
How does DNSChanger take advantage of WebRTC protocols?

WebRTC protocols are being targeted by a new version of the DNSChanger exploit kit. Judith Myerson explains how these attacks work and what enterprises should know.

A new version of the exploit kit called DNSChanger, which causes wireless routers to connect to malicious domains, uses WebRTC protocols to commit its attacks. What is WebRTC, and how does DNSChanger use it?

Web Real-Time Communications (WebRTC) is a common set of network protocols that enable real-time communication over internet connections. WebRTC allows a webpage to learn the IP address of your wireless router, even when you are using a VPN connection, and no third-party plug-ins are needed for it to do so.

The DNSChanger exploit kit abuses this address disclosure to conduct network reconnaissance and then attack the domain name system (DNS) entries in routers. DNSChanger uses WebRTC via the Chrome browser to query a STUN server and discover the victim's IP address. If the victim's public IP address is already known, or if their local IP address is not in the targeted ranges, the victim is sent down a decoy path that displays an advertisement. The advertisement looks legitimate, but it is actually a fake.

The victim is unlikely to notice that this image is served as a JPEG when it is actually a PNG file. Meanwhile, JavaScript extracts HTML code hidden in the comment field of the PNG file.
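The two tricks described above, a PNG served under a JPEG label and HTML hidden in a PNG comment chunk, are both checkable on the wire. The following is an added example (not code from the article or from Proofpoint) that a defender could run over image bodies pulled from a proxy log: it builds a constructed sample PNG, walks its chunks, and flags a Content-Type mismatch or HTML markup in any tEXt/zTXt chunk.

```python
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def build_png_with_text(keyword: str, text: str) -> bytes:
    """Constructed sample input: a 1x1 RGB PNG carrying one tEXt (comment) chunk."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, bit depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")              # filter byte + one black pixel
    payload = keyword.encode("latin-1") + b"\x00" + text.encode("latin-1")
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"tEXt", payload) \
        + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def png_text_chunks(data: bytes):
    """Yield (keyword, text) for every tEXt and zTXt chunk in a PNG byte string."""
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length                                 # length + type + data + CRC
        if ctype == b"tEXt":
            kw, _, txt = body.partition(b"\x00")
            yield kw.decode("latin-1", "replace"), txt.decode("latin-1", "replace")
        elif ctype == b"zTXt":                             # keyword \0 method zlib-data
            kw, _, rest = body.partition(b"\x00")
            try:
                yield kw.decode("latin-1", "replace"), zlib.decompress(rest[1:]).decode("latin-1", "replace")
            except zlib.error:
                continue
        elif ctype == b"IEND":
            break

# Tags that have no business inside an image comment field.
HTML_MARKER = re.compile(r"<\s*(script|iframe|html|body|img|a)\b", re.I)

def inspect_image(declared_type: str, data: bytes) -> list:
    """Return findings for an image body served with the given Content-Type header."""
    findings = []
    is_png = data.startswith(PNG_MAGIC)
    if declared_type.lower() == "image/jpeg" and is_png:
        findings.append("content-type mismatch: declared JPEG, actual PNG")
    if is_png:
        for kw, txt in png_text_chunks(data):
            if HTML_MARKER.search(txt):
                findings.append(f"HTML markup in PNG text chunk {kw!r}: {txt[:40]!r}")
    return findings
```

Feeding a real capture means pairing each response body with its declared Content-Type; a hit on either check is a reason to pull the page that referenced the image.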

Upon execution, the HTML code sends the victim back to the DNSChanger landing page. Multiple malicious functions are then loaded, including one that extracts an Advanced Encryption Standard key hidden in a small image. This key is used to encrypt the traffic to DNSChanger so that it is concealed from network administrators. The key is also used to decrypt the router "fingerprints" and the associated commands used to attack the router.

Once the victim's browser has located the router, the reconnaissance phase starts: the exploit kit collects the router model, firmware version and other details and matches them against its existing router fingerprints. When this phase ends, the browser reports back to the DNSChanger home, which, in turn, returns detailed instructions for attacking that specific router.

Because the exploit takes advantage of WebRTC protocols, it works regardless of the operating system and browser in use. If a router has no known flaws, the attack will attempt to log in with default credentials. If the router has known exploits, such as the recent Netgear vulnerability, the attack will use them to modify the DNS entries in the router.

Cybersecurity company Proofpoint, which discovered the new version of DNSChanger, reported in December 2016 that the exploit kit activity appears to have ceased. However, enterprises should still make sure their router firmware is updated, and that any default credentials have been changed. 


This was last published in February 2017
