Home routers under attack in ongoing malvertisement blitz


As you read these words, malicious ads on legitimate websites are targeting visitors with malware. But that malware doesn't infect their computers, researchers said. Instead, it causes unsecured routers to connect to fraudulent domains.

Using a technique known as steganography, the ads hide malicious code in image data. The hidden code then redirects targets to webpages hosting DNSChanger, an exploit kit that infects routers that run unpatched firmware or are secured with weak administrative passwords. Once a router is compromised, DNSChanger configures it to use an attacker-controlled domain name system (DNS) server. As a result, most computers on the network are sent to fraudulent servers rather than to the servers that legitimately correspond to the domains they requested.

Patrick Wheeler, director of threat intelligence for security firm Proofpoint, told Ars:


Don’t Be a Victim of DNSChanger Before July 9

Following up on a post from my colleague Jim Walter some months ago about DNSChanger, it is now time to act!

For a more detailed description of the threat, check out Jim’s post and our Knowledge Center entry about detection and remediation of DNSChanger. Here is a brief recap: DNSChanger is malware that a gang of criminals uses to redirect the computers of infected users to DNS servers run by the gang. To achieve this, the malware changes the DNS settings on the infected machine. And what’s worse: it also changes the settings on home routers that have no password or still use the default one.

The DNS Changer Working Group (DCWG) has been working hard with ISPs worldwide to get as many victims as possible remediated before the rogue DNS servers are switched off on July 9 (which effectively means the loss of Internet connection for the victims), but there are still hundreds of thousands of machines affected. Data released by the DCWG show some 300,000 unique IP addresses as of June 11. Based on these figures, it’s hard to say how many victims there really are. Some may be dialing in with new IP addresses several times a day; in other cases a single address could be a small business network behind an affected router. DCWG has more data here.

Make sure you are not a victim, and spread the word to your friends. You can run a quick check by connecting to http://www.dns-ok.us/. This is not foolproof, as some ISPs are rerouting the DNS queries of their infected customers; but at least that rerouting means you will still be able to access the Internet after July 9.

To really make sure you’re not a victim, check out our document detailing the threat and showing how to use a special version of our Stinger tool to detect and remediate an infected system.
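The posts above describe two signs of infection: the DNS settings on the machine point at the gang's servers, and home routers with default passwords have their resolver changed as well. The following is an added example, not code from McAfee, Proofpoint/Ars or Symantec, of how a defender can check a machine's configured resolvers offline. It parses resolv.conf-style text (a constructed sample is embedded), classifies each nameserver as local, public or rogue, and returns a verdict. The rogue ranges it uses are placeholder documentation networks, not the real DNSChanger ranges; a real check would load the ranges published by the DCWG.

```python
"""Classify configured DNS resolvers against a list of known-rogue ranges.

Added defender's example; not code from the original posts. The rogue ranges
are PLACEHOLDERS (RFC 5737 documentation networks), not the real DNSChanger
ranges, which would be loaded from the DCWG's published list in practice.
"""
import ipaddress
import re

# Placeholder ranges standing in for the rogue resolver blocks (constructed).
PLACEHOLDER_ROGUE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2
]

# Constructed resolv.conf-style sample, not a real capture.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.168.1.1     # home router, forwards upstream
nameserver 203.0.113.77    # placeholder rogue address
nameserver 8.8.8.8         # well-known public resolver
"""


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments and blank lines are ignored; a 'nameserver' line whose value is
    not a parseable IPv4/IPv6 address is skipped rather than raising.
    """
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        match = re.match(r"^nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue                           # malformed address, skip it
    return servers


def classify_resolver(addr, rogue_ranges=PLACEHOLDER_ROGUE_RANGES):
    """Label one resolver address as 'rogue', 'local' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in rogue_ranges):
        return "rogue"
    if ip.is_private or ip.is_loopback:
        # A LAN address is usually the home router; it may itself have been
        # reconfigured to forward to a rogue upstream, which this check cannot
        # see from the client side.
        return "local"
    return "public"


def check_resolvers(resolv_conf, rogue_ranges=PLACEHOLDER_ROGUE_RANGES):
    """Classify every configured resolver and summarise the result."""
    resolvers = {
        addr: classify_resolver(addr, rogue_ranges)
        for addr in parse_nameservers(resolv_conf)
    }
    labels = set(resolvers.values())
    if not resolvers:
        verdict = "no resolvers found"
    elif "rogue" in labels:
        verdict = "rogue resolver configured"
    elif labels == {"local"}:
        verdict = "only local resolvers (check the router's upstream DNS)"
    else:
        verdict = "clean"
    return {"resolvers": resolvers, "verdict": verdict}


if __name__ == "__main__":
    result = check_resolvers(SAMPLE_RESOLV_CONF)
    for addr, label in result["resolvers"].items():
        print(f"{addr:<20} {label}")
    print("verdict:", result["verdict"])
```

The "only local resolvers" verdict is deliberate: when the client only knows the router's LAN address, a compromised router is invisible to this check, which is exactly why the posts recommend a test such as dns-ok.us that observes which server actually answers a query, and why the router's own admin password and upstream DNS setting need to be inspected directly.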

DNSChanger Fraud Ring Busted

Here’s a money making idea: find some advertisers and tell them you can put their ads on billboards at half the going rate. You don't own any billboards? No problem, just go paste the ads over the ones on someone else's billboards.

This idea has not really caught on in the real world—it's impractical to run around town, climbing up poles, and plastering ads on someone else's billboard. You’re also limited to the billboards you can physically reach. Plus it's illegal.

The Internet is another story. There are no physical limitations, no climbing, and some people don't have an issue with doing illegal things, especially when they don't think they'll get caught. The good news is they do get caught, but we'll come back to that.

So what is the equivalent of a billboard on the Internet? A website. Getting people to visit a website and view ads on it is big business. This attracts cyber criminals who try to figure out how they can manipulate this aspect of the Internet for their own gain, and they can. They do it with something called DNSChanger.

What's DNSChanger? The FBI has information on it on their website. It's really nice to see a clear description of such a complicated fraud. Even nicer, the FBI just caught an international fraud ring responsible for compromising millions of computers with malware and defrauding Internet advertisers.

How much could a bad guy possibly make doing this? The ones the FBI just took down made at least 14 million dollars—big money. It took a large number of compromised computers to get all this money: four million computers in more than 100 countries. My bet is that most of those computers didn't have good security software, or didn't keep it up to date. That's pretty sad, because this makes life easy for the bad guys. The cyber criminals use malware like Zlob or Tidserv to get DNSChanger onto a computer. We have multiple protection technologies that detect these threats, but you have to use the technology in order to be protected.

The FBI has provided some great information to help potential victims identify if their computer has been subjected to the attack. Symantec can help too. If you feel you may have been compromised, even if you're not one of our customers, you can make use of Norton Power Eraser to further analyze and remove any malware on your computer. We can't rely solely on the FBI, we all need to do our part to stop these criminals.