DNSChanger Exploit Kit Can Hijack over 160 Different Router Models

Internet users have yet another threat to worry about. DNSChanger, a new exploit kit being used to target over 160 different router models, is currently being spread through a dedicated malvertising campaign. Unlike what most people assumed at first, this kit does not hijack browsers but goes after the router itself. This is an unprecedented type of attack that has security researchers quite concerned.

DNSChanger Does Not Hijack Browsers

As one would expect from malware attack users at the router-level, there is hardly any major brand not susceptible to these attacks. NetGear, D-Link, and quite a few other companies all produce router hardware, most of which can be affected by this new exploit kit. At first, it was assumed that these malvertising distribution campaigns would hijack one’s browser, but it turns out that the consequences are far more worrisome.

This news comes on the heels of other exploits plaguing Netgear routes, although these are two separate threats. Gaining root access to a device controlling one’s entire internal network is very troublesome, yet there is nothing that the end user can do about these things right now. It is up to individual manufacturers to fix the vulnerabilities and push a mandatory update.

Getting infected with DNSChanger is not that difficult, unfortunately. Mainstream websites are unknowingly hosting malicious advertisements, which contain JavaScript code that reveals the visitor’s real IP address. This is achieved through a WebRTC Request, which is then broadcasted to a Mozilla STUN server.




Once the information (IP address and port of the client) is sent back from the STUN servers, it can be identified through the malicious JavaScript code. All an attacker needs is one’s local IP address to see if they are worth attacking. High-profile targets are served a malicious advertisement, whereas everyone else will see a normal one.

What is rather disconcerting is how DNSChanger uses Chrome to load different functions into a small image. Among these features are an AES Key, which is hidden in the picture through steganography. This key can cloak traffic and decrypt router fingerprints to see if the victim can be hijacked through the exploit kit.  This professional level of reconnaissance is rather disconcerting, and it shows how cybercriminals have stepped up their game in recent months.

Even though the Chrome browser is a big part of this malware scheme, the browser itself is never hijacked. It behaves correctly, yet it is used to determine vulnerabilities in the router. The browser does only what it always does, but the data stream coming back from the router is at risk. For now, it remains unclear how severe the consequences of these attacks will be.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.