[Cryptography] DNSChanger in ad malware attacks home routers

Henry Baker hbaker1 at pipeline.com
Sat Dec 17 13:08:23 EST 2016


FYI --

http://arstechnica.com/security/2016/12/home-routers-under-attack-in-ongoing-malvertisement-blitz/

https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

Home routers under attack in ongoing malvertisement blitz

DNSChanger causes network computers to visit fraudulent domains.

Dan Goodin - Dec 16, 2016 9:42 pm UTC

As you read these words, malicious ads on legitimate websites are targeting visitors with malware.  But that malware doesn't infect their computers, researchers said.  Instead, it causes unsecured routers to connect to fraudulent domains.

...

... they serve a fake ad that hides exploit code in the metadata of a PNG image.  The code, in turn, causes the visitor to connect to a page hosting DNSChanger, ... the malicious site serves a second image concealed with the router exploit code.

...

DNSChanger uses a set of real-time communications protocols known as webRTC to send so-called STUN server requests used in VoIP communications.  The exploit is ultimately able to funnel code through the Chrome browser for Windows and Android to reach the network router.  The attack then compares the accessed router against 166 fingerprints of known vulnerable router firmware images.

...

DNS servers translate domain names such as arstechnica.com into IP addresses such as 50.31.151.33, which computers need to find and access the site.  By changing router settings to use an attacker-controlled server, DNSChanger can cause most, if not all, connected computers to connect to impostor sites that look just like the real ones.  So far, the malicious DNS server used by DNSChanger appears to be falsifying IP addresses to divert traffic from large ad agencies in favor of ad networks known as Fogzy and TrafficBroker.  But the server could be updated at any time to falsify lookups for Gmail.com, bankofamerica.com, or any other site.  In such a scenario, fortunately, HTTPS protections would flag the impostor.

----
My (hbaker's) comments:

While this attack somehow modifies the home router to change the way it handles DNS, it isn't clear whether the problem can be solved through a better DNS system.

Also, I would imagine that browsers configured to somehow handle their own DNS queries should be able to bypass the router's own settings.  Also, any computer which connects to the router but ignores the router's DHCP DNS recommendation should also be OK.  Is this correct?
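One concrete form of the "ignore the router's DHCP DNS recommendation" idea raised above is to inspect the resolvers the router advertises in DHCP option 6 before a client accepts them. The following is an added example, not code from the post or from the Proofpoint/Ars write-up; the LAN range, the trusted-resolver list and the sample option bytes are assumptions constructed for the demonstration.

```python
import ipaddress

# DHCP option tags used here (RFC 2132): 0 = pad, 6 = Domain Name Server, 255 = end.
OPT_PAD, OPT_DNS, OPT_END = 0, 6, 255


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV option area of a DHCP message into {tag: value_bytes}."""
    result, i = {}, 0
    while i < len(options):
        tag = options[i]
        if tag == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if tag == OPT_END:          # end marker, ignore anything after it
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        result[tag] = value
        i += 2 + length
    return result


def dns_servers(options: bytes) -> list:
    """Return the resolvers advertised in option 6 as IPv4Address objects."""
    raw = parse_dhcp_options(options).get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [ipaddress.IPv4Address(raw[k:k + 4]) for k in range(0, len(raw), 4)]


def suspicious_dns(options: bytes, lan="192.168.1.0/24",
                   trusted=("1.1.1.1", "8.8.8.8")) -> list:
    """Advertised resolvers that are neither on the LAN (the router itself) nor trusted.
    The LAN range and trusted list are assumptions; adjust them for the real network."""
    lan_net = ipaddress.IPv4Network(lan)
    ok = {ipaddress.IPv4Address(t) for t in trusted}
    return [str(a) for a in dns_servers(options) if a not in lan_net and a not in ok]


# Constructed sample option area: the router's LAN address, a trusted public resolver,
# and an unexpected public address (203.0.113.7 is a documentation-range placeholder).
SAMPLE = (bytes([OPT_DNS, 12])
          + ipaddress.IPv4Address("192.168.1.1").packed
          + ipaddress.IPv4Address("8.8.8.8").packed
          + ipaddress.IPv4Address("203.0.113.7").packed
          + bytes([OPT_END]))

if __name__ == "__main__":
    print(suspicious_dns(SAMPLE))   # prints ['203.0.113.7']
```

A client that flags the unexpected resolver and falls back to a pinned upstream (or DNS over TLS/HTTPS) is unaffected by the router setting change described in the article, although devices that simply accept the lease are not.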
