Slashdot Mirror
Malvertising Campaign Infects Your Router Instead of Your Browser (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Unlike previous malvertising campaigns that targeted users of old Flash or Internet Explorer versions, this campaign focused on Chrome users, on both desktop and mobile devices. The malicious ads included in this malvertising campaign contain exploit code for 166 router models, which allow attackers to take over the device and insert ads on websites that didn't feature ads, or replace original ads with the attackers' own. Researchers haven't yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel. Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough. The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by this campaign. The "campaign" is called DNSChanger EK and works when attackers buy ads on legitimate websites and insert malicious JavaScript in these ads, "which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address," according to BleepingComputer. "Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on. For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins. The next step is for the attackers to send an image file to the user's browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography. The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers."
well, it seems that way.
Everybody hates ads, but in the end, it is ads that drove the value of companies like Google and Facebook to ridiculous heights (in fact it drove the last Internet bubble), and is now encouraging criminals to go to ridiculous lengths to serve us their ads instead of legitimate ones. What is wrong with this world?
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Yes, ads are malware. They waste your time, attention, bandwidth and battery time, and run hostile third-party code on your machine.
Let's take a look at Wikipedia take at it:
Malware, short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.
Check, check, check and check.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Well tell the devs to ensure that anytime a web site initiates any kind of WebRTC traffic, the user is asked to okay this (with an option to remember). Make the message clear and easy to understand. Something like, "This web site is trying to initiate a internet telephone or internet video chat connection with another computer. Is this something you asked the web page to do?" Or how about letting the user opt into some kind of safe-webRTC list that tracks known "bad" webrtc connection attempts reported by users.
But maybe we should just stop trying to make a web browser do everything and be its own OS. If an app wants to embed a browser engine as it's primary UI and use WebRTC, that's fine, since we can sandbox it on a per-app basis.
You know a large number of commercial routers run on Linux, right? The Linux kernel isn't some magic sauce that makes you immune to hacking. On the contrary, we see flaws in programs that run on Linux all the time, these being one of them. An exploit like this can work on anything, it isn't limited just to prepackaged routers.
So what you mean is get an x64 system and run a Linux distro, with some built in tools for configuring routing. Ok... So long as it doesn't have any bugs they can exploit or check for, you are fine. If it does, well then you are back to having to update... if an update is available. A lot of the router-type Linux distros aren't very well maintained. Smoothwall, the one I hear the most crowing about, had its last release in 2014.
If you were going to point to something freely available, BSD would probably be a better bet in the form of PFSense as it is actually maintained and supported pretty well. Of course the fact that it runs on BSD is incidental to its security, it is (as best we know) secure because it has competent programmers who maintain it regularly.
However the real problem is that for many people, this is just not affordable. When you try and do all your routing and filtering in software on an x64 chip, you find you need a lot of power to push traffic. The CPUs aren't designed with routing in mind so they aren't super fast at it. PFSense needs about a 2.4GHz 4 core atom to push a gigabit of traffic, and then only if the ruleset is reasonably simple. That's about $550 for an appliance from Netgate that can do that, and that is with no wireless. Well for $180 a Netgear R7000 will push a gig of traffic no issue, and comes with a 3x3 802.11ac radio that does 2.4 and 5ghz at the same time. Likewise an EdgeRouter Lite gets a gig and is wired only for $100. They pull that off by having chips with dedicated routing logic on board.
For normal users it also needs to be easy. A suggestion of "Assemble a computer from parts, load Linux, configure routing in text files and you are good," is totally unreasonable. Even something like buying an appliance and loading code on to it from a cold state is out of reach for most people. They need a ready-made solution.
See subject: Blocking out both javascript downloaded from adserver domains & other parts in servers used in this malware's communication:
0.0.0.0 onclickads.net
0.0.0.0 popcash.net
0.0.0.0 cdn.taboola.com
0.0.0.0 taboola.com
0.0.0.0 widgets.outbrain.com
0.0.0.0 outbrain.com
0.0.0.0 cdn.engine.4dsply.com
0.0.0.0 engine.4dsply.com
0.0.0.0 4dsply.com
0.0.0.0 cdn.engine.phn.doublepimp.com
0.0.0.0 phn.doublepimp.com
0.0.0.0 doublepimp.com
0.0.0.0 modificationserver.com
0.0.0.0 expensiveserver.com
0.0.0.0 immediatelyserver.com
0.0.0.0 respectsserver.com
0.0.0.0 ad.reverencegserver.com
0.0.0.0 reverencegserver.com
0.0.0.0 parametersserver.com
0.0.0.0 phosphateserver.com
0.0.0.0 cigaretteinserver.com
0.0.0.0 pix1.payswithservers.com
0.0.0.0 pix2.payswithservers.com
0.0.0.0 pix3.payswithservers.com
0.0.0.0 pix4.payswithservers.com
0.0.0.0 pix5.payswithservers.com
0.0.0.0 pix6.payswithservers.com
0.0.0.0 pix7.payswithservers.com
0.0.0.0 pix8.payswithservers.com
0.0.0.0 pix9.payswithservers.com
0.0.0.0 pix10.payswithservers.com
0.0.0.0 pix11.payswithservers.com
0.0.0.0 pix12.payswithservers.com
0.0.0.0 pix13.payswithservers.com
0.0.0.0 pix14.payswithservers.com
0.0.0.0 sub1.domain254.com
0.0.0.0 sub1.domain254.com
0.0.0.0 sub2.domain254.com
0.0.0.0 sub3.domain254.com
0.0.0.0 sub4.domain254.com
0.0.0.0 sub5.domain254.com
0.0.0.0 sub6.domain254.com
0.0.0.0 sub7.domain254.com
0.0.0.0 sub8.domain254.com
0.0.0.0 sub9.domain254.com
0.0.0.0 sub10.domain254.com
0.0.0.0 sub11.domain254.com
0.0.0.0 sub12.domain254.com
0.0.0.0 sub13.domain254.com
0.0.0.0 sub14.domain254.com
0.0.0.0 sub15.domain254.com
0.0.0.0 sub16.domain254.com
0.0.0.0 sub17.domain254.com
0.0.0.0 sub18.domain254.com
0.0.0.0 domain254.com
0.0.0.0 sub16.domain.com
0.0.0.0 sub17.domain.com
0.0.0.0 domain.com
0.0.0.0 stun.services.mozilla.com
0.0.0.0 services.mozilla.com
APK
P.S.=> Data Source = https://www.proofpoint.com/us/... ... apk