Router and DNS Hijacking Malware: What You Need to Know

After a number of emergency responses in the last couple of months, coupled with the recent news of malware variants targeting the DNS settings of home and business routers, it is perhaps a good time to reflect on the impact of such attacks and explain briefly how they work.

DNS is one of the lifeblood protocols of the Internet. At its most basic, it maps human-readable names to IP addresses. A DNS server holds large numbers of these mappings and is generally trusted by network devices and users alike.

Details of the local network's preferred DNS server(s) are, in home networks in particular, usually handed out by the router via DHCP when a device first connects to the network. Alternatively, they can be set manually within the operating system at a later date on an individual basis.

What has become increasingly popular (although by no means new) is the hijacking of a given system's DNS settings in order to redirect unsuspecting users who are browsing to legitimate sites to an alternative, malicious host.

DNS servers themselves can be standalone local network services or, more commonly in home setups, resolution is outsourced to “trusted” upstream DNS servers such as the ISP's own DNS servers or those of a trusted third party, such as Google's at IP address 8.8.8.8.

If an attacker were to hijack a device that provides DNS information to network clients (a home router, for example), they would be able to control which DNS servers are used by every device connected to that network.

As an example, on a legitimate DNS server the host name cnsgroup.co.uk may well point to the IP address 12.34.56.78. A malicious DNS server could hold an entry for the same hostname that resolves to a completely unrelated IP address, so browsing to cnsgroup.co.uk from a compromised machine may instead direct you to a host at 87.65.43.21 and, of course, to whatever content that host serves up. That content could be a clone of the legitimate website or an entirely different malicious website altogether, aimed at performing any number of nefarious actions.

Either way, a user whose DNS settings point at the malicious DNS server would be redirected to a location they were not expecting, or to a location that looks similar to the one they were expecting and which, for example, could conveniently ask them to “log in again because your session has timed out”.

It was noted recently that malware dubbed Roaming Mantis was targeting various routers; one manufacturer of particular note was Draytek, a large Taiwanese network device manufacturer.

The malware targets what was, at the time, a zero-day flaw in the devices' firmware, allowing it to reset the DNS settings on the target routers. More worryingly, this affects a large number of routers, including those aimed at home use. The published list includes the following models:

  • Vigor2133, version 3.8.8.2
  • Vigor2120, version 3.8.8.2
  • Vigor2760D, version 3.8.8.2
  • Vigor2762, version 3.8.8.2
  • Vigor2832, version 3.8.8.2
  • Vigor2860, version 3.8.8
  • Vigor2862, version 3.8.8.2
  • Vigor2862B, version 3.8.8.2
  • Vigor2912, version 3.8.8.2
  • Vigor2925, version 3.8.8.2
  • Vigor2926, version 3.8.8.2
  • Vigor2952, version 3.8.8.2
  • Vigor3200, version 3.8.8.2
  • Vigor3220, version 3.8.8.2
  • VigorBX2000, version 3.8.1.9
  • Vigor2830nv2, version 3.8.8.2
  • Vigor2830, version 3.8.8.2
  • Vigor2850, version 3.8.8.2
  • Vigor2920, version 3.8.8.2
  • Vigor2700, version 2.8.6
  • Vigor2700ge, version 2.8.6
  • Vigor2820, version 3.7.2
  • Vigor120_V2, version 3.7.2
  • Vigor2110, version 3.7.2
  • Vigor2710, version 3.7.2
  • Vigor2710e, version 3.7.2
  • Vigor2710ne, version 3.7.2

To quickly sum up the unaffected devices in the product range as well: VigorAP wireless access points, VigorSwitch network switches, and the Vigor 2950, 2955, 2960, 3900 and 3300 routers all remain unaffected.

The manufacturer advised users to check their router's DNS settings to ensure they are set correctly. The following rogue DNS server was identified as being in widespread use by the malware: 38.134.121.95, although one should note this is unlikely to be the be-all and end-all.

Draytek released a firmware upgrade to address the vulnerability, along with the advice to use reputable DNS servers such as Google's (8.8.8.8) or other trusted external DNS servers.
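As an added example (not part of the original post or of DrayTek's advice), the check above can be automated on a client: the script below reads the resolvers a machine has actually been handed, both from a resolv.conf-style file and from the DNS option of a raw DHCP offer, and compares them against a trusted list and the rogue address quoted above. The extra trusted addresses (8.8.4.4, 1.1.1.1) and the sample inputs are assumptions constructed for illustration.

```python
import ipaddress
# Expected resolvers: 8.8.8.8 is named in the post; the other two are assumed examples.
TRUSTED = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}
# Indicator quoted in the advisory; the post warns this list is unlikely to be complete.
KNOWN_ROGUE = {"38.134.121.95": "rogue resolver used by the Roaming Mantis campaign"}

def parse_resolv_conf(text):
    """Return the nameserver IPs from a resolv.conf-style text (what the OS really uses)."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()      # drop comments, tokenise
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def parse_dhcp_dns_option(options):
    """Return DNS servers from raw DHCP options bytes (RFC 2132 TLV, option 6)."""
    servers, i = [], 0
    while i < len(options) and options[i] != 255:   # 255 = END marker
        if options[i] == 0:                          # 0 = PAD, carries no length byte
            i += 1
            continue
        code, length = options[i], options[i + 1]
        value = options[i + 2:i + 2 + length]
        if code == 6:                                # Domain Name Server: 4-byte IPv4s
            for off in range(0, length - length % 4, 4):
                servers.append(str(ipaddress.IPv4Address(value[off:off + 4])))
        i += 2 + length
    return servers

def audit(servers):
    """Classify each resolver. LOCAL means the router resolves for you: check its upstream DNS too."""
    report = []
    for s in servers:
        if s in KNOWN_ROGUE:
            report.append((s, "ROGUE", KNOWN_ROGUE[s]))
        elif s in TRUSTED:
            report.append((s, "OK", "on trusted list"))
        elif ipaddress.ip_address(s).is_private:
            report.append((s, "LOCAL", "router/local resolver; verify its upstream DNS setting"))
        else:
            report.append((s, "SUSPECT", "unknown public resolver; verify against router config"))
    return report

if __name__ == "__main__":
    # Constructed samples: OS pointing at its router; DHCP OFFER whose option 6 hands out the rogue resolver then 8.8.8.8.
    RESOLV_CONF = "# generated by dhcp\nnameserver 192.168.1.1\n"
    DHCP_OPTS = bytes([53, 1, 2, 6, 8, 38, 134, 121, 95, 8, 8, 8, 8, 255])
    for ip, verdict, why in audit(parse_resolv_conf(RESOLV_CONF) + parse_dhcp_dns_option(DHCP_OPTS)):
        print(f"{ip:16} {verdict:8} {why}")
```

A LOCAL verdict is the common home case: the router answers DNS itself, so the hijack shows up only in the router's own upstream DNS setting, which is exactly what the advisory asks users to inspect.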

Further advice can be found on the manufacturer's website as well:

https://www.draytek.co.uk/support/security-advisories/kb-advisory-csrf-and-dns-dhcp-web-attacks

It is also worth noting the number of devices involved here: a quick Shodan search this morning for interfaces with “Vigor” in the headers reveals ~767k devices, with the UK by far the location with the highest concentration of Draytek Vigor devices. A quick look at the organisations relating to hosts within this search reveals the following, which explains that figure nicely:

  • BT - 71,726
  • T-Mobile Thuis BV - 43,350
  • HiNet - 43,047
  • Vietnam Posts and Telecommunications (VNPT) - 40,269
  • T-Mobile Thuis B.V. - 32,891


Author: Andy Swift - Head of Testing at CNS Group

Andy Swift is Head of Testing at CNS Group and has written countless articles on information security. He has a particular speciality in malware and virus analysis. Andy holds Global Industrial Cyber Security Professional (GICSP) status, certifying his expertise in ICS Security Essentials for Engineering, Operating Technology and Cyber.