Summer break is almost here and all kinds of discount promotions are on the way; at the same time, a new strain of malware has gone live.


The name DNSChanger may ring a bell: this malware infected millions of computers worldwide back in 2012.

Recently, researchers at Proofpoint discovered an upgraded DNSChanger EK (exploit kit) that spreads through malicious advertising. Once a user's device is infected, the kit modifies the router's DNS server entries to point at a malicious DNS server under the attacker's control. From then on, when the user tries to visit a web page, the rogue DNS server can redirect them to a phishing site. The attacker can also inject advertisements, redirect search results, plant malware on websites, and so on.

According to the report published by Proofpoint, the upgraded DNSChanger EK has been active since late October and is linked to a recent series of malvertising campaigns. DNSChanger EK attacks routers through the user's browser: it exploits no vulnerability in the browser or the device itself, but rather vulnerabilities in home routers, and it appears to bundle a large number of known router exploits. DNSChanger EK typically launches its attacks through the Chrome browser on Windows desktops and Android devices. Once the router has been compromised, however, every user connected to it is exposed to further attacks, regardless of operating system or browser.

DNSChanger EK's router attacks appear to be tied to the last several waves of malvertising. After analysing the attack pattern and infection chain, the researchers concluded that this activity comes from the same attacker (or group) behind the "CSRF Soho Pharming" campaign seen in the first half of 2015.

Compared with the 2015 campaign, however, the researchers identified several new features in the latest wave:

  1. External DNS resolution of internal addresses

  2. Steganography used to hide:

    1. the AES key used to decrypt the list of fingerprints/default credentials and local resolutions

    2. the deployment of the commands aimed at the targeted router

  3. More than a dozen new router exploits: there are now 166 fingerprints, some of which cover several router models, compared with only 55 fingerprints in 2015. For example, the exploit for the "Comtrend ADSL Router CT-5367/5624" only appeared a few weeks earlier (13 September 2016), while the attacks began around 28 October.

  4. In 36 cases the exploit kit modifies the network rules so that the administration port becomes reachable from external addresses, exposing the router to further attacks such as infection by the Mirai botnet.

  5. Android devices have also become a vector for these attacks.

Attack chain:

The attacker uses malicious advertisements placed on legitimate websites to lure users' networks into the trap.

The complete attack flow is shown in the figure:

The figure below shows the traffic captured by the researchers:

Attack analysis:

When a user clicks a malicious ad on a PC or a phone, traffic is sent to DNSChanger EK.

DNSChanger EK sends a WebRTC request to Mozilla's STUN server at stun.services.mozilla[.]com to obtain the user's local IP address. If the user's public IP address is already known, or their local IP is outside the targeted range, the user is shown a legitimate ad from a third-party advertiser. Otherwise, the user is served a malicious ad. JavaScript extracts HTML code from the comment field of a PNG file and redirects the user to a page hosting DNSChanger EK. Note that image (1) in the figure below is the fake ad; despite its name it is not a .jpg but a PNG file.

DNSChanger EK verifies the user's local IP address once more via a STUN request. It then loads several functions and uses steganography to hide an AES key inside a small image.

That key is used to decrypt a list of fingerprints which, after removing duplicates, contains 129 entries (the full list is in the appendix).

The user's browser then tries to locate and identify the router on the network (figure above). After running the discovery function, the browser reports back to DNSChanger EK, which returns instructions telling the browser how to attack the router.

The specific router model identified during discovery determines how the attack proceeds: if no exploit is available, default login credentials are tried (such as admin:admin, admin:1234, admin:password and admin:12345); if an exploit is available, the DNS entries on the router are modified and, where possible (36 of the 129 fingerprints allow it), the administration port is opened to external addresses, which can expose the router to further attacks such as infection by the Mirai botnet.


Post-infection:

The researchers note that the purpose behind this kind of router DNS modification is usually hard to pin down, but in this case they identified at least one motive. By comparing DNS resolutions from a trusted public DNS server with those from the rogue servers above, they found that the attacker's main goal is to steal traffic from several large web advertising companies.

The attacker forces the relevant domains to resolve to 193.238.153[.]10 or 46.166.160[.]187. Depending on the domain, the attacker may alter advertising behaviour, modify the target site (for example, making a click anywhere on the page open a pop-up), or replace the original ads.

During the investigation the researchers found traffic being directed to Fogzy (a.rfgsi[.]com) and TrafficBroker; they have contacted these organisations to obtain more information and to notify them that traffic on their networks is being stolen.
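As an added example (not from the original article or Proofpoint's report), the Python below turns the indicators the researchers describe into two checks a network defender can run: whether a configured resolver falls inside the rogue DNS ranges listed in this article's appendix, and whether the router's resolver returns answers that differ from a trusted resolver's and point at the substituted IPs 193.238.153.10 or 46.166.160.187. The resolv.conf text, domain names and resolver answers are constructed sample data; only the IP ranges and substituted addresses come from the appendix.

```python
import ipaddress

# Rogue DNS server ranges from this article's IoC appendix (inclusive start..end).
ROGUE_DNS_RANGES = (
    ("46.17.102.10", "46.17.102.24"),
    ("5.39.220.117", "5.39.220.126"),
    ("217.12.218.114", "217.12.218.121"),
    ("93.115.31.194", "93.115.31.244"),
)
# Addresses the rogue servers substitute for ad-network domains (from the appendix).
SUBSTITUTED_IPS = {ipaddress.ip_address("193.238.153.10"), ipaddress.ip_address("46.166.160.187")}


def _in_range(ip: str, start: str, end: str) -> bool:
    ip, start, end = map(ipaddress.ip_address, (ip, start, end))
    # IPv4 and IPv6 addresses are not comparable; an IPv6 resolver is never in these ranges.
    return ip.version == start.version and start <= ip <= end


def is_rogue_dns_server(ip: str) -> bool:
    """True if a resolver address falls inside one of the known rogue DNS ranges."""
    return any(_in_range(ip, start, end) for start, end in ROGUE_DNS_RANGES)


def rogue_nameservers(resolv_conf: str) -> list:
    """Return the nameserver entries of a resolv.conf-style text that are known rogue servers."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            if is_rogue_dns_server(parts[1]):
                found.append(parts[1])
        except ValueError:      # malformed address: skip rather than crash the check
            continue
    return found


def compare_resolutions(trusted: dict, local: dict) -> list:
    """Compare answers from a trusted resolver with answers from the router's resolver.

    Both arguments map domain -> list of answer IPs. A domain is reported when the
    local answer contains one of the substituted IPs that the trusted resolver did
    not return, which is the pattern the researchers used to spot the ad hijack."""
    hijacked = []
    for domain, local_ips in local.items():
        trusted_ips = {ipaddress.ip_address(a) for a in trusted.get(domain, [])}
        for answer in local_ips:
            addr = ipaddress.ip_address(answer)
            if addr in SUBSTITUTED_IPS and addr not in trusted_ips:
                hijacked.append(domain)
                break
    return sorted(hijacked)


# Constructed sample data for the demonstration (not real captures).
SAMPLE_RESOLV_CONF = "search lan\nnameserver 46.17.102.15\nnameserver 8.8.8.8\n"
SAMPLE_TRUSTED = {"ads.example.com": ["203.0.113.40"], "cdn.example.net": ["203.0.113.7"]}
SAMPLE_LOCAL = {"ads.example.com": ["193.238.153.10"], "cdn.example.net": ["203.0.113.7"]}

if __name__ == "__main__":
    print("rogue resolvers:", rogue_nameservers(SAMPLE_RESOLV_CONF))           # ['46.17.102.15']
    print("hijacked domains:", compare_resolutions(SAMPLE_TRUSTED, SAMPLE_LOCAL))  # ['ads.example.com']
```

In practice the two dictionaries would be filled by querying a trusted resolver and the router (the gateway address) for the same set of domains; the comparison logic stays as shown.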

Scope of impact

Because the researchers could not obtain the correlation between fingerprint data on the victim side and the corresponding routers, they cannot provide a complete list of routers affected by this threat. However, since the kit bundles all known exploits, they recommend that users update every router's firmware to the latest known version.

The researchers found that at least the following routers are affected:

  1. D-Link DSL-2740R
  2. COMTREND ADSL Router CT-5367 C01_R12
  3. NetGear WNDR3400v3 (and likely other models in this series)
  4. Pirelli ADSL2/2+ Wireless Router P.DGA4001N
  5. Netgear R6200

In addition, a 0-day exploit was recently disclosed for Netgear's R7000, R6400 and other router models. Proofpoint specifically checked DNSChanger for fingerprints relating to these models but, as of 12 December 2016, found none. Nonetheless, the researchers still recommend that users follow US-CERT's advice and disable the web server on the affected Netgear routers, since they expect the 0-day exploit to be added to DNSChanger EK before long. Netgear has also released several beta firmware versions addressing the disclosed vulnerability, which users can download and install.

In many cases, simply disabling remote administration on a home router improves its security. In this case, however, the attacker works through the wired or wireless connection of a device that is already inside the network, so the router's settings can be changed successfully even when remote administration is switched off.
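The following Python sketch, added here as an illustration rather than code from the article or from any router vendor's firmware, shows the server-side checks a router's admin interface needs so that a request issued by a browser on the LAN cannot change settings on its own: a state-changing endpoint accepts only POST, the Origin (or Referer) host must match the router's own Host header, a session-bound anti-CSRF token must be present, and changes are refused while the admin account still uses one of the default credential pairs named above. The endpoint paths, header values and token are assumptions constructed for the demonstration.

```python
import hmac
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Default credential pairs named in the article. A login with one of these should
# force a password change before any configuration change is accepted.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("admin", "password"), ("admin", "12345")}

# Hypothetical endpoint paths that change router state (assumption for this example).
STATE_CHANGING_PATHS = {"/dnscfg.cgi", "/apply.cgi"}


def is_default_credential(username: str, password: str) -> bool:
    return (username, password) in DEFAULT_CREDENTIALS


def origin_host(headers: dict) -> Optional[str]:
    """host[:port] from the Origin header, falling back to Referer; None if neither is usable."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).netloc.lower() or None
    return None


def authorize_change(method: str, path: str, headers: dict, form: dict,
                     session_token: str, admin_has_default_password: bool) -> Tuple[bool, str]:
    """Decide whether a request to an admin endpoint may change router state.

    `session_token` is the anti-CSRF token stored server-side for the logged-in
    session; `form` holds the submitted fields. Returns (allowed, reason)."""
    if path not in STATE_CHANGING_PATHS:
        return True, "not a state-changing endpoint"
    if method != "POST":
        # A GET that changes settings can be triggered by a plain <img> tag on any page.
        return False, "state change must use POST"
    # 1. Same-origin: the submitting page must be the router's own UI, not a page
    #    loaded from elsewhere (an ad, for instance) running in the user's browser.
    src = origin_host(headers)
    host = headers.get("Host", "").lower()
    if src is None or src != host:
        return False, f"cross-origin request from {src!r} to {host!r}"
    # 2. Session-bound anti-CSRF token; compare in constant time.
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session_token):
        return False, "missing or invalid CSRF token"
    # 3. Refuse to operate while the factory credentials are still in place.
    if admin_has_default_password:
        return False, "default credentials still in use; change the admin password first"
    return True, "ok"


# Constructed sample requests for the demonstration (values are assumptions).
SAMPLE_TOKEN = "constructed-session-token"
SAME_ORIGIN_HEADERS = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"}
CROSS_ORIGIN_HEADERS = {"Host": "192.168.1.1", "Origin": "http://ad-page.example"}

if __name__ == "__main__":
    print(authorize_change("POST", "/dnscfg.cgi", SAME_ORIGIN_HEADERS,
                           {"csrf_token": SAMPLE_TOKEN}, SAMPLE_TOKEN, False))   # (True, 'ok')
    print(authorize_change("POST", "/dnscfg.cgi", CROSS_ORIGIN_HEADERS,
                           {"csrf_token": SAMPLE_TOKEN}, SAMPLE_TOKEN, False))   # cross-origin refused
    print(authorize_change("GET", "/dnscfg.cgi", SAME_ORIGIN_HEADERS, {}, SAMPLE_TOKEN, False))
```

The three checks are independent: the same-origin test alone already defeats a settings change driven from a page the browser loaded from the internet, the token covers clients that send no Origin header, and the default-credential refusal removes the fallback the kit uses when it has no exploit for the model it found.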

Mitigation

Unfortunately, there is no easy way to defend against this kind of attack. The best mitigation available today is to update the router to the latest firmware. Changing the default local IP address range may also offer some protection. In addition, since these attacks start with a malicious ad, ad-blocking browser extensions can help as well.

Conclusion

When an attacker controls a network's DNS server, the devices on that network are exposed to all kinds of malicious activity, including banking fraud, man-in-the-middle attacks, phishing, ad fraud and more. In this case, DNSChanger EK lets the attacker take over the only DNS server on a home network: the internet router itself. Overall, preventing attacks of this kind requires router manufacturers to patch their firmware regularly and users to apply those updates promptly.

Appendix

IoCs:

| Domain | IP | Comment |
|---|---|---|
| modificationserver.com | 93.115.28.248 | Malvertising Step 2 in front of the EK – 2016-12 |
| expensiveserver.com | 46.28.67.21 | Malvertising Step 1 in front of the EK – 2016-12 |
| immediatelyserver.com | | Malvertising in front of the EK – 2016-11 |
| respectsserver.com | 217.12.220.127 | Malvertising Step 1 in front of the EK – 2016-10 |
| ad.reverencegserver.com | | Malvertising Step 2 in front of the EK – 2016-10 |
| parametersserver.com | 93.115.28.249 | DNSChanger EK / RouterEK – 2016-12 |
| phosphateserver.com | | DNSChanger EK / RouterEK – 2016-11 |
| cigaretteinserver.com | | DNSChanger EK / RouterEK – 2016-10 |
| | From 46.17.102.10 up to 24 | Rogue DNS Servers |
| | From 5.39.220.117 up to 126 | Rogue DNS Servers |
| | From 217.12.218.114 up to 121 | Rogue DNS Servers |
| | From 93.115.31.194 up to 244 | Rogue DNS Servers |
| | 193.238.153.10 and 46.166.160.187 | Substituted IP for targeted traffic (impersonating server). Traffic to that host is most probably a symptom of DNS entries modified on the router. |
| pix1.payswithservers.com | | External domain for 192.168.1.1 |
| pix2.payswithservers.com | | External domain for 192.168.8.1 |
| pix3.payswithservers.com | | External domain for 192.168.178.1 |
| pix4.payswithservers.com | | External domain for 192.168.0.1 |
| pix5.payswithservers.com | | External domain for 192.168.10.1 |
| pix6.payswithservers.com | | External domain for 192.168.137.1 |
| pix7.payswithservers.com | | External domain for 10.10.10.1 |
| pix8.payswithservers.com | | External domain for 192.168.100.1 |
| pix9.payswithservers.com | | External domain for 10.1.1.1 |
| pix10.payswithservers.com | | External domain for 10.0.0.1 |
| pix11.payswithservers.com | | External domain for 192.168.2.1 |
| pix12.payswithservers.com | | External domain for 192.168.254.1 |
| pix13.payswithservers.com | | External domain for 192.168.11.1 |
| pix14.payswithservers.com | | External domain for 192.168.3.1 |
| sub[i].domain254.com for 0 < i < 18 | | Not resolving |
| sub16.domain.com | | Resolving to 66.96.162.92 |
| sub17.domain.com | | Resolving to 66.96.162.92 |
Selected ET signatures:

2023473 || ET CURRENT_EVENTS DNSChanger EK Secondary Landing Oct 31 2016
2021090 || ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015
2023466 || ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt
2020487 || ET EXPLOIT Generic ADSL Router DNS Change GET Request
2020488 || ET EXPLOIT Generic ADSL Router DNS Change POST Request
2020854 || ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015
2020856 || ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request
2020857 || ET EXPLOIT Belkin Wireless G Router DNS Change POST Request
2020858 || ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request
2020859 || ET EXPLOIT Netgear WNDR Router DNS Change POST Request
2020861 || ET EXPLOIT Motorola SBG900 Router DNS Change GET Request
2020862 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 1
2020863 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2
2020871 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3
2020873 || ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET Request
2020874 || ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request
2020875 || ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request
2020876 || ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request
2020877 || ET EXPLOIT Known Malicious Router DNS Change GET Request
2020878 || ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request
2020896 || ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015 M2
2023467 || ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt
2023468 || ET EXPLOIT Unknown Router Remote DNS Change Attempt
2023628 || ET EXPLOIT Netgear R7000 Command Injection Exploit
2823788 || ETPRO TROJAN DNSChanger Rogue DNS Server (A Lookup)
2823811 || ETPRO CURRENT_EVENTS DNSChanger EK DNS Reply Adfraud Server 1 Dec 12 2016
2823812 || ETPRO CURRENT_EVENTS DNSChanger EK DNS Reply Adfraud Server 2 Dec 12 2016
Fingerprint list (one entry per line):

[-37,"/img/Netgeargenie.png",290,41,"0",0]
[-36,"/UILinksys.gif",165,57,"0",0]
[-32,"/redbull.gif",7,7,"1",0]
[-31,"/settings.gif",654,111,"0",0]
[-30,"/images/img_masthead.jpg",836,92,"0",0]
[-29,"/images/logo.png",183,46,"0",0]
[-28,"/images/top1_1.jpg",280,87,"1",0]
[-27,"/headlogoa.gif",370,78,"0",0]
[-26,"/image/logo_gn.gif",101,51,"0",0]
[-25,"/bg_logo.jpg",858,82,"0",0]
[-24,"/image/tops.gif",450,92,"0",0]
[-23,"/graphics/banner.png",1024,70,"1",0]
[-22,"/img/loading.gif",32,32,"0",0]
[-21,"/logo_corp.gif",95,50,"1",0]
[-20,"/img/banner.gif",778,60,"0",0]
[-19,"/down_02.jpg",133,75,"0",0]
[-18,"/redbull.gif",7,7,"0",0]
[-17,"/pic/head_01.gif",162,92,"0",0]
[-16,"/image/linksys_logo.png",230,30,"0",0]
[-15,"/file/Comtrend_banner.jpg",897,70,"1",0]
[-13,"/logo.gif",371,38,"1",0]
[-12,"/image/top/NETGEAR_Genie.png",512,60,"1",0]
[-11,"/img/Netgeargenie.png",290,41,"",0]
[-10,"/tmp.gif",700,54,"1",0]
[-9,"/wlan_masthead.gif",836,92,"0",0]
[-8,"/images/logo.png",146,38,"0",0]
[-6,"/image/top/logo.gif",300,38,"0",0]
[-4,"/button_log_in.gif",70,21,"0",0]
[-3,"/image/UI_Linksys.gif",166,58,"1",0]
[-2,"/smclg.gif",133,59,"0",0]
[-1,"/themes/TM04/Drift-logo.png",300,89,"0",0]
[0,"/graphics/topbar.jpg",900,69,"1",1]
[1,"/graphics/young.png",128,96,"1",0]
[2,"/images/bg_stripes.png",50,50,"1",0]
[3,"/image/logo.png",271,43,"0",0]
[5,"/images/logo.gif",133,59,"0",0]
[8,"/img/tenda-logo-big.png",199,45,"0",0]
[9,"/images/main_welcome.gif",850,179,"1",1]
[11,"/image/UI_Linksys.gif",288,58,"0",0]
[12,"/Images/img_masthead_red.gif",856,92,"0",0]
[13,"/settings.gif",750,85,"0",0]
[14,"/images/top-02.gif",359,78,"1",0]
[15,"/UI_Linksys.gif",165,57,"1",0]
[16,"/set_bt.gif",93,52,"0",1]
[18,"/images/top1_1.jpg",208,85,"1",0]
[19,"/graphics/head_logo.gif",121,64,"0",0]
[20,"/images/top1_1.jpg",280,87,"0",0]
[21,"/router_logo.jpg",79,50,"1",0]
[22,"/graphics/gui_admin_login.jpg",283,120,"0",0]
[23,"/ag_logo.jpg",164,91,"1",0]
[24,"/images/head_logo.gif",312,68,"0",0]
[25,"/menu-images/logo.gif",169,50,"1",0]
[28,"/image/UI_Linksys.gif",288,58,"1",0]
[29,"/Images/Logo.gif",143,33,"0",0]
[30,"/images/logo.gif",169,50,"0",0]
[31,"/pic/logo.png",287,69,"0",0]
[32,"/spin.gif",16,16,"1",0]
[33,"/icons/top_left.png",300,96,"1",0]
[34,"/headlogo.gif",121,64,"0",0]
[35,"/pictures/home.jpg",255,41,"1",0]
[37,"/images/new_qanner.gif",840,92,"0",0]
[38,"/zyxellg.gif",169,50,"0",0]
[39,"/imagesV/vlogo_blk.jpg",185,40,"0",0]
[40,"/images/New_ui/asustitle.png",218,54,"0",0]
[41,"/images/New_ui/asustitle_changed.png",218,54,"0",0]
[45,"/images/date_bg.png",71,70,"0",0]
[47,"/graphic/head_04.gif",836,92,"0",0]
[49,"/image/logo.gif",390,69,"0",0]
[50,"/images/data_1_voda.gif",149,28,"0",0]
[51,"/images/logo_wind.gif",156,28,"0",0]
[53,"/pic/ag_logo.jpg",164,91,"0",0]
[54,"/banner_s.gif",126,65,"1",0]
[55,"/logo.gif",270,69,"0",0]
[56,"/logo_320x23.png",320,23,"0",0]
[58,"/image/UI_Linksys.gif",165,57,"1",0]
[59,"/file/int_logo_4_firmware.gif",366,66,"1",0]
[61,"/images/header.jpg",800,70,"0",0]
[62,"/images/btn_apply.png",61,20,"0",0]
[63,"/tendalogo.gif",387,90,"0",0]
[64,"/file/Logo.gif",216,83,"1",0]
[65,"/body/logo.jpg",154,118,"0",0]
[68,"/head_logo_p1_encore.jpg",92,72,"0",0]
[69,"/images/UI_Linksys.gif",288,57,"0",0]
[70,"/images/title_2.gif",321,28,"1",0]
[71,"/home_01.gif",765,95,"0",0]
[74,"/wlan_masthead.gif",836,85,"0",0]
[75,"/settingsDGND3300.jpg",799,97,"0",0]
[76,"/main/banner_files/bannertxt.gif",672,40,"0",0]
[77,"/html/images/dsl604.jpg",765,95,"1",0]
[79,"/head_logo.gif",140,64,"0",0]
[80,"/images/logo.jpg",270,69,"0",0]
[81,"/images/logo_netis.png",121,31,"0",0]
[82,"/images/icon-Change_pencil.png",18,18,"0",0]
[83,"/logo1.gif",207,105,"0",0]
[85,"/images/icon_now.gif",14,14,"0",0]
[87,"/down_02.jpg",135,75,"0",0]
[88,"/Images/logo.gif",270,69,"1",0]
[89,"/UILinksys.gif",166,58,"1",0]
[91,"/image/UI_Linksys.gif",134,58,"1",0]
[92,"/logo.gif",390,69,"0",0]
[93,"/images/icon_now.gif",14,14,"1",0]
[95,"/Images/img_masthead_red.gif",836,92,"0",0]
[97,"/images/topbg.gif",960,66,"0",0]
[99,"/down_02.jpg",133,75,"1",0]
[102,"/images2/main_title.n704bcm.gif",758,74,"0",0]
[104,"/common/images/logo.gif",108,32,"0",0]
[105,"/Images/logo.gif",780,62,"0",0]
[106,"/images2/login_title.n704bcm.gif",299,62,"0",0]
[107,"/images2/login_title.n704a3.gif",299,62,"0",0]
[108,"/file/logo.gif",165,47,"1",0]
[110,"/images/login_title_n104t.gif",299,62,"0",0]
[111,"/img/redbull.gif ",7,7,"1",0]
[112,"/images/head_logo.gif",140,78,"0",0]
[114,"/img/title_RP614v4.gif",750,85,"0",0]
[115,"/UI_Linksys.gif ",273,44,"1",0]
[116,"/logo.gif",318,69,"0",1]
[117,"/pic/img_masthead.gif",836,92,"0",0]
[118,"/images/logo.gif",76,69,"0",0]
[119,"/images/logo_transparent.gif",156,129,"0",0]
[121,"/Images/bg_a1.gif",280,70,"0",0]
[122,"/images/index_wrapper_bg_3347.png",801,325,"0",0]
[123,"/images/vz_logo.gif",185,40,"0",0]
[124,"/file/Manhattan_Banner.png ",452,90,"1",0]
[125,"/Images/Logo.gif",150,47,"0",0]
[126,"/Images/Logo.gif",200,50,"0",0]
[127,"/images/corp_logo.gif",153,42,"0",0]
[128,"/images/logo.png",171,75,"0",0]
[129,"/cornerartD241.jpg",140,90,"0",0]

Article title: DNSChanger Is Back, Home Routers Beware