- Jan 24, 2011
A malicious campaign deployed by cybercriminals aims at changing the Domain Name System (DNS) server settings in router configuration, responsible for retrieving the correct web pages from legitimate web servers.
An attacker changing these settings can point to malicious locations, exposing the victim to a wide range of risks varying from credential stealing and ad-fraud to traffic interception and malware delivery.
Google public DNS address used as a failover
Cybercriminals behind this campaign rely on a technique called cross-site request forgery (CSRF), which allows malicious requests from a website to be executed by the browser on a different page, without user consent.
Independent security researcher Kafeine found that on May 18 the operation targeted 43 router models from different vendors, like D-Link, Netgear, Asus, Belkin, Edimax, Zyxel, TP-Link, Linksys.
However, the list is constantly updated and it has grown to more than 55 router models from a dozen vendors, the researcher says.
The attack is deployed when a Google Chrome user visits a compromised website and is redirected to a server that delivers a malicious script designed to check the router model used and to replace the DNS servers’ IP addresses.
Kafeine says that, as a precaution, one IP is left pointing to Google DNS as a fall-back measure. This way, if the rogue server cannot complete the redirect (it can be offline for a brief while), the correct website is still loaded and no alarm goes off.
Read more: http://news.softpedia.com/news/Exploit-Kit-Delivers-DNS-Changer-to-Thousands-of-Routers-482223.shtml
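A defender-side check for the configuration the article describes (one unknown resolver with a trusted public one as fallback), written as an added example rather than code from the article or from Kafeine's research; the allowlist, the router address and the sample resolv.conf content are constructed assumptions.

```python
"""Audit the DNS resolvers a client received from its router and flag the
'rogue primary + well-known fallback' pattern. Added example; the trusted
list and sample input below are constructed, not taken from the campaign."""
import ipaddress

# Constructed allowlist: resolvers the network owner expects to see.
TRUSTED_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",   # Google Public DNS
    "192.168.1.1",          # the router itself (assumed LAN address)
}

def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address, ignore the entry
    return servers

def classify(servers: list[str]) -> dict:
    """Split resolvers into trusted/unknown and flag the mixed pattern."""
    trusted = [s for s in servers if s in TRUSTED_RESOLVERS]
    unknown = [s for s in servers if s not in TRUSTED_RESOLVERS]
    # An unknown resolver next to a well-known public one is the layout the
    # article describes: the rogue server answers first, the public one keeps
    # lookups working (and the user unsuspecting) whenever it is down.
    return {
        "trusted": trusted,
        "unknown": unknown,
        "mixed_with_fallback": bool(unknown) and bool(trusted),
        "all_unknown": bool(unknown) and not trusted,
    }

# Constructed sample: what a client behind a tampered router might see.
# 203.0.113.7 is a documentation (TEST-NET-3) address used as a placeholder.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 203.0.113.7
nameserver 8.8.8.8
search lan
"""

if __name__ == "__main__":
    print(classify(parse_nameservers(SAMPLE_RESOLV_CONF)))
```

On a real network, populate TRUSTED_RESOLVERS from the ISP's and router's documented addresses and run the check against the DHCP-supplied resolvers on each client.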