Malware that hijacks router DNS settings is not new. However, exploits developed in recent years that enable hijacking through the use of Javascript alone are making this a widespread problem. Sentrant has uncovered a new ad-fraud scheme where fraudsters are using hijacked router DNS settings to intercept Google Analytics tags and replace them with pornography and other ads. For victims whose router has been compromised, this has the effect of injecting ads and pornography into every site they browse that uses Google Analytics. In this article, we will expose the fraud scheme and explain how you can protect yourself.

A Short History of Router DNS Hijacking

Malware that changes router DNS settings has been around for a while. In 2013 Team-Cymru published an excellent paper detailing some of these attacks. In 2014 other attacks were documented that used Javascript to guess default router authentication credentials and change the router’s DNS. These scripts are now common, some taking advantage of newly found router exploits and others simply attempting to guess default credentials.

Subsequently there have been some excellent reports on these router DNS attacks from Sucuri, Kaspersky, and Malwarebytes, but despite the exposure the problem persists. In fact, router DNS hijacking has become so prevalent that if we look at D-Link router reviews on Amazon, the first one that pops up is a complaint about the router being hacked and displaying popup ads.

Routers and DNS

DNS is like a telephone directory for the internet; you look up the name of the site you want to connect to and receive a number (IP) where you can reach it. For example, we can use DNS to look up the IP addresses that are assigned to the domain www.google.com. DNS replies with a list of IPs in the 173.194.43.0/24 range. If we select one of those IPs and connect to it, we will be connecting to a server that is hosting Google.

When one of these router DNS hijacks is successful, the DNS settings on the router are changed to point to a rogue DNS server controlled by the attackers. By default, most common operating systems (Windows, OS X, iOS, Android, Ubuntu) are configured to automatically retrieve their DNS settings from the router when they connect to a network (via DHCP). This means that when a device connects to a compromised router's network it will be automatically configured to use the same rogue DNS settings as the router.

If an attacker controls the DNS server that you are using to look up an IP, they can replace the correct IP with the IP of a server that is under their control. You might then connect to this IP thinking that you are connecting to a certain domain when in fact you are connecting to a server controlled by the attacker.

Google Analytics

Google Analytics is a service that provides the ability to track and analyze website traffic. Webmasters enable Google Analytics by embedding the analytics tag on their website.

When a viewer loads the webpage the Google Analytics tag downloads and runs some Javascript which reports the view. The webmaster can then log into their Google Analytics account and get reports on their site’s traffic.

Google Analytics is currently the most widely used traffic analytics service. Since this tag is embedded on the majority of websites that track traffic, it is a perfect target for the fraudsters to inject into.

Google Analytics Interception and Ad Injection

In previous cases of router DNS hijacking the criminals have used the rogue DNS server to spoof the location of banking websites in an attempt to intercept banking traffic. In this case, the fraudsters are using the hijacked DNS to intercept requests to the google-analytics.com domain, then directing the victim to a fake Google Analytics site. When the victim requests the Google Analytics javascript from the fake site they are served malicious Javascript that injects ads into the site they are browsing. This is not a vulnerability in Google Analytics itself; the service was simply targeted due to its widespread use.

In the fraud scheme investigated by the Sentrant team the criminals are using a rogue DNS server located at 91.194.254.105. During a successful router hijacking this DNS server is configured as the router's primary DNS while Google's DNS server (8.8.8.8) is configured as the secondary. The DNS server at 91.194.254.105 refuses to resolve most domains, forcing the victim to rely on the secondary DNS server (Google) for most domain lookups. However, when a lookup is attempted for the Google Analytics domain google-analytics.com, the rogue DNS server responds with the IP 195.238.181.169, which is most certainly NOT a Google server. It is a rogue Google Analytics server.

When the victim browses to a site that is using Google Analytics and attempts to retrieve the standard Google Analytics scripts from 195.238.181.169, the rogue server responds with malicious Javascript that injects ads into the website that is hosting the Google Analytics tag. Sometimes the malicious Javascript is bundled inside an altered version of the Google Analytics script to help disguise it.
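As an added example (not code from the article or from Sentrant), the following offline Python check models the resolver behaviour described in the DNS and Google Analytics sections above: a resolver that refuses most names but answers google-analytics.com with an address outside Google's ranges. The "expected" range 173.194.0.0/16, the refused domain example.com, and the wire-format responses are constructed assumptions for illustration, not captures; only 195.238.181.169 comes from the article.

```python
import struct
from ipaddress import ip_address, ip_network
EXPECTED_NETS = [ip_network("173.194.0.0/16")]  # assumed legitimate range for illustration only
RCODE_REFUSED = 5

def build_response(name, rcode=0, answers=()):
    """Minimal DNS response: one A/IN question, then A records that point back to the QNAME at offset 12."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ip_address(ip).packed for ip in answers)
    return header + question + rrs

def _skip_name(pkt, off):
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:  # a two-byte compression pointer ends the name
            return off + 2
        off += pkt[off] + 1
    return off + 1

def parse_a_records(pkt):
    """Return (rcode, [IPv4 strings]) from the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, ips = 12, []
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(str(ip_address(pkt[off + 10:off + 14])))
        off += 10 + rdlen
    return flags & 0x0F, ips

def profile_resolver(responses):
    """Flag the pattern described above: most names REFUSED, google-analytics.com answered outside Google's ranges."""
    report = {"refused": [], "rogue": {}}
    for name, pkt in responses.items():
        rcode, ips = parse_a_records(pkt)
        if rcode == RCODE_REFUSED:
            report["refused"].append(name)
        elif name == "google-analytics.com":
            bad = [ip for ip in ips if not any(ip_address(ip) in net for net in EXPECTED_NETS)]
            report["rogue"].update({name: bad} if bad else {})
    return report

# Constructed sample of what the rogue resolver is described as returning (not a capture from the article).
SAMPLE = {"example.com": build_response("example.com", rcode=RCODE_REFUSED),
          "google-analytics.com": build_response("google-analytics.com", answers=["195.238.181.169"])}
```

Running `profile_resolver(SAMPLE)` reports example.com as refused and google-analytics.com as answered with 195.238.181.169; pointing the same check at a trusted resolver such as 8.8.8.8 gives a baseline to compare against.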

Exchange Attribution – The Ad Suppliers

The malicious Javascript that is served by the rogue Google Analytics server alternates between a simple iframe injection script and a more complex script that injects multiple ad tags. In the section above we have shown the simple iframe injection script. The first two iframes in the script load pornographic websites directly: adultyum.info and adultcameras.info. We have redacted the domain injected in the third iframe as it is part of an ongoing investigation.

The other, more complex, script that is injected via the rogue Google Analytics server is heavily obfuscated to hide its intentions.

Once the script has been de-obfuscated it is clear that it’s responsible for injecting multiple ad tags into the websites that load it.

The following domains are identified as hosting the injected ad tags: zinzimo.info, ektezis.ru, and patifil.com. These are all shell domains that direct traffic to the PopUnder ad exchange. We can confirm this by examining the SSL certificates that have been issued to these domains.

PopUnder specializes in ads that disrupt the normal browsing of the user in an attempt to force them to click on the ad (i.e. pop-up ads). It is through this exchange that the majority of the explicit pornographic ads are sourced, as well as the online game ads displayed in the video we captured.

Protecting Yourself as a Consumer

As we have seen above, the router DNS hijacking malware takes advantage of default credentials on the routers and of bugs that allow unauthenticated configuration requests to be sent to the routers. The best protection available is to ensure the firmware on your router is fully patched, and to change the default credentials.

Protecting Yourself as an Advertiser

Unfortunately, as we identified in our analysis above, some of the traffic sourced by these exchanges comes from iframes that are injected into websites viewed through routers with hijacked DNS settings. As an advertiser you don't want your ads being pushed through hacked routers, nor do you want your ads displayed on publishers' sites that source traffic through hacked routers.

Due to the nature of this scheme there is no technology that is going to detect this automatically; you need to rely on intelligence. Here at Sentrant our bot detection platform is driven by the intelligence we develop. We identify, investigate, and track these fraud schemes and the exchanges, publishers, and ad networks who support them. We deliver an intelligence product that allows you to make informed decisions about where to place your ads. If you would like to know more, feel free to contact us.