Routers hijacked via malvertising attacks on Windows and Android browsers

News by Rene Millman

A new variant of the DNSChanger exploit kit is using malvertising to infect internet routers through the web browser

Security researchers have discovered a variant of the DNSChanger exploit kit (EK) that is being used to infect internet routers through web browsers.

Instead of attacking a user's computer, the malware is changing DNS settings on routers instead, exploiting vulnerabilities there.

According to Proofpoint, DNSChanger is targeting routers made by D-Link, Netgear as well as routers for the SOHO market such as Pirelli and Comtrend.

“Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising,” said the researchers in a blog post.

The attack happens when a hacker buys legitimate ad space on a website and then inserts malicious JavaScript code. This code makes a Web Real-Time Communication (WebRTC) request directed at a Mozilla STUN (Session Traversal Utilities for NAT) server that will be able to deliver the victim's local IP address.

If the victim's public IP is already known or their local IP is not in the targeted ranges, they will be directed to a decoy path where a legitimate advertisement from a third-party ad agency is displayed.

“If the client passes this check then a fake advertisement will be displayed to the victim. JavaScript extracts HTML code from the comment field on the PNG file, redirecting victims to the landing of the DNSChanger EK,” said the researchers.

The DNSChanger EK will once again check the victim's local IP address via STUN requests. It then loads multiple functions and an AES key concealed with steganography in a small image, according to Proofpoint.

“Once it performs the reconnaissance functions, the browser will report back to the DNSChanger EK which returns the proper instructions to perform an attack on the router,” said the researchers.

The hackers appear to be changing DNS settings in order to steal revenues from legitimate ad agencies by replacing genuine ads with their own.

The firm said that users can mitigate the problem by updating router firmware, disabling remote administration on SOHO routers, and changing the local IP range used by the router.

“Router vulnerabilities affect not only users on the network but potentially others outside the network if the routers are compromised and used in a botnet. While users must take responsibility for firmware updates, device manufacturers must also make security straightforward and baked in from the outset, especially on equipment designed for the SOHO market,” the researchers said.

Alex Mathews, lead security evangelist at Positive Technologies, told SC Media UK that if you can live without video chats based on webRTC, this should be turned off.

“However, this measure won't make you bulletproof. In this attack, webRTC is used to check the local IP address, but in fact, local gateways are often assigned to known addresses ( or That's why an attacker can skip the use of webRTC: the rate of successful attacks will be lower but many of them will hit the targets anyway,” he said.

 Gavin Millard, EMEA technical director at Tenable Network Security, told SC that gaining control of a DNS server on a network can lead to many different types of exploitation and compromise, not just malvertising.

“For example, it would be incredibly easy to modify the DNS records of a victim's internet banking portal, denying access and prompting the victim to call the “helpdesk" to rectify the issue. With the victim calling the “bank” rather than an unsolicited call, social engineering the victim to disclose their credentials would be trivial,” he said.

Paul Ducklin, senior technologist at Sophos, told SC that a lot of home routers come with well known default passwords, and lists of those defaults are commonly used by malware, including DNSChanger. Security-oriented routers and firewalls generally don't have fixed defaults.

“So, companies that have a router/firewall that was designed as a security product will therefore usually be much safer all round against this sort of attack,” he said. "Your best mitigation against automated 'router reconfiguration' attacks like DNSChanger is to get the basics right: apply router patches promptly, and pick a proper password. Never settle for default passwords just because it saves you 30 seconds when you're setting up a new device or account. A default password is like leaving a spare key under the doormat and hoping no one will think to look there first."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews