Evolved DNSChanger malware slings evil ads at PCs, hijacks routers

Malware that spreads via evil web ads and menaces broadband routers has been discovered – and it's going to be particularly horrible for small business and home internet users, which it targets. This latest variant of the years-old DNSChanger nasty, just spotted by Californian infosec biz Proofpoint, works like this: some …

  1. Paul Woodhouse

    and the ad industry is still wondering why we REALLY want to block their shit....

    1. Charles 9 Silver badge

      They'll just find ways to make them unblockable the way phone spam and junk mail are now (false ID'S and returned returns prevent countermeasures with the latter two).

      1. Anonymous Coward

        I suspect they're going the way of Goggle and Farcebook: embedding this crud in what in Facebook's case can only be jokingly referred to as "information". YouTube is already turning into YouTurd with the clickable overlays, embedded ads and other miscellaneous sh*te they can dream up, and no doubt this will soon be followed by others. Visit the BBC from abroad and every video clip has embedded ads in them (real good planning that - do you really want to have your Thompson Holidays ads embedded in the reports of another plane crash?) and it's spreading.

        At present I find myself using Vimeo a LOT more than YouTube exactly because of the ads.

  2. Drew 11

    "Unfortunately, there is no simple way to protect against these attacks"

    Errrrrrr, DNSSEC?

    1. Anonymous Coward

      "Unfortunately, there is no simple way to protect against these attacks"

      Yes there is, an ad blocker.

      1. Charles 9 Silver badge

        Countered with ad-blocker-blockers. Soon they'll just inline them with all the Internet content, making them part and parcel. Then it'll be the spam calls and junk mail all over again with no relief in sight.

    2. Mage Silver badge

      Noscript and whitelisting

      Noscript can be more useful than AV software.

      Also routers, when plugged in should serve ONLY the web admin login, with instructions and warnings about drive by DNS poison and have to have login user & pass changed.

      Also uPNP should be illegal on a router.

  3. Duncan Macdonald Silver badge

    Best protection ?

    For users about the best that can be done seems to be removing Flash and using NoScript and AdBlockPlus and setting your PC's DNS entries to use Google's public DNS (IP addresses 8.8.8.8 and 8.8.4.4).

    The fix that is needed is for all sites to stop linking to external ad supplier networks - all ads should be hosted on the main site's website and have NO SCRIPTING of any sort. (Possibly the way to enforce this would be to make sites liable for any damage caused by their code or code from other sites that they serve to users)

    (If you are on Windows 10 and cannot remove Flash from the Microsoft browsers - make yourself safer by using a different browser (Firefox or Chrome) and if you have a firewall with program control (eg Norton) then block IE and Edge from all internet access.)

    1. The Original Steve

      Re: Best protection ?

      Flash can be disabled in IE and Edge

    2. Anonymous Coward

      Re: Best protection ?

      "...and setting your PC's DNS entries to use Google's public DNS (IP addresses 8.8.8.8 and 8.8.4.4)."

      I don't like the idea of running my activity through Google's servers, but despite that there are plenty of places where those addresses are blocked or unusable.

    3. Mage Silver badge

      Re: Best protection ?

      Do not use Google's DNS.

      Privacy issues.

      Your PCs should be using the Router/Gateway/firewall as DNS and it should either use your ISP or something trustworthy. Trustworthy includes not having your IP and all your requests logged.

  4. The Original Steve

    DNS or DHCP?

    So is this changing the DNS server IPs handed out via the router's built-in DHCP? Or is it poisoning the DNS server built into the router? Or - and I guess more likely - is the virus modifying the DNS server forwarders on the router's DNS server?

    For my sins I use a Windows DNS and DHCP server at home (I know - I'm a sadist) but curious if I could be impacted by having one of my DNS forwards set to the home router..?

    1. Mage Silver badge

      Re: DNS or DHCP?

      If the router has default settings, then a script on a webpage can change the DNS setting of the Router (usually your ISP) to a malicious DNS.

      The LAN DHCP clients use the Router for DNS, by default, which is sensible.

      Secure the router: Disable uPNP, change User name and password to decent ones you write down.

      Note that the WiFi ID and passphrase are different, and ALSO should be changed from default. Don't use TKIP but WPA2.

  5. jMcPhee

    Ah javascript - best friend the internet criminal ever had

  6. Anonymous Coward

    I think I may have that Comtrend router at my business

    Don't have the model number handy, but since it is in bridging mode I'm probably safe, as only trusted clients can access the subnet its interface is available on. Better yet I'd already scheduled an upgrade from DSL to fiber that should be completed by the end of the year!

  7. GrapeBunch

    The family coracle is pwned

    There I was, wondering if our home router could be programmed to filter out nasties for all the computers here, and suddenly it is a weak link. I've been using microcomputers (as they were then called) since 1979 and dial-up melding into the Internet since 1988. Am I paranoid, or is the Internet (recently) approaching becoming too dangerous to browse? Taking into account all the websites that don't work with even fairly porous NoScript settings?

    iOS devices on average are fairly benign, but do threats of this ilk make carefree iOS use a new conduit for pulling your whole network down?

    Can we have an icon that communicates that questions are not rhetorical? Perhaps a big red ? on a yellow background?

    1. GrapeBunch

      Re: The family coracle is pwned

      Am I paranoid, or is the Internet (recently) approaching becoming too dangerous to browse?

      Wrong p-word. Lots of well-armed crackers are out to get me (or anybody). That's not paranoia, it's reality. What I should have written was pessimistic.

    2. Anonymous Coward

      Re: The family coracle is pwned

      Nope, no, and not really.

      These are things a paranoid Windows user needs to fear. Do you run a lightly to barely protected Windows machine with IE/Chrome as your primary browser? Do you visit lots of dodgy sites, and generally install crap on a whim, or let kids install all sorts of garbage on it? If you said no, then you do not need to worry. These are things that people who are generally careless while using the Internet need to bother with. The iOS devices are going to be very secure. They emit no extra services, other than the 1st party stuff, which you can lock down. Getting your router pwned is a very, very rare event, and almost impossible if you are mostly careful about your Internet usage. I know I don't need to worry much because; 1) I can clean up whatever mess occurs, 2) I don't use Windows, 3) if I were to use it it would be with Ad Block and other JavaScript blocking enabled, 4) I know how to verify my DNS lookups at the command line and via packet capture and out-of-band, 5) I use iOS Safari for most browsing, so mostly safe again, and 6) my browsers are double-NATted, so you would have to both hijack a browser behind my Airport firewall, then out to the comtrend. Nothing is on that net except other routers, all of different manufacturer type. That's it, unless the exterior network can be bridged and the attack made there, there's no getting inside this network via advert hijacking. Ever. Pwning the router once inside would be trivial no matter how many NATs I sit behind, if they are connected and available, but they end up on weirdly numbered 10.net class C addresses, so kinda confusing to isolate it, but not impossible. Otherwise, this is not very exciting. I don't see adverts from dodgy web sites, nor any from TV anymore. I don't miss them. Sounds painful. :P
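A defender's check for the hijack Mage describes above (the router's DNS setting changed to a malicious resolver, with LAN DHCP clients inheriting it) and for the out-of-band lookup verification the previous commenter mentions. This is an added example, not code from the article or any commenter; the allowlist, the resolv.conf text and the canary answers are constructed placeholders you would replace with your own.

```python
"""Detect DNSChanger-style resolver hijacking from the LAN side.

Check 1: every resolver the host was handed (typically via DHCP from
         the router) must be on an expected allowlist.
Check 2: answers for canary domains from the configured resolver are
         compared with answers obtained out of band from a trusted
         resolver; any mismatch is flagged.
All inputs below are constructed samples; nothing touches the network.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed allowlist: the router's LAN address plus the ISP resolvers
# it is expected to forward to (TEST-NET addresses used as placeholders).
EXPECTED_RESOLVERS = {"192.168.1.1", "203.0.113.53", "203.0.113.54"}

# Constructed resolv.conf as a DHCP client might receive it from a
# router whose DNS setting has been rewritten to a rogue server.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search lan
nameserver 192.168.1.1
nameserver 198.51.100.9
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses found in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip malformed entries rather than crash
    return servers


def unexpected_resolvers(servers: Iterable[str], allow: Iterable[str]) -> List[str]:
    """Resolvers not on the allowlist; a non-empty result means the DNS
    configuration handed to this host has changed and needs a look."""
    allowed = set(allow)
    return [s for s in servers if s not in allowed]


def answer_mismatches(configured: Dict[str, str],
                      trusted: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Compare canary-domain answers from the configured resolver with
    out-of-band answers.  Use domains with stable addresses as canaries,
    since CDN-backed names legitimately differ between resolvers."""
    return [(d, configured.get(d), trusted[d])
            for d in trusted if configured.get(d) != trusted[d]]
```

Run it against the resolvers your DHCP lease actually lists and a handful of canary names whose addresses you have confirmed out of band.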

  8. Mage Silver badge

    Windows?

    Without properly set up NoScript, and a properly configured Router, your OS and browser might be irrelevant.

  9. FlamingDeath Silver badge

    NoScript FTW

    If you don't currently use NoScript, you should change that

    Even with javascript globally allowed in the browser using NoScript, you are still protected by ABE against this kind of attack

    https://noscript.net/abe/
