Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malvertising Campaign Infects Your Router Instead of Your Browser (bleepingcomputer.com)

Posted by BeauHD on from the connected-devices dept.

An anonymous reader quotes a report from BleepingComputer: Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Unlike previous malvertising campaigns that targeted users of old Flash or Internet Explorer versions, this campaign focused on Chrome users, on both desktop and mobile devices. The malicious ads included in this malvertising campaign contain exploit code for 166 router models, which allow attackers to take over the device and insert ads on websites that didn't feature ads, or replace original ads with the attackers' own. Researchers haven't yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel. Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough. The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by this campaign. The "campaign" is called DNSChanger EK and works when attackers buy ads on legitimate websites and insert malicious JavaScript in these ads, "which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address," according to BleepingComputer. "Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on. For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins. The next step is for the attackers to send an image file to the user's browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography. The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers."

5 of 137 comments (clear)

  1. Re: Linux router by ArmoredDragon · · Score: 5, Interesting

    Better yet, I'd just say that it's your duty to use an ad blocker, mich like it was to use antivirus software in the past.

  2. Ad servers at fault? by Michael+Woodhams · · Score: 4, Interesting

    If you are a web advertising company, why should you ever allow advertising clients to include arbitrary Javascript in their ads? Could you not provide a Javascript library of your own to do the legitimate things ad Javascript might do, and only allow advertising clients to use simple calls into your library?

    I'm not knowledgeable about Javascript or web advertising - these are genuine questions, not rhetorical ones.

    --
    Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
    1. Re:Ad servers at fault? by Yvan256 · · Score: 5, Interesting

      The real question is, why do ads require fucking javascript in the first place? Limit ads to static images (JPEG, PNG) and we'll be done with all this nonsense.

    2. Re:Ad servers at fault? by Solandri · · Score: 5, Interesting

      That's what I'd like - an ad blocker which lets static images through but blocks any scripting or flash or other weirdness. That way instead of websites having to beg me to turn off my ad blocker, I can just tell them to find an advertiser who only serves static ads. And hopefully that would exert some pressure on the industry to abandon scripted ads in favor of static ads.

      While we're at it, I'd also like a law making the ad farm serving the ads legally liable for any damages a malicious ad does. They're the ones in the best position to vet the ads before they're unleashed onto users' browsers. The lack of liability has resulted in them not giving a damn about security, and just accepting anything handed over by anyone wishing to "advertise" and adding it to their ad rotation. If they were liable, we'd probably see them morph into a self-service website where you (1) upload the JPG/GIF you wish displayed as an ad, (2) pick which tracking service you wish to use, and (3) enter the account and ad ID that the tracking service should send the ad impression info to. Don't give "advertisers" the opportunity to script their own ads, make it a cookie cutter form so there's no way to insert anything malicious.

  3. How hard can it be? by WaffleMonster · · Score: 3, Interesting

    There is some kind of grand conspiracy of unimaginable stupidity going on with router vendors. I cannot for the life of me fathom how it is even possible to implement a consumer router so full of holes. You have to either not give a shit at all or be involved with intentional sabotage to explain the outcomes we are seeing.

    Even if routers offered no local authentication whatsoever and just simply checked HTTP_REFERER first this crap would fail outright. What is it... 2...3..4..5.. lines of code max and whole categories of remote exploitation possibilities disappear overnight.

    Unbelievable how f*****lame these exploits continue to be and how vendors are not in any way held accountable for not even trying.