
New malware that spreads via evil web ads has been discovered


December 20, 2016

New malware that spreads via evil web ads and menaces broadband routers has been discovered today, and it's going to be damaging for small businesses and home internet users, whom it directly targets.

This latest variant of the years-old DNSChanger virus, just spotted by the Californian firm Proofpoint, works like this: some JavaScript code is hidden in web advertisements placed on mainstream sites via ad networks.

The code – which prefers Chrome on Windows and Android – determines the local IP address of the visitor's browser with a WebRTC request to a Mozilla STUN server.

If the visitor's IP address isn't in the range the attacker is targeting, a legitimate advert is fetched and displayed, and nothing further happens. If the address is within that range, the JavaScript downloads a bogus ad in the form of a PNG image and extracts HTML from the comment field of the picture.

The HTML is then rendered in the page and it redirects the browser to another website that hosts the DNSChanger Exploit Kit. Sounds nasty? It gets worse...

Evil JavaScript on that page then fetches an AES key, concealed in an image using steganography, and uses it to decrypt a separate payload containing more code, a list of default usernames and passwords used on broadband routers, and no fewer than 166 fingerprints used to identify the victim's router.

Next, the exploit kit, running within the browser using the decrypted data, tries to work out which router is in use by matching it against the list of fingerprints. If there's a match, it fetches the code needed to exploit security vulnerabilities in that particular gateway and hijack it.

If there is no match, it tries all the default login credentials, and if those don't work, it runs a batch of exploits against common security vulnerabilities in some of the devices.

The ultimate goal appears to be to connect to the broadband router on the local network from the victim's browser, abuse security shortcomings such as known default passwords or programming errors to commandeer the gateway, and then change its DNS settings to point at rogue name servers.

Then, when computers join the local network, they may, depending on their configuration, pick up the bad DNS settings from the router and run domain-name lookups through hacker-controlled name servers.

Whoever controls those servers can make people's browsers connect to malevolent systems masquerading as legitimate websites that steal login information; inject more malware onto victims' PCs by redirecting downloads; serve them fake ads rather than the real ones the browser was supposed to display; and so on.
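
Because the end result is a changed resolver address rather than a file on disk, the practical check is to audit where each machine's DNS queries actually go. The following is an added example (not from the article or from Proofpoint) that parses resolver addresses from a resolv.conf-style file and from a dhclient-style lease, then classifies each one as the gateway itself, a resolver on a trusted allowlist, another RFC 1918 address, or an unexpected public address that a router hijack would typically introduce. The sample files, the trusted-resolver allowlist and the gateway address are constructed for the example.

```python
import ipaddress
import re

# Resolvers the organisation expects to see; an assumption for this example.
TRUSTED_RESOLVERS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "8.8.8.8", "9.9.9.9")}

# RFC 1918 ranges, listed explicitly rather than via is_private so that
# documentation ranges such as 203.0.113.0/24 are not treated as LAN space.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inputs.
RESOLV_CONF_SAMPLE = """# constructed sample resolv.conf
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

DHCLIENT_LEASE_SAMPLE = """lease {
  interface "eth0";
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 8.8.8.8;
}
"""


def parse_resolv_conf(text: str):
    """Return resolver addresses from 'nameserver' lines, ignoring comments."""
    resolvers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("nameserver"):
            resolvers.append(line.split()[1])
    return resolvers


def parse_dhclient_lease(text: str):
    """Return resolver addresses from the 'option domain-name-servers' line of a lease."""
    match = re.search(r"option domain-name-servers\s+([^;]+);", text)
    if not match:
        return []
    return [addr.strip() for addr in match.group(1).split(",")]


def audit_resolvers(resolvers, gateway: str, trusted=TRUSTED_RESOLVERS):
    """Classify each resolver; 'unexpected' is the verdict a router DNS hijack produces."""
    gateway_ip = ipaddress.ip_address(gateway)
    verdicts = {}
    for addr in resolvers:
        ip = ipaddress.ip_address(addr)
        if ip == gateway_ip:
            verdict = "gateway"          # router forwards DNS; check its own upstream setting too
        elif ip in trusted:
            verdict = "trusted"
        elif any(ip in net for net in LAN_RANGES):
            verdict = "private"          # an internal resolver, worth confirming but not alarming
        else:
            verdict = "unexpected"       # public resolver nobody configured: investigate
        verdicts[str(ip)] = verdict
    return verdicts


def has_unexpected(verdicts) -> bool:
    """True when at least one resolver should be investigated."""
    return "unexpected" in verdicts.values()


if __name__ == "__main__":
    for name, resolvers in (("resolv.conf", parse_resolv_conf(RESOLV_CONF_SAMPLE)),
                            ("dhclient lease", parse_dhclient_lease(DHCLIENT_LEASE_SAMPLE))):
        result = audit_resolvers(resolvers, gateway="192.168.1.1")
        print(name, result, "ALERT" if has_unexpected(result) else "ok")
```

A "gateway" verdict is not a clean bill of health on its own: the hijack described above rewrites the router's upstream DNS setting, so the router keeps answering on 192.168.1.1 while forwarding queries to the attacker. Pull the router's WAN/upstream DNS fields from its admin page or configuration export and run them through `audit_resolvers` as well.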

If all this sounds complicated, it's because it is. Someone obviously went through a lot of trouble to do this. And some in the industry are wondering exactly why.

What makes it worse is that some of the infection exploits also start up vulnerable services on the routers, so that threats like the Mirai botnet can then attack the gateway.

The trouble and pain that some hackers and miscreants will go through never ceases to amaze us. Worse, this looks like a growing trend, and internet users need to be extremely vigilant in such an environment.

Source: Proofpoint.
