…Because that advertising could infect you in such a way that not just your system, but every device connected to your network would get affected.
A few days ago, we reported about a new exploit kit, dubbed Stegano, that hides malicious code in the pixels of banner advertisements rotating on several high profile news websites.
Now, researchers have discovered that attackers are targeting online users with an exploit kit called DNSChanger that is being distributed via advertisements that hide malicious code in image data.
Remember DNSChanger?
So, whenever a user of an infected system looked up a website on the Internet (say, facebook.com), the malicious DNS server tells you to go to, say, a phishing site.
The most worrisome part is that hackers have combined both threats in their recent widespread malvertising campaign, where DNSChanger malware is being spread using Stegno technique, and once it hit your system, instead of infecting your PC, it takes control of your unsecured routers.
Researchers at Proofpoint have discovered this unique DNSChanger exploit kit on more than 166 router models.
Here’s How the Attack Works:
Firstly, the ads on mainstream websites hiding malicious code in image data redirects victims to web pages hosting the DNSChanger exploit kit.
Once the router is compromised, the DNSChanger malware configures itself to use an attacker-controlled DNS server, causing most computers and devices on the network to visit malicious servers, rather than those corresponding to their official domain.
STUN server then send a ping back containing the IP address and port of the client.
The malicious code eventually redirects the visitor to a web page hosting DNSChanger, which uses the Chrome browser for Windows and Android to serve a second image concealed with the router exploit code.
List of Routers Affected
The attack then cloaks traffic and compares the accessed router against 166 fingerprints used to determine if a target is using vulnerable router model.
- D-Link DSL-2740R
- NetGear WNDR3400v3 (and likely other models in this series)
- Netgear R6200
- COMTREND ADSL Router CT-5367 C01_R12
- Pirelli ADSL2/2+ Wireless Router P.DGA4001N
It is not clear at the moment that how many people have been exposed to the malicious ads or how long the campaign has been running, but Proofpoint said the attackers behind the campaign have previously been responsible for infecting more than 1 million people a day.
Proofpoint did not disclose the name of any ad network or website displaying the malicious advertisements.
Users are advised to ensure that their routers are running the latest version of the firmware and are protected with a strong password.