As you read these words, malicious ads on legitimate websites are targeting visitors with malware. But that malware doesn't infect their computers, researchers said. Instead, it causes unsecured routers to connect to fraudulent domains.
Using a technique known as steganography, the ads hide malicious code in image data. The hidden code then redirects targets to webpages hosting DNSChanger, an exploit kit that infects routers running unpatched firmware or are secured with weak administrative passwords. Once a router is compromised, DNSChanger configures it to use an attacker-controlled domain name system server. This causes most computers on the network to visit fraudulent servers, rather than the servers corresponding to their official domain.
Patrick Wheeler, director of threat intelligence for security firm Proofpoint, told Ars:
These findings are significant because they demonstrate clearly that ubiquitous and often-overlooked devices are being actively attacked, and once compromised, these devices can affect the security of every device on the network, opening them up to further attacks, pop-ups, malvertising, etc. Thus, the potential footprint of this kind of attack is high and the potential impact is significant.
Lots of moving parts
The ads first check if a visitor's IP address is within a targeted range, a behavior that is typical of many malvertising campaigns, which aim to remain undetected for as long as possible. If the address isn't one the attackers want to target, they serve a decoy ad with no exploit code in it. In the event the IP address is one the attackers want to infect, they serve a fake ad that hides exploit code in the metadata of a PNG image. The code, in turn, causes the visitor to connect to a page hosting DNSChanger, which once again checks the visitor's IP address to ensure it's within the targeted range. Once the check passes, the malicious site serves a second image concealed with the router exploit code.
"This attack is determined by the particular router model that is detected during the reconnaissance phase," a Proofpoint researcher who uses the moniker Kafeine wrote in a blog post. "If there is no known exploit, the attack will attempt to use default credentials." In the event there are no known exploits and no default passwords, the attack aborts.
arstechnica.com/security/2016/12/home-routers-under-attack-in-ongoing-malvertisement-blitz/Read more here: