and the ad industry is still wondering why we REALLY want to block their shit....
Evolved DNSChanger malware slings evil ads at PCs, hijacks routers
Malware that spreads via evil web ads and menaces broadband routers has been discovered – and it's going to be particularly horrible for small business and home internet users, which it targets. This latest variant of the years-old DNSChanger nasty, just spotted by Californian infosec biz Proofpoint, works like this: some …
COMMENTS
Tuesday 20th December 2016 10:55 GMT Anonymous Coward
I suspect they're going the way of Goggle and Farcebook: embedding this crud in what in Facebook's case can only be jokingly referred to as "information". YouTube is already turning into YouTurd with the clickable overlays, embedded ads and other miscellaneous sh*te they can dream up, and no doubt this will soon be followed by others. Visit the BBC from abroad and every video clip has embedded ads in it (real good planning that - do you really want to have your Thompson Holidays ads embedded in the reports of another plane crash?) and it's spreading.
At present I find myself using Vimeo a LOT more than YouTube exactly because of the ads.
Tuesday 20th December 2016 11:04 GMT Duncan Macdonald
Best protection?
For users, about the best that can be done seems to be removing Flash, using NoScript and AdBlockPlus, and setting your PC's DNS entries to use Google's public DNS (IP addresses 8.8.8.8 and 8.8.4.4).
The fix that is needed is for all sites to stop linking to external ad supplier networks - all ads should be hosted on the main site's website and have NO SCRIPTING of any sort. (Possibly the way to enforce this would be to make sites liable for any damage caused by their code or code from other sites that they serve to users.)
(If you are on Windows 10 and cannot remove Flash from the Microsoft browsers - make yourself safer by using a different browser (Firefox or Chrome), and if you have a firewall with program control (e.g. Norton) then block IE and Edge from all internet access.)
Tuesday 20th December 2016 11:27 GMT The Original Steve
DNS or DHCP?
So is this changing the DNS server IPs handed out via the router's built-in DHCP? Or is it poisoning the DNS server built into the router? Or - and I guess more likely - is the virus modifying the DNS server forwarders on the router's DNS server?
For my sins I use a Windows DNS and DHCP server at home (I know - I'm a sadist) but I'm curious if I could be impacted by having one of my DNS forwarders set to the home router..?
Wednesday 21st December 2016 11:14 GMT Mage
Re: DNS or DHCP?
If the router has default settings, then a script on a webpage can change the DNS setting of the router (usually your ISP's) to a malicious DNS.
The LAN DHCP clients use the router for DNS by default, which is sensible.
Secure the router: disable UPnP, change the user name and password to decent ones you write down.
Note that the WiFi ID and passphrase are different, and ALSO should be changed from default. Don't use TKIP but WPA2.
Tuesday 20th December 2016 14:03 GMT Anonymous Coward
I think I may have that Comtrend router at my business
Don't have the model number handy, but since it is in bridging mode I'm probably safe, as only trusted clients can access the subnet its interface is available on. Better yet I'd already scheduled an upgrade from DSL to fiber that should be completed by the end of the year!
Tuesday 20th December 2016 19:58 GMT GrapeBunch
The family coracle is pwned
There I was, wondering if our home router could be programmed to filter out nasties for all the computers here, and suddenly it is a weak link. I've been using microcomputers (as they were then called) since 1979 and dial-up melding into the Internet since 1988. Am I paranoid, or is the Internet (recently) approaching becoming too dangerous to browse? Taking into account all the websites that don't work with even fairly porous NoScript settings?
iOS devices on average are fairly benign, but do threats of this ilk make carefree iOS use a new conduit for pulling your whole network down?
Can we have an icon that communicates that questions are not rhetorical? Perhaps a big red ? on a yellow background?
Wednesday 21st December 2016 01:05 GMT Anonymous Coward
Re: The family coracle is pwned
Nope, no, and not really.
These are things a paranoid Windows user needs to fear. Do you run a lightly to barely protected Windows machine with IE/Chrome as your primary browser? Do you visit lots of dodgy sites, and generally install crap on a whim, or let kids install all sorts of garbage on it? If you said no, then you do not need to worry. These are things that people who are generally careless while using the Internet need to bother with. The iOS devices are going to be very secure. They emit no extra services, other than the 1st party stuff, which you can lock down. Getting your router pwned is a very, very rare event, and almost impossible if you are mostly careful about your Internet usage. I know I don't need to worry much because: 1) I can clean up whatever mess occurs, 2) I don't use Windows, 3) if I were to use it, it would be with Ad Block and other JavaScript blocking enabled, 4) I know how to verify my DNS lookups at the command line and via packet capture and out-of-band, 5) I use iOS Safari for most browsing, so mostly safe again, and 6) my browsers are double-NATted, so you would have to both hijack a browser behind my Airport firewall, then out to the Comtrend. Nothing is on that net except other routers, all of different manufacturer type. That's it; unless the exterior network can be bridged and the attack made there, there's no getting inside this network via advert hijacking. Ever. Pwning the router once inside would be trivial no matter how many NATs I sit behind, if they are connected and available, but they end up on weirdly numbered 10.net class C addresses, so kinda confusing to isolate it, but not impossible. Otherwise, this is not very exciting. I don't see adverts from dodgy web sites, nor any from TV anymore. I don't miss them. Sounds painful. :P