Malicious code is heavily obfuscated to evade detection

Oct 21, 2014 22:51 GMT  ·  By

A rogue advertisement injected in a large online advertising network is being used to deliver a payload for changing the DNS (Domain Name System) settings of home routers.

An attack leveraging ads from a third-party service displayed to websites is called malvertising and it is usually carried out by including a redirect to an online location, either compromised or under the control of the cybercriminals, which serves a malicious payload.

However, in the incident observed by Sucuri, the bad actor injected the payload directly in the advertisement, which is delivered to websites through the googlesyndication.com domain, owned by Google to store and load advertisement content and resources for Google AdSense.

Analyzing the URL to malicious ad, Sucuri’s Fioravante Souza found that the author had encoded the code to hide the threat. However, the researchers managed to decode it, only to bump into a new obstacle delaying the identification of the bad code.

“Decoding the malicious content, I went through 2,716 blank characters before I found something malicious. It’s hard to tell if this was intentional to evade detection, but the code is there, and it is trying to change your home routers DNS settings and force a reboot,” said Souza in a blog post.

A DNS server is designed to translate the IP address of a website into human-readable input. By switching to a different server interpreting the addresses and providing the domain name, an attacker could convert a different IP into the domain required by the victim, serving arbitrary content.

Sucuri located in Los Angeles the DNS server used in this attack, but it was not serving any malicious IPs, which could mean that it was not yet used by the bad actors.