Attacks on routers, malicious modifications to DNS addresses

Recent attacks on home routers are gaining strength. Yesterday we wrote about Moose (see: Worm Moose threatens routers and IoT equipment worldwide), which infects devices that expose an open telnet service to the "outside". Today we have information on an Exploit Kit (Sweet Orange), which is responsible for the first step in changing the DNS settings of the router.


French security researcher Kafeine of Malware don't need Coffee discovered a new Exploit Kit, which usually targets users of Chrome and Chromium. Malware on the computer may redirect the user to a malicious page, where a successful attack on the browser may change the DNS settings of the router.


The attack starts with the popular technique of malvertising, that is, malicious ads that redirect the victim to a page where the criminals use the Sweet Orange Exploit Kit and a drive-by download attack to force the browser to download malicious software.

What is an Exploit Kit?

An Exploit Kit is a set of tools that automates the exploitation of client-side vulnerabilities, forcing the browser to transparently download (drive-by download) a backdoor, spyware, Trojan or other malicious software. Exploit Kits most often target popular programs such as browsers and software from Adobe, Oracle and Microsoft. A key feature of Exploit Kits is that they are easy to use: people with no specialized knowledge of programming or security can take advantage of them. The attacker does not even need to know how to create an exploit, and benefits from a ready-made, friendly graphical user interface that helps keep track of the campaign.

The attack on routers

The French researcher discovered that criminals using Sweet Orange began attacking Windows computers on a massive scale by forcing the browser to perform an unauthorized action (a CSRF attack; see Sekurak.pl: What is a CSRF vulnerability?). At its "hottest" point, the malicious traffic in the criminal campaign reached about one million unique visitors.






The victims of the malicious campaign are most often users of Chrome and Chromium. In both these browsers, as well as in Firefox and many others, tools such as WebRTC-IPS can reveal local and public IP addresses. WebRTC-IPS allows browsers and mobile apps to communicate in real time via an API.


The websites involved are not always specially prepared for this type of operation. The attacks often involve random sites that have fallen victim to malvertising and unwittingly redirect their visitors to malicious sites. According to the Frenchman, the list of already infected routers is pretty big: from ASUS, BELKIN, D'LINK, EDIMAX, LINKSYS, NETGEAR and TRENDNET to ZYXEL.


Detailed list:

  • ASUS AC68U
  • ASUS ASUS ASUS & RTN10P & RTN56U-RTN66U & ASUS-RT56-66-10-12
  • Asus RTG32
  • BELK-PHILIPS (?)
  • BELKIN F5D7230 wireless-4
  • BELKIN F5D8236-4V2
  • BELKIN F9k1105V2
  • Belkin-F5D7231-4
  • BELKIN F5D7234-4
  • D'LINK DIR-600
  • D'LINK DIR-604
  • D'LINK DIR-645
  • D'LINK DIR-810L & DIR-826L & DIR-615 & DIR-651 & DIR-601 & WBR1310 & D2760
  • D'LINK DSLG604T
  • D'LINK-DIR-2740R
  • EDIMAX BR6208AC
  • LINKSYS BEFW11S4 V4
  • LINKSYS L120
  • LINKSYS WRT54GSV7
  • LINKSYS BEFW11S4-V4
  • LINKSYS-LWRT54GLV4
  • LINKSYS-WRT54GV8
  • LINKSYS-X 3000
  • LINSYS L000
  • Medialink WAPR300N
  • Microsoft MN-500
  • NETGEAR DGN1000B & DG834v3 & DGN2200
  • NETGEAR WNDR3400
  • NETGEAR DGN1000 NETGEAR DGN2200-&-
  • NETGEAR-WNR834Bv2
  • NETGEAR-WPN824v3
  • WF2414 A NETIS
  • WF2414 A Netis
  • TENDA 11N
  • TPLI ALL
  • TPLI-WR940N & WR941ND Wins & WR700
  • TRENDNET E300-150
  • Trip-TM01
  • Trip-TM04
  • Trendnet TW100S4W1CA
  • ZYXEL MVR102
  • ZYXEL NBG416
  • ZYXEL NBG334W-

In the attack, the primary DNS address is changed to 185[.]82[.]216[.]86 or 217[.]12[.]202[.]93, and the secondary always uses the DNS from Google. If you have not changed the default configuration of your router, now is a good time. Secure access to the configuration panel by changing the default login and password, and check the DNS addresses.
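One way to run the DNS check described above from a Windows computer, as an added example that is not part of the original article: it parses `ipconfig /all` output and flags the two rogue addresses named above, plus any resolver pair with the same shape (public non-Google primary, Google secondary). The function names, the `review` heuristic, the Google addresses 8.8.8.8 and 8.8.4.4, and the sample output are assumptions made for this example.

```python
import ipaddress
import re

# Rogue primary resolvers named in the article (printed there defanged).
ROGUE = ["185 [.] 82 [.] 216 [.] 86", "217[.]12[.]202[.]93"]
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}  # assumption: Google Public DNS (IPv4)

def refang(indicator):
    """'185 [.] 82 [.] 216 [.] 86' -> '185.82.216.86'."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator.strip())

ROGUE_SET = {refang(i) for i in ROGUE}

def dns_by_adapter(ipconfig_text):
    """Map adapter name -> ordered DNS servers from `ipconfig /all` text."""
    result, servers, in_dns = {}, [], False
    for line in ipconfig_text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):  # "... adapter X:"
            servers, in_dns = result.setdefault(line.rstrip().rstrip(":"), []), False
        elif m := re.match(r"\s+DNS Servers[ .]*:\s*(\S+)\s*$", line):
            servers.append(m.group(1))
            in_dns = True
        elif in_dns and (m := re.match(r"\s+(\S+)\s*$", line)):
            servers.append(m.group(1))  # continuation line: address only
        else:
            in_dns = False
    return result

def assess(servers):
    """'rogue': article IoC; 'review': public non-Google primary + Google secondary."""
    if ROGUE_SET.intersection(servers):
        return "rogue"
    if len(servers) >= 2 and servers[1] in GOOGLE_DNS and servers[0] not in GOOGLE_DNS:
        try:
            if ipaddress.ip_address(servers[0]).is_global:
                return "review"
        except ValueError:  # scoped IPv6 or unparsable token
            pass
    return "ok"

# Constructed sample of `ipconfig /all` output (English locale), not real data.
SAMPLE = f"""Ethernet adapter Ethernet:
   DNS Servers . . . . . . . . . . . : {refang(ROGUE[0])}
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
```

A computer that receives the router's own LAN address as its resolver will report `ok` even when the router is affected, so the DNS page in the router's configuration panel still has to be checked by hand.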


