
Windows And Android Malvertising Campaign Puts Home Routers Under Attack

Security researchers at Proofpoint have identified a new malvertising attack on internet routers that ensnares victim networks through legitimate websites which unknowingly serve malicious advertisements.

Targeting Windows and Android devices, the ‘DNSChanger Exploit Kit’ (EK) preys on vulnerabilities in victims’ home or small office (SOHO) routers and attacks via infected web browsers.

Although the attack is initially limited to Android and Windows, once a router has been compromised, all users who then connect to it will be vulnerable to further malvertising attacks, regardless of their browser or operating system.

Router raid

According to Proofpoint, the attacks occur “in waves that are likely associated with ongoing malvertising campaigns lasting several days.

“DNSChanger will use webRTC to request a STUN server via stun.services.mozilla[.]com and determine the victim’s local IP address. If the victim’s public IP is already known or their local IP is not in the targeted ranges, they will be directed to a decoy path where a legitimate advertisement from a third party ad agency is displayed. If the client passes this check then a fake advertisement will be displayed to the victim.”

A series of checks and decryptions then takes place, with the attack being determined by the router model and whether there are any known vulnerabilities to exploit. Although Proofpoint says it is not possible to provide a definitive list of vulnerable routers, it has identified some that are at risk. These include the D-Link DSL-2740R, the COMTREND ADSL Router CT-5367 C01_R12 and the Netgear R6200.

Although there is “no simple way to protect against these attacks,” updating routers to the latest known firmware is suggested as “the best way to avoid exploits.” Disabling remote administration, changing the default local IP range and installing ad-blocking browser add-ons can also provide some protection.
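The advice to move off the default local IP range can be checked across several networks at once. The sketch below is an added example, not code from Proofpoint or the original article; the subnet list and the site inventory are assumptions constructed for illustration, since the ranges the kit targets are not given here.

```python
import ipaddress

# Assumption: common factory-default SOHO LAN subnets. Illustrative only;
# this is NOT the exploit kit's target list, which the article does not give.
ASSUMED_DEFAULT_SUBNETS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/24",
)]


def audit_lan(cidr):
    """Classify one LAN addressing plan against the assumed default subnets."""
    try:
        # strict=False accepts a host address with prefix, e.g. 192.168.1.23/24
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return "invalid"
    if net.version != 4:
        return "not-ipv4"
    if not net.is_private:
        return "not-private"
    # overlaps() also catches a wide plan such as 192.168.0.0/16 that
    # contains a default /24, not only exact matches.
    if any(net.overlaps(default) for default in ASSUMED_DEFAULT_SUBNETS):
        return "default-range"
    return "non-default"


def audit_sites(inventory):
    """Map each site name to its verdict."""
    return {site: audit_lan(cidr) for site, cidr in inventory.items()}


# Constructed sample inventory (hypothetical site names and addressing plans).
SAMPLE_INVENTORY = {
    "home-office": "192.168.1.23/24",
    "branch-a": "192.168.0.0/16",
    "branch-b": "10.73.19.0/24",
    "lab": "172.16.5.0/24",
    "typo-entry": "router.local",
}

if __name__ == "__main__":
    for site, verdict in audit_sites(SAMPLE_INVENTORY).items():
        print(f"{site:12} {SAMPLE_INVENTORY[site]:18} {verdict}")
```

Sites reported as `default-range` are candidates for renumbering; the check says nothing about firmware level or remote administration, which need to be verified on the device itself.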

Ultimately though, Proofpoint believes manufacturers should be doing more to increase security: “While users must take responsibility for firmware updates, device manufacturers must also make security straightforward and baked in from the outset, especially on equipment designed for the SOHO market.”

“It is incumbent upon router manufacturers to develop mechanisms for simple, user-friendly updates to their hardware.”


Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.
