Ad-Fraud Malware Hijacks Router DNS – Injects Ads Via Google Analytics
A Short History of Router DNS Hijacking
Subsequently there have been some excellent reports on these router DNS attacks from Sucuri, Kaspersky, and Malwarebytes, but despite the exposure the problem persists. In fact, router DNS hijacking has become so prevalent that if we look at D-Link router reviews on Amazon, the first one that appears is a complaint about the router being hacked and displaying popup ads.
Routers and DNS
DNS is like a telephone directory for the internet; you look up the name of the site you want to connect to and receive a number (an IP address) where you can reach it. For example, we can use DNS to look up the IP addresses assigned to the domain http://www.google.com. DNS replies with a list of IPs in the 126.96.36.199/24 range. If we select one of those IPs and connect to it, we will be connecting to a server that is hosting Google.
When one of these router DNS hijacks is successful, the DNS settings on the router are changed to point to a rogue DNS server controlled by the attackers. By default, most common operating systems (Windows, OS X, iOS, Android, Ubuntu) are configured to retrieve their DNS settings automatically from the router when they connect to a network (via DHCP). This means that when a device connects to a compromised router’s network, it will automatically be configured to use the same rogue DNS settings as the router.
If an attacker controls the DNS server you use to look up an IP, they can substitute the IP of a server under their control for the correct one. You then connect to that IP believing you are reaching a certain domain, when in fact you are connecting to a server controlled by the attacker.
Google Analytics is a service that provides the ability to track and analyze website traffic. Webmasters enable Google Analytics by embedding the analytics tag on their website.
Google Analytics is currently the most widely used traffic analytics service. Since this tag is embedded on the majority of websites that track traffic, it is a perfect target for the fraudsters to inject into.
Google Analytics Interception and Ad Injection
In the fraud scheme investigated by Ara Labs the criminals are using a rogue DNS server located at 188.8.131.52. During a successful router hijacking this DNS server is configured as the router’s primary DNS while Google’s DNS server (184.108.40.206) is configured as the secondary. The DNS server at 220.127.116.11 refuses to resolve most domains, forcing the victim to rely on the secondary DNS server (Google) for most domain lookups. However, when a lookup is attempted for the Google Analytics domain google-analytics.com, the rogue DNS server responds with the IP 18.104.22.168, which is most certainly NOT a Google server. It is a rogue Google Analytics server.
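The resolver behaviour described above (a primary that refuses almost everything so the stub resolver falls through to the honest secondary, except for the one domain the attacker wants to answer) is something a defender can probe for. The script below is an added example written for this article, not code from Ara Labs or from the report; it models the two resolvers as lookup tables filled with constructed placeholder addresses from the documentation ranges (203.0.113.0/24 and 198.51.100.0/24), so it runs offline. In a real audit you would replace the tables with live queries sent to each resolver handed out by the router's DHCP lease and compare the answers against prefixes you trust.

```python
"""Model the selective rogue-primary / honest-secondary resolver pattern and flag it."""
import ipaddress

# Constructed sample data, not measurements from the report.  Each table models what a
# configured resolver answers; a missing key models REFUSED/SERVFAIL (no usable answer).
ROGUE_PRIMARY = {
    "google-analytics.com": "203.0.113.10",   # placeholder for the rogue analytics host
}
HONEST_SECONDARY = {
    "google-analytics.com": "198.51.100.20",
    "www.google.com": "198.51.100.21",
    "example.com": "198.51.100.22",
    "shop.example": "198.51.100.23",
}

# Prefixes the defender trusts for domains worth pinning (constructed placeholders).
EXPECTED_PREFIXES = {
    "google-analytics.com": [ipaddress.ip_network("198.51.100.0/24")],
    "www.google.com": [ipaddress.ip_network("198.51.100.0/24")],
}

PROBE_DOMAINS = ["google-analytics.com", "www.google.com", "example.com", "shop.example"]


def resolve_with_fallback(domain, resolvers):
    """Model a stub resolver that walks its resolver list in order and takes the
    first usable answer.  Returns (ip, index_of_answering_resolver) or (None, None)."""
    for idx, table in enumerate(resolvers):
        ip = table.get(domain)
        if ip is not None:
            return ip, idx
    return None, None


def audit(domains, resolvers, expected, refusal_threshold=0.5):
    """Return a list of (indicator, detail) tuples describing hijack signs:
    - selective_resolver: a resolver refuses most probes yet answers a few domains
    - unexpected_answer:  the effective answer lies outside the trusted prefixes
    - unresolvable:       no configured resolver answered at all."""
    findings = []
    # Indicator 1: a resolver that only speaks up for a handful of names.
    for idx, table in enumerate(resolvers):
        answered = [d for d in domains if d in table]
        refused = len(domains) - len(answered)
        if domains and answered and refused / len(domains) >= refusal_threshold:
            findings.append(("selective_resolver",
                             f"resolver {idx} refuses {refused}/{len(domains)} probes "
                             f"but answers {sorted(answered)}"))
    # Indicator 2: the answer the client actually uses is not where it should be.
    for domain in domains:
        ip, idx = resolve_with_fallback(domain, resolvers)
        if ip is None:
            findings.append(("unresolvable", domain))
            continue
        prefixes = expected.get(domain)
        if prefixes and not any(ipaddress.ip_address(ip) in p for p in prefixes):
            findings.append(("unexpected_answer", f"{domain} -> {ip} via resolver {idx}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(PROBE_DOMAINS, [ROGUE_PRIMARY, HONEST_SECONDARY], EXPECTED_PREFIXES):
        print(f"[{kind}] {detail}")
```

Running it against the constructed tables reports the primary as a selective resolver (it answers 1 of 4 probes) and flags google-analytics.com resolving to the placeholder rogue address; the same audit with only the honest secondary configured returns no findings.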
Exchange Attribution – The Ad Suppliers
The other, more complex, script that is injected via the rogue Google Analytics server is heavily obfuscated to hide its intentions.
Once the script has been de-obfuscated it is clear that it’s responsible for injecting multiple ad tags into the websites that load it.
The following domains are identified as hosting the injected ad tags: zinzimo.info, ektezis.ru, and patifil.com. These are all shell domains that direct traffic to the PopUnder ad exchange. We can confirm this by examining the SSL certificates that have been issued to these domains.
PopUnder specializes in ads that disrupt the normal browsing of the user in an attempt to force them to click on the ad (i.e. pop-up ads). It is through this exchange that the majority of the explicit pornographic ads are sourced, as well as the online game ads displayed in the video we captured.
Protecting Yourself as a Consumer
As we have seen above, the router DNS hijacking malware takes advantage of default credentials on the routers, and of bugs that allow unauthenticated configuration requests to be sent to the routers. The best protection available is to ensure the firmware on your router is fully patched, and to change the default credentials.