Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malvertising Campaign Infects Your Router Instead of Your Browser (bleepingcomputer.com)

Posted by BeauHD on from the connected-devices dept.

An anonymous reader quotes a report from BleepingComputer: Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Unlike previous malvertising campaigns that targeted users of old Flash or Internet Explorer versions, this campaign focused on Chrome users, on both desktop and mobile devices. The malicious ads included in this malvertising campaign contain exploit code for 166 router models, which allow attackers to take over the device and insert ads on websites that didn't feature ads, or replace original ads with the attackers' own. Researchers haven't yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel. Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough. The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by this campaign. The "campaign" is called DNSChanger EK and works when attackers buy ads on legitimate websites and insert malicious JavaScript in these ads, "which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address," according to BleepingComputer. "Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on. For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins. The next step is for the attackers to send an image file to the user's browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography. The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers."

60 of 137 comments (clear)

  1. Linux router by ls671 · · Score: 2

    Just configure a Linux router and be done with this non-sense (flashing your router, etc.). That's what I have been doing since 1995.

    --
    Everything I write is lies, read between the lines.
    1. Re: Linux router by ArmoredDragon · · Score: 5, Interesting

      Better yet, I'd just say that it's your duty to use an ad blocker, mich like it was to use antivirus software in the past.

    2. Re:Linux router by Anonymous Coward · · Score: 1

      I use a Pentium space heater from 1995 as my router, because I love the soothing roar of fan noise, and Linux saves me so much money on the heating bill.

    3. Re: Linux router by starless · · Score: 2

      Better yet, I'd just say that it's your duty to use an ad blocker, mich like it was to use antivirus software in the past.

      The trouble is that more and more sites are now not allowing you to access them without turning off your ad-blocker.
      So far I've been avoiding those sites, but if the trend continues I might have to do so for at least some sites...

    4. Re: Linux router by KiloByte · · Score: 3, Insightful

      Yes, ads are malware. They waste your time, attention, bandwidth and battery time, and run hostile third-party code on your machine.

      Let's take a look at Wikipedia take at it:

      Malware, short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.

      Check, check, check and check.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:Linux router by unixisc · · Score: 1

      I was using a Belkin router w/ my PC-BSD laptop, and I'd occasionally get under Chromium an ad where a voice announcement would start and there was no way I could even close the browser - it just seemed to lock it. My only escape was to log out and back in. I ultimately changed the router for a Netgear and escaped the problem.

      I wish I could know how to trouble shoot it so that the router could be fixed.

    6. Re:Linux router by antdude · · Score: 1

      How easy is it compared to a real router? Running computers as a router takes too much power, makes too much heat and noises, etc. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    7. Re: Linux router by ArsenneLupin · · Score: 1

      The trouble is that more and more sites are now not allowing you to access them without turning off your ad-blocker.

      Indeed, there is the German tabloid "Bild Zeitung" which does this (no big loss...). Which other site does this?

      And, if you are so inclined, Bild's block is easy to subvert: just do View->PageStyle->NoStyle. Yeah, "No Style", quite fitting for that rag.

    8. Re: Linux router by AmiMoJo · · Score: 2

      Some banks require you to use anti-virus software. If you don't and your money is stolen, they will try to blame you and not pay out.

      I'm just waiting for the first bank to start asking customers if they run an ad-blocker and then claiming the lack of one is poor security and shifts the liability on to the account holder.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re: Linux router by amias · · Score: 1

      banks trying to make their policies seem like law to customers is nothing new

      --
      [site]
    10. Re: Linux router by starless · · Score: 1

      Indeed, there is the German tabloid "Bild Zeitung" which does this (no big loss...). Which other site does this?

      Forbes and Wired are the ones I notice the most.

    11. Re:Linux router by pnutjam · · Score: 1

      You can pick up microtik router for under $40, their routerOS is not open source, but it's very powerful. They also support wireless better then bsd or linux and many of their low cost routers have wireless.

      --
      Cheap storage VM.
    12. Re: Linux router by ArsenneLupin · · Score: 1
      No problem with Wired here.

      For Forbes however, you're right. Interesting to see that they've sunk down to the level of Bildzeitung...

    13. Re:Linux router by mlts · · Score: 1

      I personally prefer PFSense with 2FA. Bonus points if the config page is on its own segment so most machines can't access it.

      Done right, it is extremely hard for malware to get access to the configuration, much less trash it.

    14. Re: Linux router by Cramer · · Score: 1

      That's a game of whack-a-mole. It only takes a few minutes to break their anti-adblocker bullshit. At the end of the day, it's my browser; I control what it does or does not do. Pornhub started randomizing ids, which you'd think would kill adbolckers, but they've done it so wrong, it's only two mouse clicks to defeat. cpu-world, despite their (impressive) highly complicated, multi-thousand line crap, is defeated by a single rule.

  2. it's always JavaScript by turkeydance · · Score: 4, Insightful

    well, it seems that way.

  3. That's why I encrypted the firmware in my router by jfdavis668 · · Score: 4, Funny

    Of course, it doesn't work any more, but now I am safe.

  4. Netgear by 110010001000 · · Score: 2

    This fits in nicely with the recent attack that works on Netgear routers where you can execute a cgi-bin script as root without authorization. http://lifehacker.com/psa-seve...

    Seriously. What the fuck? Cgi-bin exploits in 2016?

    1. Re:Netgear by ls671 · · Score: 1

      yep, along with shellshock in 2014...

      https://en.wikipedia.org/wiki/...

      --
      Everything I write is lies, read between the lines.
    2. Re:Netgear by DigitAl56K · · Score: 1

      Most home routers have similar exploits (executing commands via a web interface while not authenticated), either currently or recently. While I can't defend Netgear in this instance, we also shouldn't falsely make people believe they are the worst of the bunch (IMO DLink is in the running for that honor).

      For anyone affected, Netgear has a beta FW update on their support site today. You need to manually upload it to your router via the web console.

  5. More router fun by Anonymous Coward · · Score: 1

    If this link or this link reboots your router, you should probably also seek new firmware (or better firmware like dd-wrt/openwrt/tomato). It would be fun to embed those as invisible images on Google for a day...

    1. Re:More router fun by Anonymous Coward · · Score: 1

      Jokes on you, my router's ip address is 127.0.0.1. Links won't wor%^&()!@@# __CARRIER LOST

  6. Ads and eyeballs by JaredOfEuropa · · Score: 4, Insightful

    Everybody hates ads, but in the end, it is ads that drove the value of companies like Google and Facebook to ridiculous heights (in fact it drove the last Internet bubble), and is now encouraging criminals to go to ridiculous lengths to serve us their ads instead of legitimate ones. What is wrong with this world?

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:Ads and eyeballs by Anonymous Coward · · Score: 2, Insightful

      What is wrong with this world?

      Nobody in the west is executing criminals.

      captcha: contempt

    2. Re:Ads and eyeballs by GuB-42 · · Score: 1

      Nobody in the west is executing criminals.

      Unlike browsers, which execute criminal scripts.

    3. Re:Ads and eyeballs by JaredOfEuropa · · Score: 1

      I suspect ad agencies make shit ads on purpose because they work. And publishers aren't going to reject them because they need the income.

      The best ads I've ever seen were from an insurance company, they were well made and really funny. Everybody loved them, and talked about them at the water cooler. "Did you see that ad?", yes of course, but if you asked people to name the insurance company, turns out they forgot.

      In contrast, one of the worst ads was from a supermarket. It had a guy literally shout out the bargains: "THIS WEEK AT EDAH, CHOCOLATE DONUTS FROM €3.99 FOR €1.99". Everybody hated those ads: "Not this again, damnit, too loud, why do they even do that, they are the worst... though, €1.99 is a pretty good deal".

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  7. Ad servers at fault? by Michael+Woodhams · · Score: 4, Interesting

    If you are a web advertising company, why should you ever allow advertising clients to include arbitrary Javascript in their ads? Could you not provide a Javascript library of your own to do the legitimate things ad Javascript might do, and only allow advertising clients to use simple calls into your library?

    I'm not knowledgeable about Javascript or web advertising - these are genuine questions, not rhetorical ones.

    --
    Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
    1. Re:Ad servers at fault? by guruevi · · Score: 2

      Then how would you do things like tracking your users or serving them exploits or show them ads that pop up/under or cover the entire screen?

      If ads can't be annoying they would have less value.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Ad servers at fault? by Yvan256 · · Score: 5, Interesting

      The real question is, why do ads require fucking javascript in the first place? Limit ads to static images (JPEG, PNG) and we'll be done with all this nonsense.

    3. Re:Ad servers at fault? by Solandri · · Score: 5, Interesting

      That's what I'd like - an ad blocker which lets static images through but blocks any scripting or flash or other weirdness. That way instead of websites having to beg me to turn off my ad blocker, I can just tell them to find an advertiser who only serves static ads. And hopefully that would exert some pressure on the industry to abandon scripted ads in favor of static ads.

      While we're at it, I'd also like a law making the ad farm serving the ads legally liable for any damages a malicious ad does. They're the ones in the best position to vet the ads before they're unleashed onto users' browsers. The lack of liability has resulted in them not giving a damn about security, and just accepting anything handed over by anyone wishing to "advertise" and adding it to their ad rotation. If they were liable, we'd probably see them morph into a self-service website where you (1) upload the JPG/GIF you wish displayed as an ad, (2) pick which tracking service you wish to use, and (3) enter the account and ad ID that the tracking service should send the ad impression info to. Don't give "advertisers" the opportunity to script their own ads, make it a cookie cutter form so there's no way to insert anything malicious.

    4. Re:Ad servers at fault? by Big+Hairy+Ian · · Score: 1

      Static images can also be used to deliver exploits too

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  8. WebRTC by Motherfucking+Shit · · Score: 5, Informative

    which use a WebRTC request to a Mozilla STUN server to determine the user's local IP address

    Yay, more garbage Web 3.0 anti-features! In Firefox, go to about:config and set these preferences:

    media.peerconnection.enabled = false
    media.peerconnection.video.enabled = false
    media.peerconnection.turn.disable = true
    media.peerconnection.use_document_iceservers = false

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    1. Re:WebRTC by guruevi · · Score: 1

      I don't have a problem with features like WebRTC, there is a problem with browsers just allowing it to do things without asking. If you got a message saying, hey this site is trying to make a phone call. Or simply block all code that doesn't originate from the website you're trying to visit.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:WebRTC by raind · · Score: 1

      Using latest FF update 50.1.0 last two were not listed in about:config - thanks though...

      --
      Get up!
    3. Re:WebRTC by jmv · · Score: 1

      Except that WebRTC is very useful, and (at least in principle) much more secure than most proprietary conferencing services. For example, it has (and mandates) end-to-end encryption, with perfect forward secrecy.

      (disclaimer: I work for Mozilla)

      --
      Opus: the Swiss army knife of audio codec
    4. Re:WebRTC by caseih · · Score: 3, Insightful

      Well tell the devs to ensure that anytime a web site initiates any kind of WebRTC traffic, the user is asked to okay this (with an option to remember). Make the message clear and easy to understand. Something like, "This web site is trying to initiate a internet telephone or internet video chat connection with another computer. Is this something you asked the web page to do?" Or how about letting the user opt into some kind of safe-webRTC list that tracks known "bad" webrtc connection attempts reported by users.

      But maybe we should just stop trying to make a web browser do everything and be its own OS. If an app wants to embed a browser engine as it's primary UI and use WebRTC, that's fine, since we can sandbox it on a per-app basis.

    5. Re:WebRTC by Anonymous Coward · · Score: 1

      FF addon uBlock Origin offer a setting to: Prevent WebRTC from leaking local IP addresses. Default setting is off.

    6. Re:WebRTC by jmv · · Score: 1

      Well tell the devs to ensure that anytime a web site initiates any kind of WebRTC traffic, the user is asked to okay this (with an option to remember).

      This is exactly what's *already* supposed to happen. Otherwise any website could spy on anyone.

      But maybe we should just stop trying to make a web browser do everything and be its own OS.

      Browsers will keep doing more stuff because people want them to do more. The choice we have is between proprietary binary plugins or actual standards. I'd rather have html5 than flash.

      --
      Opus: the Swiss army knife of audio codec
  9. Yep, NoScript is my default defence by evanh · · Score: 2

    Most sites I simply don't engage if they require any scripting at all.

    Before NoScript existed I just left scripting disabled at all times. Now I also use additional selective blocking, ie: all third party scripts, for the few sites that I deem important (banking, Google Maps) to use scripts on.

    1. Re:Yep, NoScript is my default defence by another_twilight · · Score: 1

      Have a look at uMatrix. It has a very intuituve interface. It's not stopping the scripts, but rather allows you to block connections by type and domain. I find that this cuts down the amount of fiddling with NoScript/Scriptsafe that I used to do.

  10. Re:A trap for stupid people by Anonymous Coward · · Score: 1

    I get my DHCP and my DNS from dnsmasq in my router because I don't feel the need to have an necessary dongle waving around like an epeen to impress gay hipster idiots.

  11. Summary is misleading by Anonymous Coward · · Score: 4, Informative

    Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough. The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by this campaign.

    Apparently anonymous reader didn't read the actual article, where it says:

    The exploit packages contain vulnerabilities or list of hardcoded admin credentials that can allow the crooks to control the victim's local router.

    Updating your firmware will not help with this. It is an issue of admin passwords being left at the default on 99.99% of routers. The admin password is used to change DNS settings on the router, which allows the attackers to redirect any traffic they want.

    1. Re:Summary is misleading by mrbester · · Score: 1

      Joke's on them then: I have a BT Home Hub 5. Can't change DNS settings on those babies.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  12. Re:For more protection vs. threats like this? by Anonymous Coward · · Score: 1

    Here we go, again.

    A hosts file, alone, is insufficient to protect you, as you admit

    P.S.=> I don't allow script in my browser

    Few users, these days, are using machines to browse that are constrained by resources. Saving 100MB of RAM may have been noticeable in the 90s, but where RAM is measured in GBs, 100MB is a single digit percentage gain. It's simply not noticeable in most cases. Even more so with IO or CPU. Using a hosts file will use less resources than an ad-blocker, but that is irrelevant in most cases.

    Blocking ads via a browser add-on that allows wild-cards allows blocking of domains based on format, rather than exhaustive listing. Add-ons update more frequently and require no user intervention. This cannot be overstated. Security that is automatic and easy will be used where security that might be better, but requires manual intervention will not (in the cast majority of cases).

    That just leaves edge cases - hardening DNS, blocking resolution for non-browser software. Maybe there are people for whom this is necessary, but for the vast majority of users, hosts file blacklist are not even part of the answer.

    YT

  13. How hard can it be? by WaffleMonster · · Score: 3, Interesting

    There is some kind of grand conspiracy of unimaginable stupidity going on with router vendors. I cannot for the life of me fathom how it is even possible to implement a consumer router so full of holes. You have to either not give a shit at all or be involved with intentional sabotage to explain the outcomes we are seeing.

    Even if routers offered no local authentication whatsoever and just simply checked HTTP_REFERER first this crap would fail outright. What is it... 2...3..4..5.. lines of code max and whole categories of remote exploitation possibilities disappear overnight.

    Unbelievable how f*****lame these exploits continue to be and how vendors are not in any way held accountable for not even trying.

    1. Re:How hard can it be? by WaffleMonster · · Score: 1

      Yes, another obstacle to cross, but HTTP_REFERER also can be spoofed. You would effectively have to implement an authentication scheme with HTTP_REFERER to achieve anything but a temporary effect.

      No it can't, not by your *BROWSER*. Any avenue to spoof is a security bug and has been treated as such for at least a decade.

      My comments are not about absolute protection of router from local access by a malicious HTTP client it is about preventing CSRF the lowest hanging fruit out there.

  14. How would that make you safe? by Sycraft-fu · · Score: 5, Insightful

    You know a large number of commercial routers run on Linux, right? The Linux kernel isn't some magic sauce that makes you immune to hacking. On the contrary, we see flaws in programs that run on Linux all the time, these being one of them. An exploit like this can work on anything, it isn't limited just to prepackaged routers.

    So what you mean is get an x64 system and run a Linux distro, with some built in tools for configuring routing. Ok... So long as it doesn't have any bugs they can exploit or check for, you are fine. If it does, well then you are back to having to update... if an update is available. A lot of the router-type Linux distros aren't very well maintained. Smoothwall, the one I hear the most crowing about, had its last release in 2014.

    If you were going to point to something freely available, BSD would probably be a better bet in the form of PFSense as it is actually maintained and supported pretty well. Of course the fact that it runs on BSD is incidental to its security, it is (as best we know) secure because it has competent programmers who maintain it regularly.

    However the real problem is that for many people, this is just not affordable. When you try and do all your routing and filtering in software on an x64 chip, you find you need a lot of power to push traffic. The CPUs aren't designed with routing in mind so they aren't super fast at it. PFSense needs about a 2.4GHz 4 core atom to push a gigabit of traffic, and then only if the ruleset is reasonably simple. That's about $550 for an appliance from Netgate that can do that, and that is with no wireless. Well for $180 a Netgear R7000 will push a gig of traffic no issue, and comes with a 3x3 802.11ac radio that does 2.4 and 5ghz at the same time. Likewise an EdgeRouter Lite gets a gig and is wired only for $100. They pull that off by having chips with dedicated routing logic on board.

    For normal users it also needs to be easy. A suggestion of "Assemble a computer from parts, load Linux, configure routing in text files and you are good," is totally unreasonable. Even something like buying an appliance and loading code on to it from a cold state is out of reach for most people. They need a ready-made solution.

    1. Re:How would that make you safe? by skids · · Score: 2

      You know a large number of commercial routers run on Linux, right?

      ...with a bunch of utter trash piled on top, wherein the exploitable code likely lies, given the large number of individualized signatures this campaign seems to be using.

      A basic OpenWRT with only what you need to connect to the Internet has a much smaller code surface. To the extent it looks at the packets above L3 at all, it does so only to build NAT helper rules and for DNS caching. You've got LUCI, dnsmasq, and dropbear listening on the internal network. At worst, you decided you needed uPnP and installed it. There's really not much reason to install much else than that.

      --
      Someone had to do it.
    2. Re:How would that make you safe? by Anonymous Coward · · Score: 1

      An exploit like this can work on anything, it isn't limited just to prepackaged routers.

      I suspect this is due to poorly made in-house administration interfaces that are not protected against cross-site request forgery (CSRF) attacks, use default admin credentials, and perhaps have remote code execution vulnerabilities. This combination in particular can be exploited from any javascript code fragment your browser executes, within normal security constraints (no violation of same-origin policy etc required). I have seen even worse cases than that.

      Installing a widely-used open source router operating system or even building from a normal Linux distribution yourself would most likely lead to not having those vulnerabilities, simply because you would not have such an admin interface (unless you explicitly install a bad one yourself).

    3. Re:How would that make you safe? by AmiMoJo · · Score: 1

      Many Buffalo routers run a modified version of DD-WRT. They are cheap, supported and seem to be quite secure.

      The most useful advice is to not use the router your ISP provided, or anything by TPLink, Netgear or Linksys. Malware targets popular devices for maximum return on investment, and those three have proven to be incompetent too many times.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:How would that make you safe? by pnutjam · · Score: 1

      Pick up a Mikrotik device running RouterOS, they have them for under $40 with wireless.

      --
      Cheap storage VM.
    5. Re:How would that make you safe? by Bob+the+Super+Hamste · · Score: 1

      You should have gone with one of these little guys with 8GB ram and a 120GB SSD for about $250. It has no problem keeping up on my 120/40Mbps internet connection with Snort in IPS mode, Squid with ClamAV to MitM all web traffic (yes I have it set up to MitM SSL/TLS), and also doing some DNS level blocking of shit sites (a list of sites that offer some files to use as input can be found here). At most I have gotten it to 50% cpu usage (usually on startup) and the hottest it has run was about 29C.

      --
      Time to offend someone
    6. Re:How would that make you safe? by ebvwfbw · · Score: 1

      You have fallen prey to the BSD security myth. They spouted this nonsense a lot about a decade ago. How superior they were. Then a bunch of people simply ported the old, patched Linux vulnerabilities to BSD and they had a bad few years.

      They are no better than anyone else (well except Microsoft, everyone is better than they are).

      Today to say BSD is more secure is just crazy. They are way behind Linux. SELinux.. and so on and so on. I don't even bother to boot their stuff up anymore and I used to be a real fan of BSD. Love to be a fan again, bring it into the 2000s. BSD is missing a lot now. I think it's great if you need a simple Unix type machine to learn on. After you're competent with that you can move onto a real OS like Linux.

  15. Hosts files work vs. this threat by Anonymous Coward · · Score: 1, Insightful

    See subject: Blocking out both javascript downloaded from adserver domains & other parts in servers used in this malware's communication:

    0.0.0.0 onclickads.net
    0.0.0.0 popcash.net
    0.0.0.0 cdn.taboola.com
    0.0.0.0 taboola.com
    0.0.0.0 widgets.outbrain.com
    0.0.0.0 outbrain.com
    0.0.0.0 cdn.engine.4dsply.com
    0.0.0.0 engine.4dsply.com
    0.0.0.0 4dsply.com
    0.0.0.0 cdn.engine.phn.doublepimp.com
    0.0.0.0 phn.doublepimp.com
    0.0.0.0 doublepimp.com
    0.0.0.0 modificationserver.com
    0.0.0.0 expensiveserver.com
    0.0.0.0 immediatelyserver.com
    0.0.0.0 respectsserver.com
    0.0.0.0 ad.reverencegserver.com
    0.0.0.0 reverencegserver.com
    0.0.0.0 parametersserver.com
    0.0.0.0 phosphateserver.com
    0.0.0.0 cigaretteinserver.com
    0.0.0.0 pix1.payswithservers.com
    0.0.0.0 pix2.payswithservers.com
    0.0.0.0 pix3.payswithservers.com
    0.0.0.0 pix4.payswithservers.com
    0.0.0.0 pix5.payswithservers.com
    0.0.0.0 pix6.payswithservers.com
    0.0.0.0 pix7.payswithservers.com
    0.0.0.0 pix8.payswithservers.com
    0.0.0.0 pix9.payswithservers.com
    0.0.0.0 pix10.payswithservers.com
    0.0.0.0 pix11.payswithservers.com
    0.0.0.0 pix12.payswithservers.com
    0.0.0.0 pix13.payswithservers.com
    0.0.0.0 pix14.payswithservers.com
    0.0.0.0 sub1.domain254.com
    0.0.0.0 sub1.domain254.com
    0.0.0.0 sub2.domain254.com
    0.0.0.0 sub3.domain254.com
    0.0.0.0 sub4.domain254.com
    0.0.0.0 sub5.domain254.com
    0.0.0.0 sub6.domain254.com
    0.0.0.0 sub7.domain254.com
    0.0.0.0 sub8.domain254.com
    0.0.0.0 sub9.domain254.com
    0.0.0.0 sub10.domain254.com
    0.0.0.0 sub11.domain254.com
    0.0.0.0 sub12.domain254.com
    0.0.0.0 sub13.domain254.com
    0.0.0.0 sub14.domain254.com
    0.0.0.0 sub15.domain254.com
    0.0.0.0 sub16.domain254.com
    0.0.0.0 sub17.domain254.com
    0.0.0.0 sub18.domain254.com
    0.0.0.0 domain254.com
    0.0.0.0 sub16.domain.com
    0.0.0.0 sub17.domain.com
    0.0.0.0 domain.com
    0.0.0.0 stun.services.mozilla.com
    0.0.0.0 services.mozilla.com

    APK

    P.S.=> Data Source = https://www.proofpoint.com/us/... ... apk

  16. For more protection vs. threats like this? by Anonymous Coward · · Score: 1

    See subject & best hosts file creator APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

    Ads rob speed, security (malvertising) & privacy (tracking).

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively.

    Works vs. caps & PUSH ads.

    Avg. page = big as Doom http://www.theregister.co.uk/2... & ads = 40% of it.

    Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity.

    Compliments firewalls (blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load).

    Gets data via 10 security sites.

    APK

    P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "seen the code & it's safe" http://forum.hosts-file.net/vi... )

  17. Re: For more protection vs. threats like this? by Anonymous Coward · · Score: 1, Funny

    You're like an ad. What's the hosts entry to block you?

  18. Nonsense by evanh · · Score: 1

    I'm no guru but you're not making any sense talking about ads. If ads happen to end up blocked then that's just a side effect of poorly constructed website.

  19. Patched it 4 years ago on my DD-WRT router by henk717 · · Score: 1

    Luckily i already heard of this theoretical method years ago and have patched my router accordingly. I run a DD-WRT router so the flexibility is endless, on bootup a script runs that kills the webservice and then restarts it on a non standard port. So next time i get "infected" with this exploit kit, all they can do is endlessly scan my network for routers and once they find it they have no preprogrammed way of connecting.

  20. Change your routers pw by AHuxley · · Score: 1

    from username, password and the code moves on.

    --
    Domestic spying is now "Benign Information Gathering"
  21. Re:That's why I encrypted the firmware in my route by silentcoder · · Score: 1

    I pulled all the cables out of mine, more secure than your solution and less labour required.

    --
    Unicode killed the ASCII-art *