Google Chrome and Internet Explorer used to reconfigure routers with malware!

A browser-based attack tool has recently been devised by cyber criminals to hijack routers on a large scale when users visit compromised websites or view malicious advertisements in their browser. The goal of these attacks is to replace the DNS servers configured on routers with rogue ones controlled by the attackers, allowing them to intercept traffic, spoof websites, hijack search queries, inject rogue ads into web pages and more.

According to a research report from Kaspersky, this browser-based attack tool was developed early this year and most affected users of Google Chrome and Internet Explorer 7, 8 and 9.

A DNS server is simply a system which translates domain names, which are easy for people to remember, into the IP addresses that computers use to communicate with each other.

A DNS server works as follows: as soon as a user types a website name into a browser and presses Enter, the browser asks the operating system for that website's IP address. The operating system on the user's PC then contacts the local router, which in turn queries the DNS servers configured on it, normally the servers run by the ISP. The chain continues until the request reaches the authoritative server for the domain name in question, or until a server along the way answers from its cache.

If a rogue address is inserted into this chain, the local router starts sending its queries to the rogue server. That server can answer with the address of a different host, one serving a fake version of the website designed to steal the user's credentials.
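The resolution chain and the diversion described above, modelled as an added example (not code from the original post). It builds a small chain of resolvers, swaps the router's forwarder for a rogue one, and then runs the check a defender would want: compare the router's answers with a trusted resolver's answers and confirm the configured forwarder is one of the expected addresses. All domain names, addresses and resolver tables are constructed for illustration.

```python
"""Model of the DNS resolution chain (PC -> router -> forwarder -> upstream)
and a check that detects a router whose forwarder has been replaced.
Added example; every address, domain and record below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class Resolver:
    """A DNS server: answers from its own table, otherwise asks its upstream."""
    name: str
    address: str
    records: Dict[str, str] = field(default_factory=dict)  # domain -> IPv4
    upstream: Optional["Resolver"] = None

    def resolve(self, domain: str) -> Optional[str]:
        if domain in self.records:          # authoritative data or cache hit
            return self.records[domain]
        if self.upstream is not None:       # chain continues upstream
            return self.upstream.resolve(domain)
        return None


@dataclass
class Router:
    """Home router: the PC's stub resolver asks it, it asks its forwarder."""
    forwarder: Resolver

    def resolve(self, domain: str) -> Optional[str]:
        return self.forwarder.resolve(domain)


# Constructed sample chain: authoritative server behind the ISP's resolver.
AUTHORITATIVE = Resolver("authoritative", "203.0.113.53",
                         {"bank.example": "203.0.113.10",
                          "news.example": "203.0.113.20"})
ISP_DNS = Resolver("isp-dns", "198.51.100.53", upstream=AUTHORITATIVE)

# Rogue resolver: lies about the bank, relays everything else so nothing
# looks broken to the user (constructed addresses).
ROGUE_DNS = Resolver("rogue-dns", "192.0.2.66",
                     {"bank.example": "192.0.2.99"}, upstream=AUTHORITATIVE)


def build_router(hijacked: bool) -> Router:
    """Router as shipped (ISP forwarder) or after a DNS-changing attack."""
    return Router(ROGUE_DNS if hijacked else ISP_DNS)


def check_for_hijack(router: Router, trusted: Resolver,
                     domains: Iterable[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Compare the router's answers with a trusted resolver's answers.
    Returns domain -> (router_answer, trusted_answer) for every mismatch."""
    mismatches = {}
    for domain in domains:
        got, want = router.resolve(domain), trusted.resolve(domain)
        if got != want:
            mismatches[domain] = (got, want)
    return mismatches


def forwarder_is_expected(router: Router, expected: Set[str]) -> bool:
    """Configuration-level check: is the forwarder one we recognise?"""
    return router.forwarder.address in expected


if __name__ == "__main__":
    for hijacked in (False, True):
        r = build_router(hijacked)
        print("hijacked" if hijacked else "clean",
              forwarder_is_expected(r, {"198.51.100.53"}),
              check_for_hijack(r, AUTHORITATIVE, ["bank.example", "news.example"]))
```

Only the targeted domain disagrees; every other lookup still resolves correctly, which is why comparing answers for a handful of high-value domains against a known-good resolver catches more than a user noticing "broken internet" ever would.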

In a recent revelation, it was observed that drive-by download attacks launched from compromised websites were redirecting users to an unusual web-based exploit kit specifically designed to compromise users. It was also found that users of Google Chrome and IE with outdated browser plug-ins such as Flash Player, Java, Adobe Reader or Silverlight were more prone to such events. The attackers' goal is to install malware on computers that lack the latest patches for popular software.

Lucy Attenborough, an independent researcher who also works for Kaspersky, elaborated the vulnerability as follows. Malicious code injected into compromised websites, or included in rogue ads, automatically redirects the user's browser to an attack server that determines their OS, geographical location, IP address, browser type, installed plug-ins and other technical details. Based on these parameters, the server selects the exploit from its arsenal most likely to succeed and injects it into the request.

This web-based attack is possible through a technique called Cross-Site Request Forgery (CSRF), which allows a malicious website to force a user's browser to perform rogue actions on a different website. That target website can be a router's configuration page, even though it is only reachable from the local network, because the user's browser is on that network.

Though many websites on the internet have implemented defenses against CSRF, routers in general lack such protection.

D-Link, Belkin, Asustek, Edimax, Linksys, Medialink, Microsoft, Netgear, Shenzhen Tenda Technology, TP-Link, Netis, Trendnet and ZyXEL are some of the router brands prone to such browser-based attacks, and the list may grow further.

Although some companies have released firmware updates after learning of this issue, some router models need to be updated manually through a process that requires technical skill and is not easy for a typical user.

It is reported that during the first week of May 2015, the attack server received around 250,000 unique visitors a day. The most affected users were in countries such as the US, Russia, Australia, Brazil and India.

The best way to protect against such attacks is to periodically check the manufacturer's website for firmware updates for your router model, and to download and install any that are available.

If the router allows it, users should also restrict access to the admin interface to an IP address that no device normally uses, but which can be manually assigned to their computer when they need to change the router's settings.
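The CSRF weakness described earlier and the admin-address restriction just above, shown together as an added example (not the firmware of any vendor listed, and not code from the original post). A "set DNS servers" handler that only checks the login cookie is compared with a hardened one that applies three defenses: the admin interface answers only from the designated address, the request must originate from the router's own pages (Origin or Referer header), and a per-session CSRF token must be echoed in the form. The router address, session store, cookie values and client addresses are all constructed assumptions.

```python
"""Router admin handler for changing DNS servers: CSRF-vulnerable form
beside a hardened form. Added example; hosts, sessions and addresses are
constructed and the handlers are simplified models, not a real web stack."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

ROUTER_HOST = "192.168.1.1"            # assumed LAN address of the router
ADMIN_ALLOWED_IPS = {"192.168.1.250"}  # address no device normally uses (article's advice)

# Constructed session store: cookie value -> session record with CSRF token.
SESSIONS = {"sess-abc": {"user": "admin", "csrf": secrets.token_hex(16)}}


@dataclass
class Request:
    method: str
    client_ip: str
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class RouterConfig:
    dns_servers: List[str] = field(default_factory=lambda: ["198.51.100.53"])


def vulnerable_set_dns(req: Request, cfg: RouterConfig) -> int:
    """Checks only the session cookie. A browser attaches that cookie to a
    form POST triggered by any site, so a rogue page can change the DNS."""
    if req.method != "POST" or req.cookies.get("session") not in SESSIONS:
        return 403
    cfg.dns_servers = req.form["dns"].split(",")
    return 200


def hardened_set_dns(req: Request, cfg: RouterConfig) -> int:
    session = SESSIONS.get(req.cookies.get("session", ""))
    if req.method != "POST" or session is None:
        return 403
    # 1. Admin interface reachable only from the designated address. A forged
    #    request is sent by the victim's everyday machine, not that address.
    if req.client_ip not in ADMIN_ALLOWED_IPS:
        return 403
    # 2. Request must originate from the router's own pages. A missing header
    #    yields hostname None and is rejected too.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if urlparse(origin).hostname != ROUTER_HOST:
        return 403
    # 3. Per-session CSRF token, compared in constant time.
    if not hmac.compare_digest(req.form.get("csrf", ""), session["csrf"]):
        return 403
    cfg.dns_servers = req.form["dns"].split(",")
    return 200


def rogue_request() -> Request:
    """Constructed cross-site POST: logged-in cookie rides along, but it comes
    from the victim's normal PC, a foreign origin, and carries no token."""
    return Request("POST", "192.168.1.23", {"session": "sess-abc"},
                   {"dns": "192.0.2.66"}, {"Origin": "http://evil.example"})


def legitimate_request() -> Request:
    """Constructed admin POST from the designated address and the router's page."""
    return Request("POST", "192.168.1.250", {"session": "sess-abc"},
                   {"dns": "198.51.100.53,198.51.100.54",
                    "csrf": SESSIONS["sess-abc"]["csrf"]},
                   {"Origin": "http://" + ROUTER_HOST})


if __name__ == "__main__":
    cfg = RouterConfig()
    print("vulnerable, rogue:", vulnerable_set_dns(rogue_request(), cfg), cfg.dns_servers)
    cfg = RouterConfig()
    print("hardened, rogue:", hardened_set_dns(rogue_request(), cfg), cfg.dns_servers)
    print("hardened, legit:", hardened_set_dns(legitimate_request(), cfg), cfg.dns_servers)
```

The three checks are independent, and each alone stops the rogue request here; keeping all of them matters because older browsers do not always send Origin, and the address restriction only helps while the admin address is genuinely unused by the machine that browses the web.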

And last but not least, keep your browser up to date and dump old versions like IE 7 and 8 as soon as possible.
