[Cryptography] DNSChanger in ad malware attacks home routers

Jerry Leichter leichter at lrw.com
Sun Dec 18 17:51:34 EST 2016


> My (hbaker's) comments:
> 
> While this attack somehow modifies the home router to change the way it handles DNS, it isn't clear whether the problem can be solved through a better DNS system.
> 
> Also, I would imagine that browsers configured to somehow handle their own DNS queries should be able to bypass the router's own settings.  Also, any computer which connects to the router but ignores the router's DHCP DNS recommendation should also be OK. Is this correct?
That article is way below Ars's usual standards - approaching clickbait.  The stuff about steganography - while true as far as it goes - is a way of making the whole thing look more scary:  There can be an attack *hidden invisibly inside a picture!*  Well, no ... there can be some data used by an attack that's carried along inside a picture thus making the job of scanners harder - but scanners are pretty much a lost cause today anyway.

And, oh my goodness, it will use a STUN attack!  Kind of like a stun gun.  Very scary.  Well, no, STUN is simply a Secure TUNnel protocol.

The Proofpoint article has a bit of this as well, but at least it gives actual details.  Yes, it's a pretty sophisticated package of attacks against a variety of home routers.  It tries to avoid attacking systems used by those likely to notice and analyze the attack - though the fact that this article exists shows that it got noticed, grabbed, and analyzed anyway.  It also follows a pattern we first saw in "military grade" attacks in which an initial download does reconnaissance, sends the information back home to an attack server, and receives a downloaded attack that knows how to deal with its specific router.

What exactly they do to infected routers gets a bit vague.  Home routers could get involved in DNS in one of three ways:

1.  Providing a DNS server address as part of DHCP.
2.  Providing a local DNS cache.
3.  Re-routing specific known DNS resolver addresses someplace else.

Method 1 is pretty much universal, and the vast majority of home devices are configured to get their DNS server information this way.  Most ISPs configure routers to direct DNS queries to *their* routers.  Obviously, if you take over a router you can send DNS queries where you like.

Most "larger" devices allow you to override the DHCP settings and send the queries wherever you like.  Realistically, few people want to do this, much less know how.  And I'm not sure IoT devices even allow you to play with this.  So ... if this is the whole attack, sophisticated users can protect their PC-class devices and some phones (the iPhone seems to provide a setting, though you have to dig down pretty deep).  But in practice, even this is asking too much of most users.

At least some of these routers can be configured as the local DNS server, sending out their own local address with DHCP.  I actually do that on my home network - but I don't use my ISP's (Frontier) router to do it, but rather my own WiFi access point, which in turn points not to the ISP DNS offered to it by the router's DHCP but to resolvers of my own choosing.  Obviously, if the router in such a configuration is compromised, the individual devices on the network will all look just fine - they'll all continue to use the local resolver - but that will be compromised to go to the attacker's resolver.

And I suppose, since the number of commonly used top resolvers isn't that long (and in any case the initial reconnaissance can determine what the victim is using), the router could invisibly re-direct traffic intended for a "known good" resolver to the attacker's resolver.  If I were crafting an attack of this sort, this is what I'd do:  It would leave nothing at all visible within the network itself without some pretty careful analysis.

The article is a bit vague about what's actually being done.  It almost seems to imply that the router interposes itself into DNS queries and alters them.  While this would be possible in theory, it would be an unnecessarily roundabout and complex way to do things.
                                                        -- Jerry
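A defender-side check for the first two methods Jerry lists (a DHCP-offered or router-local resolver that has been pointed at an attacker's server), written as an added example for this archive page and not taken from the thread or the Proofpoint write-up. It encodes a minimal RFC 1035 A query, parses the answers, and flags any resolver whose answers for a name with stable, world-wide records share no address with the answers from a set of reference resolvers. The LAN resolver address `192.168.1.1`, the name `www.example.com`, the RFC 5737 answer addresses and all the response bytes are constructed for the demonstration; `9.9.9.9` and `1.1.1.1` are used only as labels for reference resolvers, and `query_udp` is the optional live path, not exercised offline.

```python
import socket
import struct


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a standard recursive A/IN query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> tuple[int, set[str]]:
    """Return (transaction id, set of IPv4 answers) from a DNS response message."""
    qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs: set[str] = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return qid, addrs


def build_response(qid: int, name: str, addrs: list[str]) -> bytes:
    """Constructed response for offline use: echoes the question, answers point back to it."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)  # QR=1, RD=1, RA=1
    body = build_query(name, qid)[12:]
    for a in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return header + body


def query_udp(server: str, name: str, timeout: float = 2.0) -> bytes:
    """Live path (not used offline): send one query over UDP/53 and return the raw reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recv(512)


def detect_hijack(observed: dict[str, bytes], reference: set[str]) -> list[str]:
    """Resolvers (other than the references) whose answers share no address with the
    references' combined answers. Use a name with stable records, not a geo-balanced CDN."""
    parsed = {r: parse_a_records(m)[1] for r, m in observed.items()}
    consensus = set().union(*(parsed[r] for r in reference))
    return sorted(r for r in parsed if r not in reference and parsed[r].isdisjoint(consensus))


def demo_detect() -> list[str]:
    """Constructed scenario: the DHCP-offered LAN resolver (the router) answers with an
    attacker-controlled address while two reference resolvers agree on the real one."""
    name = "www.example.com"
    observed = {
        "192.168.1.1": build_response(1, name, ["198.51.100.7"]),   # hijacked LAN resolver
        "9.9.9.9": build_response(2, name, ["203.0.113.10"]),
        "1.1.1.1": build_response(3, name, ["203.0.113.10"]),
    }
    return detect_hijack(observed, {"9.9.9.9", "1.1.1.1"})


if __name__ == "__main__":
    print("divergent resolvers:", demo_detect())
```

The comparison only has meaning for Jerry's methods 1 and 2. Under method 3, where the router silently re-routes packets addressed to a "known good" resolver, the reference answers arrive over the same compromised path and will agree with the hijacked ones, so the reference set has to be obtained over an authenticated channel (DNS over TLS or HTTPS to a pinned resolver, or a query run from outside the network) before this check tells you anything.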
