- Posted by Sergei Frankoff 25 Mar
- 0 Comments
A Short History of Router DNS Hijacking
Subsequently there have been some excellent reports on these router DNS attacks from Sucuri, Kaspersky, and Malwarebytes, but despite the exposure the problem persists. In fact, router DNS hijacking has become so prevalent that if we look at D-link router reviews on Amazon, the first one that pops up is a complaint about the router being hacked and displaying popup ads.
Routers and DNS
DNS is like a telephone directory for the internet; you lookup the name of the site you want to connect to and receive a number (IP) where you can reach them. For example, we can use DNS to lookup the IP addresses that are assigned to the domain www.google.com. DNS replies with a list of IPs in the 220.127.116.11/24 range. If we select one of those IPs and connect to it then we will be connecting to a server that is hosting Google.
When one of these router DNS hijacks are successful, the DNS settings on the router are changed to point to a rogue DNS server controlled by the attackers. By default, most common operating systems (Windows, OSX, iOS, Android, Ubuntu) are configured to automatically retrieve their DNS settings from the router when they connect to a network (via DHCP). This means that when a device connects to a compromised router’s network it will be automatically configured to use the same rogue DNS settings as router.
If an attacker controls the DNS server that you are using to lookup an IP they can substitute the correct IP for the IP of a server that is under their control. Then you might connect to this IP thinking that you are connecting to a certain domain when in fact you are connecting to a server controlled by the attacker.
Google Analytics is a service that provides the ability to track and analyze website traffic. Webmasters enable Google Analytics by embedding the analytics tag on their website.
Google Analytics is currently the most widely used traffic analytics service. Since this tag is embedded on the majority of websites who are tracking traffic it is a perfect target for the fraudsters to inject into.
Google Analytics Interception and Ad Injection
In the fraud scheme investigated by the Sentrant team the criminals are using a rogue DNS server located at 18.104.22.168. During a successful router hijacking this DNS server is configured as the router’s primary DNS while Google’s DNS sever (22.214.171.124) is configured as the secondary. The DNS server at 126.96.36.199 refuses to resolve most domains forcing the victim to rely on the secondary DNS server (Google) for most domain lookups. However, when a lookup is attempted for the Google Analytics domain google-analytics.com the rogue DNS server responds with the ip 188.8.131.52, which is most certainly NOT a google server. It is a rogue Google Analytics server.
Exchange Attribution – The Ad Suppliers
The other, more complex, script that is injected via the rogue Google Analytics server is heavily obfuscated to hide its intentions.
Once the script has been de-obfuscated it is clear that it’s responsible for injecting multiple ad tags into the websites that load it.
The following domains are identified as hosting the injected ad tags: zinzimo.info, ektezis.ru, and patifil.com. These are all shell domains that direct traffic to the PopUnder ad exchange. We can confirm this by examining the SSL certificates that have been issued to these domains.
PopUnder specializes in ads that disrupt the normal browsing of the user in an attempt to force them click on the ad (ie. pop-up ads). It is through this exchange that the majority of the explicit pornographic ads are sourced, as well as the online game ads displayed in the video we captured.
Protecting Yourself as a Consumer
As we have seen above the router DNS hijacking malware is taking advantage of default credentials on the routers, and bugs that allow unauthenticated configuration requests to be sent to the routers. The best protection available is to ensure the firmware on your router is fully patched, and to change the default credentials.
Protecting Yourself as an Advertiser
Unfortunately, as we identified in our analysis above, some of the traffic sourced by these exchanges comes from iframes that are injected into websites using routers with hijacked DNS settings. As an advertiser you don’t want your ads being pushed through hacked routers nor do you want your ads displayed on publishers’ sites who source traffic through hacked routers.
Due to the nature of this scheme there is no technology that is going to detect this automatically, you need to rely on intelligence. Here at Sentrant our bot detection platform is driven by the intelligence we develop. We identify, investigate, and track these fraud schemes and the exchanges, publishers, and ad networks who support them. We deliver intelligence product that allows you to make informed decisions about where to place your ads. If you would like to know more feel free to contact us.