check a user's IP address. Should the user fall in the targeted range, the attack continues. After the target is identified by the first phase of the malware, an image is then served to the victim designed to impact that particular router.

DNSChanger uses the webRTC protocol to launch the attack in the second image. Should the user under attack be utilizing Chrome for Android or Chrome, the attack then identifies the router further, and will alter one of 166 vulnerable router firmwares.

Proofpoint says that it is impossible to list all vulnerable routers, but the D-Link DSL-2740R, Netgear WNDR3400v3 (plus related models), and Netgear R6200 are all subject to attack. At this time, it does not appear that Apple's routers are able to be exploited in such a fashion.

The researchers have discovered that the malicious ads containing the first wave of the attack are being hosted in waves lasting several days at a time through legitimate ad networks and displayed on ordinary, and otherwise safe websites.

After the malware is successfully installed, all devices connected through the router, including Apple ones, are redirected to less legitimate ad agencies -- connections generally not secured or authenticated by HTTPS.

At present, ads from Propellerads, Popcash, Taboola, OutBrain, and AdSupply are affected, and re-routing to Fogzy and TrafficBroker.

In addition to redirecting advertising traffic, the assault also attempts to open up remote administration ports on the router, allowing for other attacks. Proofpoint researchers do not believe that this "DNSchanger" attack is directly related to the wide Netgear security vulnerability from Dec. 14, but victims of the latest attack are opened up to the older vector.

"Router vulnerabilities affect not only users on the network but potentially others outside the network if the routers are compromised and used in a botnet," said Proofpoint in a blog post about the attack. "While users must take responsibility for firmware updates, device manufacturers must also make security straightforward and baked in from the outset."

Near the end of November, reports started circulating backed by AppleInsider sources, that Apple may be ending the AirPort family. Former AirPort engineers are now reportedly working on other teams, including Apple TV development.

The internal changes suggest that Apple has no plans to update its existing lineup of routers, including the AirPort Extreme, Time Capsule, and AirPort Express, but do not discount the possibility of the functionality being added to a different product. Apple's AirPort Express network extender and AirPlay audio target has not even been updated to the 802.11ac wi-fi specification.
gilly017
«1

Comments

  • Reply 1 of 24
    SoliSoli Posts: 8,680member
    This is one reason I'd like for Apple to continue making routers.
    r00fus1airbubbledysamoriamacseekerdasanman69SpamSandwichmagman1979gilly017watto_cobrabadmonk
  • Reply 2 of 24
    macxpressmacxpress Posts: 4,791member
    Soli said:
    This is one reason I'd like for Apple to continue making routers.
    Just don't buy a shitty router...problem solved! If you're only paying $20-30 for a router then thats probably not a good thing. If people would have purchased an AirPort/Time Capsule more than Apple sees then maybe they wouldn't be dropping them. Apple knows something we don't. 
    watto_cobra
  • Reply 3 of 24
    SoliSoli Posts: 8,680member
    macxpress said:
    If people would have purchased an AirPort/Time Capsule more than Apple sees then maybe they wouldn't be dropping them.
    Your placement of maybe in your comment implies that they are dropping their routers.
  • Reply 4 of 24
    gatorguygatorguy Posts: 20,282member
    It does make some of the new "smart" routers more attractive since security updates that block just this type of thing (and others) are handled quickly and efficiently. I won't recommend particular names but they're well worth looking into and many are exceptionally easy to set up even for someone who has never done so before. 
    edited December 2016 macxpress
  • Reply 5 of 24
    I'd normally just leave a comment to "use Apple routers" but given the current direction, I'll adjust my messaging: "Do not use Netgear, TP-Link, D-Link, Cisco/Linksys consumer gear. Use router companies that pay attention like Eero, Ubiquiti"
    pscooter63
  • Reply 6 of 24
    blastdoorblastdoor Posts: 1,894member
    I wonder -- what makes an ad network "legitimate"? 

    dysamoria
  • Reply 7 of 24
    macxpressmacxpress Posts: 4,791member
    Soli said:
    macxpress said:
    If people would have purchased an AirPort/Time Capsule more than Apple sees then maybe they wouldn't be dropping them.
    Your placement of maybe in your comment implies that they are dropping their routers.
    I would say AirPort and Time Capsule are done, but that doesn't mean they're absolutely done making a router. I still think they could make an all-in-one connected device. The fact that the AirPort team has been "reassigned" makes me think something like this could be a possibility, assuming they're still using them as wireless engineers. 
    tmaypropod
  • Reply 8 of 24
    blastdoorblastdoor Posts: 1,894member
    r00fus1 said:
    I'd normally just leave a comment to "use Apple routers" but given the current direction, I'll adjust my messaging: "Do not use Netgear, TP-Link, D-Link, Cisco/Linksys consumer gear. Use router companies that pay attention like Eero, Ubiquiti"
    But how sure are we that those companies you cite as "good" will remain "good" in the future? Suppose they are bought out by one of the "bad" companies and stop providing firmware updates? And really... are these companies well known enough and with a long enough track record for us to have the same confidence in them that we have in Apple? 
    propodGeorgeBMac
  • Reply 9 of 24
    SoliSoli Posts: 8,680member

    macxpress said:
    Just don't buy a shitty router...problem solved! If you're only paying $20-30 for a router then thats probably not a good thing.

    1) Here's are some of the routers on the list. None are in a $20–30 range. I don't even know what is.
    • Neatgear R6200 - $78
    • NetGear WNDR3400v3 - $78 
    • D-Link DSL-2740R - $77

    2) Cost, volume, profit margin, and brand can help lead to more attention in SW, but there is no guarantee of anything. Apple certainly has had its share with major security issues. The cost of your Mac couldn't save you from Thunderstrike, and potentially makes it more of a target.

  • Reply 10 of 24
    SoliSoli Posts: 8,680member
    macxpress said:
    Soli said:
    macxpress said:
    If people would have purchased an AirPort/Time Capsule more than Apple sees then maybe they wouldn't be dropping them.
    Your placement of maybe in your comment implies that they are dropping their routers.
    I would say AirPort and Time Capsule are done, but that doesn't mean they're absolutely done making a router. I still think they could make an all-in-one connected device. The fact that the AirPort team has been "reassigned" makes me think something like this could be a possibility, assuming they're still using them as wireless engineers. 
    WiFi isn't going away so they still need wireless engineers indefinitely. If the rumour of Apple creating their own Amazon Echo and Amazon Dot competitors are true, that might be a good place to put the next generation hub. 
    gilly017
  • Reply 11 of 24
    So they mentioned Chrome being used to identify the router. No mention of whether this is only possible through Chrome, and that if you were using Firefox or Edge that it wouldn't work? Why mention only Chrome and not further qualify there statements by talking about other browsers?
    baconstangGeorgeBMac
  • Reply 12 of 24
    dysamoriadysamoria Posts: 1,981member
    "A second attack wide-spread attack on..."
  • Reply 13 of 24
    lkrupplkrupp Posts: 6,789member
    At this time, it does not appear that Apple’s routers are able to be exploited in such a fashion."


    watto_cobra
  • Reply 14 of 24
    Mike WuertheleMike Wuerthele Posts: 4,343administrator
    So they mentioned Chrome being used to identify the router. No mention of whether this is only possible through Chrome, and that if you were using Firefox or Edge that it wouldn't work? Why mention only Chrome and not further qualify there statements by talking about other browsers?
    Original report said just Chrome, which is what we said too.
    watto_cobra
  • Reply 15 of 24
    gatorguygatorguy Posts: 20,282member
    So they mentioned Chrome being used to identify the router. No mention of whether this is only possible through Chrome, and that if you were using Firefox or Edge that it wouldn't work? Why mention only Chrome and not further qualify there statements by talking about other browsers?
    Original report said just Chrome, which is what we said too.
    I read that Firefox specifically is another browser that can be used. Just a guess but I would think any browser that uses WebRTC would work. DNS Changer has been used for redirecting ad revenue for awhile...
    http://blog.trendmicro.com/trendlabs-security-intelligence/dns-changer-malware-sets-sights-on-home-routers/
    ...with a couple of Russians being among the first prosecuted for profiting from it from my reading

    If using Chrome I believe some of the script blockers such as ScriptSafe and NoScript will prevent DNS Changer from working.
    edited December 2016
  • Reply 16 of 24
    Soli said:
    This is one reason I'd like for Apple to continue making routers.
    I'd like them to make secure mesh routers.
  • Reply 17 of 24
    SoliSoli Posts: 8,680member
    Soli said:
    This is one reason I'd like for Apple to continue making routers.
    I'd like them to make secure mesh routers.
    As I've stated on other threads, I wouldn't be surprised if that's the direction they're heading.
  • Reply 18 of 24
    I use an ASUS RT-AC68U, and it just got a firmware update for multiple items including OpenSSL, OpenVPN, XSS cross scripting vulnerabilities, and more. Routers like these, properly configured by the owner, and maintained with updates, should be ok, but we're now seeing a new frontier in malicious attacks, one which I've been predicting for years due to the completely insecure nature of these devices and ignorant owners not taking the time to set them up properly.
    So they mentioned Chrome being used to identify the router. No mention of whether this is only possible through Chrome, and that if you were using Firefox or Edge that it wouldn't work? Why mention only Chrome and not further qualify there statements by talking about other browsers?
    Original report said just Chrome, which is what we said too.
    This is just ONE of MANY reasons I strip those junk browsers off ANY PC or Mac I find at work, causes nothing but problems and security issues.
  • Reply 19 of 24
    volcanvolcan Posts: 1,770member
    r00fus1 said:
    I'd normally just leave a comment to "use Apple routers" but given the current direction, I'll adjust my messaging: "Do not use Netgear, TP-Link, D-Link, Cisco/Linksys consumer gear. Use router companies that pay attention like Eero, Ubiquiti"

    As far as I know Linksys was not mentioned as vulnerable and they do make some highly rated consumer models although a little pricey.  Cisco is one of the highest rated enterprise router companies so I would expect some of that technology to make its way into their consumer line. Check out the following review as an example.

    http://www.pcmag.com/review/347847/linksys-ea9500-max-stream-ac5400-mu-mimo-gigabit-router
    edited December 2016
  • Reply 20 of 24
    volcan said:
    r00fus1 said:
    I'd normally just leave a comment to "use Apple routers" but given the current direction, I'll adjust my messaging: "Do not use Netgear, TP-Link, D-Link, Cisco/Linksys consumer gear. Use router companies that pay attention like Eero, Ubiquiti"

    As far as I know Linksys was not mentioned as vulnerable and they do make some highly rated consumer models although a little pricey.  Cisco is one of the highest rated enterprise router companies so I would expect some of that technology to make its way into their consumer line. Check out the following review as an example.

    http://www.pcmag.com/review/347847/linksys-ea9500-max-stream-ac5400-mu-mimo-gigabit-router
    Just as an FYI...Linksys is no longer owned by Cisco. They were sold to Belkin back in 2013. Cisco didn't really do anything for the Linksys brand IMO...they kinda ruined them a little. The only started to be good again when they were sold to Belkin. 
    Solivolcanpscooter63damn_its_hot
Sign In or Register to comment.