A new version of the exploit kit called DNSChanger, which causes wireless routers to connect to malicious domains, ... uses WebRTC protocols to commit its attacks. What is WebRTC, and how does DNSChanger use it?
Web Real-Time Communications (WebRTC) is a standard set of network protocols and browser APIs that enable real-time communication directly between browsers over internet connections, with no need for third-party plug-ins. As part of setting up a connection, WebRTC lets a webpage learn the IP addresses of your network, including the public address of your wireless router, even when you are using a VPN connection.
The DNSChanger exploit kit abuses this data sharing to perform network reconnaissance and then attack the domain name system (DNS) entries in routers. Running in the Chrome browser, DNSChanger uses WebRTC to send a request to a STUN server, which reveals the victim's IP address. If the victim's public IP address is already known to the kit, or if their local IP address is not in the targeted ranges, the victim is sent down a decoy path that displays an advertisement. The advertisement looks legitimate, but it is a fake.
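The IP discovery described above happens through ICE candidates, the strings a page receives in an RTCPeerConnection's icecandidate events: a host candidate carries a LAN address (current browsers may hide it behind an mDNS name), and a STUN server-reflexive (srflx) candidate carries the public address of the NAT, that is, the wireless router, plus a raddr field that can repeat the LAN address. The following JavaScript is an added example, not code from the original article or from Proofpoint's analysis; it parses candidate lines and reports which addresses they disclose, which is the check a defender runs to see what a WebRTC leak test would show and whether the mDNS mitigation is active. The candidate lines are constructed sample data using documentation address ranges, so the script runs offline.

```javascript
// Added example: audit what WebRTC ICE candidates disclose about a client.
// Not from the original article; SAMPLE_CANDIDATES below are constructed.

// Pack a dotted IPv4 string into an unsigned integer; null if malformed.
function ip4ToInt(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// RFC 1918 private ranges as [network, prefixLength].
const PRIVATE_V4 = [
  [ip4ToInt('10.0.0.0'), 8],
  [ip4ToInt('172.16.0.0'), 12],
  [ip4ToInt('192.168.0.0'), 16],
];

function isPrivateV4(addr) {
  const n = ip4ToInt(addr);
  if (n === null) return false;
  return PRIVATE_V4.some(([net, bits]) =>
    Math.floor(n / 2 ** (32 - bits)) === Math.floor(net / 2 ** (32 - bits)));
}

// Parse one candidate in either SDP form ("a=candidate:...") or the form
// exposed by RTCIceCandidate.candidate ("candidate:..."); null if not one.
function parseCandidate(line) {
  const body = line.trim().replace(/^a=/, '');
  const m = body.match(/^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/);
  if (!m) return null;
  const [, foundation, component, transport, priority, address, port, type, rest] = m;
  const raddr = (rest.match(/ raddr (\S+)/) || [])[1] || null;
  return {
    foundation, component: Number(component), transport: transport.toLowerCase(),
    priority: Number(priority), address, port: Number(port), type, raddr,
  };
}

// Label every address a single candidate reveals about the client.
function disclosedAddresses(line) {
  const c = parseCandidate(line);
  if (!c) return [];
  const label = (addr, isRelayAddr) => {
    if (isRelayAddr) return 'relay';            // TURN server, not the client
    if (addr.endsWith('.local')) return 'mdns';  // LAN address hidden behind an mDNS name
    if (addr === '0.0.0.0') return null;         // placeholder, nothing disclosed
    return isPrivateV4(addr) ? 'local' : 'public';
  };
  const out = [];
  const a = label(c.address, c.type === 'relay');
  if (a) out.push({ address: c.address, kind: a, via: c.type });
  if (c.raddr) {
    const r = label(c.raddr, false);
    if (r) out.push({ address: c.raddr, kind: r, via: `${c.type} raddr` });
  }
  return out;
}

// Summarise a whole gathering session: which LAN and public addresses leaked,
// and how many host candidates were protected by mDNS obfuscation.
function auditCandidates(lines) {
  const local = new Set();
  const pub = new Set();
  let mdnsNames = 0;
  for (const line of lines) {
    for (const d of disclosedAddresses(line)) {
      if (d.kind === 'local') local.add(d.address);
      else if (d.kind === 'public') pub.add(d.address);
      else if (d.kind === 'mdns') mdnsNames++;
    }
  }
  return { localIps: [...local].sort(), publicIps: [...pub].sort(), mdnsNames };
}

// Constructed sample: one plain host candidate, one STUN-reflexive candidate,
// one mDNS-obfuscated host candidate and one TURN relay candidate.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.20 rport 54321 generation 0',
  'a=candidate:3 1 udp 2122260223 4f0b1e2a-7c5d-4a9e-8b12-0123456789ab.local 60000 typ host generation 0',
  'a=candidate:4 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 54321',
];

console.log(JSON.stringify(auditCandidates(SAMPLE_CANDIDATES), null, 2));
```

On the sample data the audit reports one LAN address (192.168.1.20, from the host candidate and again from the srflx raddr), one public address (203.0.113.7, the NAT's external address as seen by STUN) and one mDNS-protected host candidate. A browser that reports only mDNS names and no srflx candidate, or that is configured to disable non-proxied UDP, is not handing a page the information DNSChanger's reconnaissance stage relies on.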
Upon execution, the HTML code sends the victim back to the DNSChanger landing page, where multiple malicious functions are loaded, including one that extracts an Advanced Encryption Standard (AES) key hidden inside a small image. The kit uses this key to encrypt its traffic with DNSChanger, hiding the suspicious activity from network administrators, and to decrypt the router "fingerprints" and the associated commands used to attack the router.
Once the victim's browser reaches the router, the reconnaissance phase starts: the exploit kit collects the router's model, firmware version and other information and matches it against its stored router fingerprints. When this phase ends, the browser reports back to the DNSChanger server, which in turn returns detailed instructions for attacking that specific router.
Because the exploit runs on WebRTC in the victim's browser, it works regardless of the operating system and browser the victim uses. If the router has no known flaws, the attack attempts to log in with default credentials. If the router has known exploits, such as the recent Netgear vulnerability, the attack uses them to modify the DNS entries in the router.
Cybersecurity company Proofpoint, which discovered the new version of DNSChanger, reported in December 2016 that the exploit kit activity appears to have ceased. However, enterprises should still make sure their router firmware is updated, and that any default credentials have been changed.
Related Q&A from Judith Myerson