85160670 (banned)
"If U know neither the enemy nor yoursel
join:2013-09-17
Edmonton, AB

1 recommendation

Member

Attackers change routers' DNS settings via malicious code injected in ads

Yuck...."Sucuri Security researchers have unearthed a malvertising campaign aimed at changing the DNS settings of home routers in order to lead users to questionable and potentially malicious websites.

The attackers have embedded the malicious code in question directly into an ad hosted on the googlesyndication.com network, the researchers claim, and the ad has been served to a variety of websites that use that particular ad service"...[ »www.net-security.org/mal ··· ?id=2891 ]
Frodo
join:2006-05-05

Member

This kind of problem has occurred to me in the past. What I do is hardcode the DNS address on the computer directly, and not have the computer pick up DNS settings via DHCP from the router.

For IPv4, what can be done on Windows 7 is bring up Network Connections, right-click and select Properties for the network card, select TCP/IPv4, click the Properties button, which will bring up a screen as shown below. There, the IP address can be hard-coded.


Kilroy
MVM
join:2002-11-21
Saint Paul, MN

to 85160670
A little bit more information on the attack would be nice. How does it access the router's DNS settings for instance? Does not having the default password defeat the attack?

Pjr
Don't Panic
join:2005-12-11
UK

2 recommendations

Member

said by Kilroy:

A little bit more information on the attack would be nice. How does it access the router's DNS settings for instance? Does not having the default password defeat the attack?

There's a little more here.

See »blog.sucuri.net/wp-conte ··· URLs.png for all the requests the script makes.

To me it looks like it would only work on routers without passwords and only on specific makes of routers; though I could be wrong on the last bit.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Member

You're very right on the last bit for sure. It uses the URL for your router's DNS page. Meaning for each brand targeted they need another line/lines of code to change the settings.

It is also hard-coded, meaning if a person finds a way to change the PHP file name for the DNS page the script will fall flat, as the script targets the URL specifically. It also requires the router's IP to be default.

Note the »192.168.0.1 etc. lines in this image and the GET request.

»blog.sucuri.net/wp-conte ··· URLs.png

As for needing the password to be default or no pass, that I don't know. I know some routers would display an error page if you tried going to them without logging in, but at least 1 router I had with an older firmware would display and in fact allow you to change settings without entering the password so long as you knew the exact URL. That was an old junker SMC Barricade router I had a long time ago. I lost my password and did not want to factory reset the router but was able to get at the password etc. settings page by going directly to it.

Simple, more permanent fix: change your router's default IP to something that is not the norm, e.g. 192.168.111.12. That one simple change will cripple this malware ad.

Not sure, but I do not think that there would be any way to code this malware ad in a way that it would not need to target a specific IP plus GET request.

dslcreature
Premium Member
join:2010-07-10
Seattle, WA

to 85160670
HTTP(S) access on modems and routers is perpetually riddled with bugs and non-existent security.

I always use an access list preventing everything, including myself, from accessing management pages unless I have a specific need.

A little annoying, but better than playing whack-a-mole in an unwinnable war against inexcusable vendor stupidity.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

Premium Member

»pfSense.org

Installed on an old repurposed notebook makes a very good router.

planet
join:2001-11-05
Oz

1 recommendation

to 85160670
Would ABP or ABE mitigate this threat?

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

2 recommendations

Premium Member

said by planet:

Would ABP or ABE mitigate this threat?

Probably. So would NoScript.

Ever since installing that in Firefox I have never gotten hit by a malvertisement.

norwegian
Premium Member
join:2005-02-15
Outback

to 85160670

Routers are the flavor of the month aren't they..

Thanks for the link.
85160670 (banned)
"If U know neither the enemy nor yoursel
join:2013-09-17
Edmonton, AB

Member

My pleasure ..... indeed, "Malvertising Payload Targets Home Routers": they try many ways to probe home user defences {{{ GRIN }}}

planet
join:2001-11-05
Oz

1 recommendation

to Doctor Four
said by Doctor Four:

Probably. So would NoScript.

Ditto. NoScript and ABP or ABE on Fx are a must on my PC.

Sarick
It's Only Logical
Premium Member
join:2003-06-03
USA

to 85160670
Wouldn't having the router intercept DNS port 53 help against this? Unless the exploit redirects through another port, everything that is sent to DNS is redirected to the router's DNS servers.

Even if I try to use another DNS the router always calls OpenDNS servers.

208.67.222.222, 208.67.220.220 and 208.67.220.128

norwegian
Premium Member
join:2005-02-15
Outback

Premium Member

said by Sarick:

Wouldn't having the router intercept DNS port 53 help against this?

Gamers might not like a router's feature to do that due to game lag.
Or networking that doesn't want a router to play DNS.
You can think that's a good feature, but is it worth it?

It's an internal thing.
I think that means just allow UDP on port 53 internally outwards.
Block externally coming in.
Then you have services as well to consider.
A hardware firewall guru can tell you more.
Just speculation though.

Sarick
It's Only Logical
Premium Member
join:2003-06-03
USA

3 edits

Premium Member

Doesn't the router's internal DNS cache solve this issue?

I'm sure that there is an easy way around the router's DNS by local proxy or VPNing through a middleman-type attack.

When I ran
»www.grc.com/dns/benchmark.htm

using my router as the primary server without interception, allowing external DNS servers, my DNS response speeds DECREASED.

When the test used the DNS server from the router's internal DNS, speeds increased.

When I turned on intercept DNS, all DNS queries increased to nearly identical speeds.

I'm no expert, but the DNS benchmark ranked my router as the fastest for cached DNS and only slightly slower for non-cached.

What I'm seeing from this topic is the adware overwrites the DHCP DNS servers. If my router intercepts those DNS requests and uses its internally listed OpenDNS server no matter what is requested, these DNS requests will still be the same even if the 192.168.X.X DNS in my DNS settings is changed.

I found info on this site.
»Tomato: Use "Internal DNS" or not?

Also saw it here.
»en.wikibooks.org/wiki/To ··· eference

Under..
Use Internal DNS
Intercept DNS port (UDP 53)

That's what I'm asking. Does this give a little added security or not?

EDIT:
Reading more, the exploit alters the DNS of the router directly. I use custom open source router firmware with a long password. I know that if I try to access the pages without logging on it will deny access. Unless there is a hole in the open source firmware that is directly targeting this firmware, I doubt it could overwrite my DNS settings without some type of brute force. If the malware does successfully change the router settings, DNS intercept may make the issue worse.

I'd be more worried about my localhost file being redirected than the router's DNS being changed.
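A check a defender can run from a LAN host to answer the question above, added here as an example that is not part of the thread (the sample response bytes are constructed, and the router and OpenDNS addresses named in the usage note are assumptions): it builds a raw DNS A query, sends it to a chosen resolver instead of going through the OS stub resolver, and compares the answer from the router-supplied resolver with one from a known-good public resolver. With "intercept DNS" on, both queries are redirected to the router anyway, so a clean comparison needs interception off or a vantage point outside the LAN.

```python
# Added example, not from the thread; sample bytes are constructed, resolver addresses assumed.
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past a domain name, handling RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # pointer is 2 bytes and terminates the name
            return off + 2
        off += length + 1

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a DNS response message."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # TYPE A
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def resolve_via(resolver_ip, name, timeout=3.0):
    """Send the query directly to `resolver_ip` on UDP/53, bypassing the OS stub resolver."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)

def answers_disagree(suspect_ips, trusted_ips):
    """True when the two answer sets share no address; that is the signal to investigate."""
    return not (set(suspect_ips) & set(trusted_ips))

# Constructed sample response: our query echoed back plus one A record for 203.0.113.10.
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
                   + socket.inet_aton("203.0.113.10"))
```

Live use is `answers_disagree(resolve_via("192.168.1.1", "example.com"), resolve_via("208.67.222.222", "example.com"))` with the router address swapped for your own; truncated or non-A answers are not handled here.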

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

1 recommendation

to Nanaki
said by Nanaki:

Simple more perm fix change your routers default ip to something that is not in the norm eg 192.168.111.12

The linked capture image also contains GET requests to 10.x.x.x.
said by dslcreature:

I always use an access list preventing everything including myself from accessing management pages unless I have a specific need.

Why not just disable the interface altogether?
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Member

Yeah, I just wasn't going to type out all the IPs. But the method would work on the 10.x IPs just as well as the 192.x IPs etc. So long as the router's IP (gateway IP) is not the default for the router it will stop a hard-wired attack. And I honestly don't think there is a way to do this type of attack with anything but a hard-wired IP. The author of the attack would need to hard-wire in all possible IP variants. I think, and feel free to correct me if I'm wrong. But you can use any IP in the 192 and 10 IP range and maybe a couple of others, e.g. 10.0.0.0 to 10.255.255.255 and 192.0.0.0 to 192.255.255.255, meaning the attacker would need one hell of a lot of lines of code to cover them all. For some higher end routers you can edit file names etc. with work or flash your own firmware. Meaning someone with a little knowledge could rename all the files for the router GUI. Meaning instead of, for example, if the DNS page was dnssettings.php you could rename it and links pointing to it to sometotalrandomnonsensicalcrap.php
This would again stop the attack dead in its tracks. It simply could not access the page for DNS settings, password or none.

I ran a very vulnerable PWS web server back in Windows 98 days. And stopped all manner of worms etc. just by renaming the php etc. files and directories and re-pointing everything.

Back in the day I used to hang out on various hackers' newsgroups and was in good with many there. I set up a Windows 98 box for a hack-the-box challenge with an unpatched PWS server running. They never did get in and compromise it, at least not through PWS. They attacked it in the end using a vulnerability in Windows 98 itself and were able to rename a few directories and files back to the normal using default admin shares, which was the full contents of my drives. At that point they were able to reconfigure the server to the win condition. Which was a typical web site deface. I still have the replacement page on CD somewhere hehe.

Point is I, on an unpatched Windows 98 running an unpatched PWS server, was able to flat out prevent them from hacking the very easy to hack PWS server via the server's own files. If I can do that with a few edits, about a dozen, rendering a router secure against this is going to be a much easier affair.

Sarick
It's Only Logical
Premium Member
join:2003-06-03
USA

1 edit

Premium Member

Are you sure?

If the system knows the LAN computer's IP address the router is usually on the same subnet. If I recall right, most browsers have this local info stored in them that can be retrieved by a simple external script. This is unless you have privacy turned up in settings.

I remember running browser testing a while back to see what system/network info the browser was giving out. This was a long, long time ago so chances are it might have already been patched.

I'm not sure, but a simple script should be able to retrieve the default gateway router information on a networked computer without needing to do a brute force of every known private address.

Ipconfig can display internal info fairly easily but that uses an external executable to access. If there is a way to exploit the browser to transmit the router's gateway IP, then a directed attack on a non-hardened specific router would be the question.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Member

Depends on what the exploit in question uses to inject the code and how much information is leaked to the attack page. From the way this thing looks, at least what I looked at, it just injects via an exploit and does so with every visit. So basically it would be like me setting up a laser trip wire that fires guns across a doorway at 6 feet. Everyone walking through it will be shot at; only the ones 6 foot or over will get hit.

Same thing here, only people using a router with these specific things will be affected. These are the IP and the URLs that are requested by GET.

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

to Sarick
said by Sarick:

I'm not sure but a simple script should be able to retrieve the default gateway router information

This particular code base is rather rudimentary (the one in the article). It would be a trivial task to create a JavaScript variable that can capture the gateway IP (normally the router's IP) & GET or POST to that gateway IP via some conditional statements.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Member

Right, at least possibly. Now the second method I mentioned, the renaming of files for those who have that as an option, would stop the attack dead in its tracks. That is information that is not so easy to come by.

The only way it could be done via a script would be to brute force the name to the maximum file name length for the given target server/router. I think it requires in some cases 2 PHP etc. pages to change the settings, um yeah, would take a very long time to brute force it.

So you might end up needing to brute force a password and the files responsible for setting DNS.

I would think it would be possible for a router on first boot to randomly generate file names and links for all PHP files related to the GUI. Meaning each router's settings page would be different. This could even be done for the index page. As that page is assigned in the server's settings. You can name your index page and home page anything you like so long as you change it in, for example, Apache's configuration. Same goes for a router which does have some web server or another installed.

Now this is something that would have to be done via a firmware upgrade. But there's no reason it cannot be done in the next firmware for each router out on the market.

Sarick
It's Only Logical
Premium Member
join:2003-06-03
USA

1 edit

1 recommendation

Premium Member

Not in my experience. If I load a page, reboot some routers with the pages still up, I can change settings without reloading the page. In some cases you don't need access to the internal script or to view the router's HTML web interface. Just send the right data code to the device.

Explanation in spoiler.
I've done this before. I took stripped routers that had pages and scripts removed from their interface and altered them. I was able to change modem settings that were completely hidden/disabled in the firmware using HTML pages I had stored on my local HDD.

I created modified web administration interface pages (sourced from unlocked firmware versions). These had everything unlocked in the interface. These allowed me to make changes to the modem router without even accessing the web interface pages stored on the router! Simply put, these external pages allowed me the ability to alter disabled features like port forwarding etc. without pulling the code from the router.

The only problem I had with them is I had to manually put in the router's IP address because the actual pages on the router pulled internal variables every time the page was loaded. This is because my pages weren't retrieved from the router but from an external directory on my computer, so these scripts etc. needed this information.

My bet is this exploit doesn't even need to call up the web interface pages. It can just send strings directly to the router's interface and make changes, sometimes even if administration requires a password.

Keep in mind.
Most routers also have telnet, FTP, SSH back doors that may not be secured. These don't need to access the web interface. Fortunately this exploit is only for the web interface.

My apology if this was a bit long, I feel this information is helpful to the subject.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

1 recommendation

Member

True enough. This is why there are programs that let you change settings without using the web interface. But as for this exploit it can be stopped dead with what I mentioned. I know about other exploits out there that affect SSH, FTP, telnet etc. Now there's some nasty stuff doable via those as well. A little social engineering work, get a person to install a bit of malware that mods their router settings and you can screw them over but good. Even if they find the original malware that did the mod they may never know the mod happened. I could think of dozens of ways this could be done and used to cause all sorts of trouble. File dump installed later on the PC, bank account info theft, ID theft in general etc. All sorts of evil stuff.

What is worrisome about this current exploit is this looks like a set-up period. Change as many routers with it as possible, then craft phish pages and point the hacker-controlled DNS to those pages. Now the ones who found this have, I'm sure, reported the rogue DNS to the proper people. But they found 1 out of xxxxx*; who knows how many variants of the malware ad exist, could be 1 only or 1000. With all the different personal DNS servers out and all the high speed internet connections, FiOS to the home in many countries and some parts of the US and static IPs etc., we could be looking at a DNS network of a few 1000 infected machines all ready to serve bogus copies of bank sites, PayPal, eBay, Newegg etc. all.

You don't want to know how much damage I myself could do with just a few DNS servers and a method to point people's computers to them. Cached login page, mod cached page to post the info to a file on a server or to my email or phone via txt. Yeah, bad news...