Router list constantly updated, at least 55 models targeted

May 25, 2015 15:18 GMT  ·  By

A malicious campaign run by cybercriminals aims to change the Domain Name System (DNS) server settings in router configurations; these settings decide which servers translate domain names into addresses, and therefore whether the victim reaches the legitimate web server for a given web page.

An attacker who changes these settings can point victims to malicious locations, exposing them to risks ranging from credential theft and ad fraud to traffic interception and malware delivery.

Google public DNS address used as a failover

The cybercriminals behind this campaign rely on a technique called cross-site request forgery (CSRF), in which a malicious website makes the victim's browser send requests to a different site (here, the router's administration page) without the user's consent.

Independent security researcher Kafeine found that, as of May 18, the operation targeted 43 router models from vendors such as D-Link, Netgear, Asus, Belkin, Edimax, Zyxel, TP-Link and Linksys.

However, the list is constantly updated and has grown to more than 55 router models from a dozen vendors, the researcher says.

The attack is launched when a Google Chrome user visits a compromised website and is redirected to a server that delivers a malicious script; the script identifies the router model in use and replaces the DNS servers' IP addresses.

Kafeine says that, as a precaution, one DNS entry is left pointing to Google's public DNS as a fallback. This way, if the rogue server cannot complete the redirect (it may be offline for a short while), the correct website still loads and no alarm is raised.

DNS settings changed via command injection and dictionary attacks

The researcher noticed the campaign in April. In May, he observed that the redirect server recorded increased traffic that peaked close to 1 million connections from unique IPs on May 9. A few days later, the traffic dropped to 250,000 unique addresses.

Most of the devices were from the US and Australia, but users in Brazil, Russia, Italy, France, India, the UK, Morocco and Turkey are also affected.

The malicious script includes the local addresses for the router’s configuration page as well as a set of common credentials to try out: “admin:admin,” “admin:1234,” “admin:password,” and “admin:12345.”

Apart from this, the DNS settings are also changed by exploiting vulnerabilities in the routers. For some D-Link models, the cybercriminals leverage a remote command injection flaw (CVE-2015-1187), but older flaws (CVE-2008-1244 and CVE-2013-2645) that the vendors have already patched are also employed.

Exploiting these vulnerabilities is possible because routers have no automatic update mechanism: owners have to download the new firmware manually and apply it to the device once the vendor releases it.

Although this is not difficult, many users lack the skills to do it themselves. Sometimes the router must also be reconfigured afterwards, a task few users are willing to take on.

[Image: Traffic redirection to exploit kit observed in one week]

[Image: List of targeted routers in the malicious script]