DNSChanger EK, first documented by researchers at Proofpoint, is used to take control of small office and home routers and change their settings. In 2015, DNSChanger used cross-site request forgery (CSRF) attacks to hijack routers; that campaign largely affected users in the U.S., Australia, Turkey, Russia, Brazil, India, Argentina, Morocco, and Italy. As of December 2016, the EK was being delivered through a malvertising campaign whose goal is to compromise vulnerable routers and insert the attackers' ads into every site the user visits.

The attackers buy ads on legitimate websites and inject malicious JavaScript that determines the user's local IP address (Proofpoint reported that the script used WebRTC requests to a STUN server for this). If the address falls in a private range that indicates a small home network behind a consumer router, the user is served a malicious advertisement (malvertisement) that redirects to the DNSChanger EK landing page, where exploitation begins. The EK first sends the browser an image file with an AES key hidden in it by steganography; the script uses that key to decrypt the rest of the traffic it receives from the EK, which the attackers encrypt to prevent security researchers from inspecting it. After the key has been received, the EK sends each victim a list of router fingerprints (166 as of December 2016). The malicious code runs those fingerprints against the victim's router to identify its make and model, and the EK then replies with the matching exploit package. The exploit takes control of the router and changes its DNS settings so that name resolution is relayed through the attacker's servers. Where the router model allows it, the EK also opens the router's administration ports to external connections, giving the attackers direct control of the device; researchers at Proofpoint observed this for 36 of the 166 router fingerprints.

Once the router's DNS settings point at the attacker, the attackers can replace legitimate ads on the sites the victim visits with their own. DNSChanger EK targets Google Chrome users on both desktops and mobile devices.
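The "is this visitor behind a home router?" gate described above, as an added example in JavaScript (not code from the page, from Proofpoint, or from the exploit kit): a page script gathers WebRTC ICE candidates, pulls the LAN address out of the host candidate, and checks it against the RFC 1918 ranges that consumer routers hand out. The candidate lines are constructed sample data; the gateway guesses, the header-free harvesting routine and the rejection of mDNS candidates are assumptions about how such a gate is built, not details taken from the page.

```javascript
// Added example, not code from the original page or from Proofpoint / the EK authors.
// Reproduces the local-address gate: parse ICE host candidates, classify the address,
// and decide whether the visitor sits behind a home router. Sample data is constructed.

const PRIVATE_RANGES = [
  { base: "10.0.0.0", bits: 8 },     // RFC 1918
  { base: "172.16.0.0", bits: 12 },  // RFC 1918
  { base: "192.168.0.0", bits: 16 }, // RFC 1918
];

// Dotted quad -> unsigned 32-bit integer, or null if the string is not an IPv4 address.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside base/bits (prefix comparison under the network mask).
function inRange(ip, range) {
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(range.base);
  if (a === null) return false;
  const mask = (0xffffffff << (32 - range.bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

function isPrivateIPv4(ip) {
  return PRIVATE_RANGES.some((r) => inRange(ip, r));
}

// ICE candidate grammar (RFC 5245): "candidate:<foundation> <component> <transport>
// <priority> <address> <port> typ <type> ...". Only "host" candidates carry the LAN
// address; "srflx" candidates carry the public address as seen by the STUN server.
function extractHostCandidateIp(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ" || f[7] !== "host") return null;
  const address = f[4];
  // Chrome 75+ replaces the host address with an mDNS name (xxxx.local), which defeats
  // this discovery step; a non-IPv4 address therefore yields no result.
  return ipv4ToInt(address) === null ? null : address;
}

// Assumption (not from the page): consumer routers usually sit at .1 or .254 of the /24,
// so those addresses are the natural first targets before the fingerprint list is tried.
function guessGateways(ip) {
  const prefix = ip.split(".").slice(0, 3).join(".");
  return [`${prefix}.1`, `${prefix}.254`];
}

// The gate itself: first private host address wins; null means "not a home network".
function detectHomeNetwork(candidateLines) {
  for (const line of candidateLines) {
    const ip = extractHostCandidateIp(line);
    if (ip && isPrivateIPv4(ip)) return { localIp: ip, gatewayGuesses: guessGateways(ip) };
  }
  return null;
}

// Browser-side harvesting (defined for reference, only runs where RTCPeerConnection exists):
// a throwaway peer connection emits host candidates without any STUN server configured.
function harvestIceCandidates(timeoutMs = 1000) {
  return new Promise((resolve) => {
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [] });
    pc.createDataChannel("probe");
    pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(() => { pc.close(); resolve(lines); }, timeoutMs);
  });
}

// Constructed sample candidates: a raw LAN address (older Chrome), an mDNS-obfuscated
// host candidate (Chrome 75+), and a server-reflexive candidate with the public address.
const SAMPLE_CANDIDATES = [
  "candidate:842163049 1 udp 1677729535 192.168.1.23 56789 typ host generation 0",
  "candidate:842163049 1 udp 1677729535 1b2c3d4e-5f6a-7b8c-9d0e-f1a2b3c4d5e6.local 56789 typ host generation 0",
  "candidate:1853887674 1 udp 1685987071 203.0.113.7 56789 typ srflx raddr 0.0.0.0 rport 0 generation 0",
];

if (typeof RTCPeerConnection === "undefined") {
  console.log(detectHomeNetwork(SAMPLE_CANDIDATES));
}
```

The second sample candidate is the practical caveat: since Chrome started publishing mDNS names instead of raw LAN addresses in host candidates, a gate written this way fails closed on current browsers, which is one reason the advice to keep Chrome updated matters for this particular kit.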
Attackers have replaced ads from advertising networks including AdSupply, OutBrain, Popcash, Propellerads, and Taboola. Users should update their Chrome browser and their router's firmware to the most recent versions to protect against the vulnerabilities DNSChanger EK exploits. Because the attack is driven from the browser, a firmware update only helps where the vendor has fixed the CSRF or credential weakness the kit relies on; changing the router's default administrator password, disabling remote (WAN-side) administration, and checking that the router's DNS servers are the expected ones close the remaining paths the kit uses.


Technical Details

  • Proofpoint's research blog provides the full technical details on DNSChanger EK.

One example of the DNSChanger Exploit Kit. Image Source: Proofpoint