Use of malware to hijack router DNS and then inject ads and pornographic content onto every website a user visits isn’t a new kind of hack, but hijacking routers using JavaScript alone is making this a widespread problem, and a new report by Ara Labs just reaffirms this.
According to Ara Labs, a new strain of malware is misusing routers to inject ads and pornographic content into websites, and once a router is compromised, the malware will load third-party content onto almost any website visited by the user.
The attack alternates between loading ads and directly loading content from pornographic websites. In both cases it functions as basic adware, redirecting victims as a way of generating paid traffic for a client.
According to the investigation carried out by the security company, the attack works by targeting the DNS system. Since DNS information is typically communicated through the router, the attackers used the hacked routers to reroute requests to their own bogus IP addresses.
The fraudsters are using the hijacked DNS to intercept requests for the google-analytics.com domain and direct the victim to a fake Google Analytics site. When the victim’s browser requests the Google Analytics JavaScript from the fake site, it is served malicious JavaScript that injects ads into the site being browsed. This is not a vulnerability in Google Analytics itself; the service was simply targeted because of its widespread use.
The report further adds that in this particular fraud mechanism, the criminals are using a rogue DNS server located at 91.194.254.105. During a successful router hijacking this DNS server is configured as the router’s primary DNS, while Google’s DNS server (8.8.8.8) is configured as the secondary.
The DNS server at 91.194.254.105 refuses to resolve most domains, forcing the victim to rely on the secondary DNS server (Google) for most lookups. However, when a lookup is attempted for the Google Analytics domain google-analytics.com, the rogue DNS server responds with the IP 195.238.181.169, which is most certainly NOT a Google server. It is a rogue Google Analytics server.
When the victim browses to a site that uses Google Analytics and the browser attempts to retrieve the standard Google Analytics scripts from 195.238.181.169, the rogue server responds with malicious JavaScript that injects ads into the website hosting the Google Analytics tag. Sometimes the malicious JavaScript is bundled inside an altered version of the Google Analytics script to help disguise it.
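The selective-answer behaviour described above (a primary resolver that refuses almost everything so the client quietly falls back to the secondary, but answers one high-value domain with an attacker IP) has a simple defensive check: probe the router’s configured DNS with a list of domains, compare its answers against a trusted resolver, and flag a resolver that both refuses most lookups and disagrees on the few it does answer. The following is an added example written for this article, not code from Ara Labs or the report; it runs offline on constructed sample answers. The attacker and resolver IPs are the ones named in the article, the `www.example.*` probe domains and the 203.0.113.x / 198.51.100.x answers are constructed placeholders, and `REFUSAL_THRESHOLD` is an assumed tuning value.

```python
"""Detect a DNS resolver that refuses most lookups but hijacks one domain.

Constructed offline example: each resolver is modelled as a dict mapping
domain -> answer, where None means the resolver refused or failed the lookup.
A real deployment would fill these dicts by sending queries to the router's
configured DNS servers and to a trusted reference resolver.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: what the router's primary DNS (91.194.254.105 in the
# article) returned for a probe list of commonly used domains.
ROGUE_PRIMARY: Dict[str, Optional[str]] = {
    "www.example.com": None,            # refused: client falls back to secondary
    "cdn.example.net": None,
    "mail.example.org": None,
    "google-analytics.com": "195.238.181.169",       # the only answered lookups
    "www.google-analytics.com": "195.238.181.169",
}

# Constructed sample: answers from a trusted reference resolver such as 8.8.8.8.
# 203.0.113.x and 198.51.100.x are RFC 5737 documentation ranges used as
# placeholders for the genuine addresses.
REFERENCE: Dict[str, Optional[str]] = {
    "www.example.com": "203.0.113.10",
    "cdn.example.net": "203.0.113.20",
    "mail.example.org": "203.0.113.30",
    "google-analytics.com": "198.51.100.5",
    "www.google-analytics.com": "198.51.100.5",
}

# Assumed tuning value: a resolver failing this share of probes is abnormal.
REFUSAL_THRESHOLD = 0.5


@dataclass
class Verdict:
    refusal_rate: float
    # domain -> (answer from probed resolver, answer from reference resolver)
    divergent: Dict[str, tuple] = field(default_factory=dict)
    suspicious: bool = False


def analyse(primary: Dict[str, Optional[str]],
            reference: Dict[str, Optional[str]],
            threshold: float = REFUSAL_THRESHOLD) -> Verdict:
    """Compare a resolver's answers with a trusted reference.

    Flags the hijack pattern: a high refusal rate combined with at least one
    answered domain whose address differs from the reference answer.
    """
    probed = [d for d in reference if d in primary]
    if not probed:
        return Verdict(refusal_rate=0.0)
    refused = sum(1 for d in probed if primary[d] is None)
    rate = refused / len(probed)
    divergent = {
        d: (primary[d], reference[d])
        for d in probed
        if primary[d] is not None and primary[d] != reference[d]
    }
    return Verdict(refusal_rate=rate, divergent=divergent,
                   suspicious=rate >= threshold and bool(divergent))


def resolve_like_client(domain: str,
                        resolvers: List[Dict[str, Optional[str]]]) -> Optional[str]:
    """Mimic a stub resolver that tries the primary first and falls back to the
    secondary only when the primary gives no answer, as the article describes.
    Shows why most of the victim's browsing still works while one domain is
    silently redirected."""
    for resolver in resolvers:
        answer = resolver.get(domain)
        if answer is not None:
            return answer
    return None


if __name__ == "__main__":
    verdict = analyse(ROGUE_PRIMARY, REFERENCE)
    print(f"refusal rate: {verdict.refusal_rate:.0%}, suspicious: {verdict.suspicious}")
    for domain, (seen, expected) in verdict.divergent.items():
        print(f"  {domain}: got {seen}, reference says {expected}")
    chain = [ROGUE_PRIMARY, REFERENCE]
    print("www.example.com ->", resolve_like_client("www.example.com", chain))
    print("google-analytics.com ->", resolve_like_client("google-analytics.com", chain))
```

The comparison deliberately ignores refused lookups when computing divergence, because a resolver that fails a domain is not lying about it; the combination of a high refusal rate with a disagreeing answer is what distinguishes this hijack from an ordinary flaky resolver. A healthy resolver compared against the same reference yields a refusal rate of zero and no divergent domains.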
Routers are less powerful and harder to patch than computers, so they are much more vulnerable. This has made them a common target for hackers, who use them to launch denial of service attacks or spoof banking sites to steal login credentials.
The compromise is specific to the router and it won’t be detected by traditional antivirus tools, which may lead many victims to assume the ads are legitimate.