Malware that targets computers are rather common but malware that targets routers are a completely different thing. Researchers from the security firm Proofpoint have discovered that the way it operates is similar to the recently discovered Stegano malware.
The malware is called DNSChanger, and it spreads via malware-laced ads that are served by large ad networks. DNSChanger will first check the visitor’s IP address to see if it is within the range. If the address doesn’t fall within the target range, DNSChanger will set up decoy ads that are clean.
On the other hand, if the address falls within a range, the malware would publish a fake ad that hides exploit code in the metadata of a PNG image.
Once the malicious code manages to sneak its way into the target’s PC, it causes the target to connect to a page that hosts DNSChanger. The website will conduct yet another scan to ensure that the target’s IP address is within the targeted range, and when it’s confirmed, the site would display a second image that contains the exploit code.
What happens next depends on the router model that DNSChanger is attacking. If the router model has known exploits, DNSChanger will utilize these exploits to modify the DNS entries in the router. When possible, make administration ports available from external addresses.
If the router has no known exploits, DNSChanger would attempt to use default credentials to gain access to the router. If the router has no known exploits and no known passwords, the malware would then abandon the attack.
Assuming it manages to get access to the router, DNSChanger is able to force connected computers to connect to impostor sites that are visually identical to the real one.
Proofpoint has found out that the malware appears to be falsifying IP addresses in order to divert traffic from ad agencies in favor of ad networks known as Fogzy and TrafficBroker.
At the moment, Proofpoint has mentioned that it is impossible to name all the routers that are susceptible to DNSChanger. However, Proofpoint did inform the five router models that can be compromised by this particular malware.
In order to protect yourself from DNSChanger, Proofpoint has recommended that your routers are updated to the latest available firmware and is protected with a long, randomly-generated password. Additionally, disabling remote administration and changing the router’s default local IP address is an effective preventive measure.