Christmas is just around the corner and the seasonal sales are about to start; at the same time, a new piece of malware has gone live.
The figure below shows the traffic captured by the researchers.
The name DNSChanger may ring a bell: in 2012 this malware infected millions of computers around the world.
Recently, researchers at Proofpoint discovered an upgraded DNSChanger EK (exploit kit) that spreads through malicious advertising. After a user's device is infected, the kit modifies the DNS server entries on the home router so that they point to a malicious DNS server controlled by the attacker. From then on, when the user tries to visit a web page, the rogue DNS server can send them to a phishing site instead; the attacker can also inject advertisements, redirect search results, or plant malicious code on web pages.
According to the Proofpoint report, the upgraded DNSChanger EK has been active since late October and is tied to a recent series of malvertising campaigns. DNSChanger EK attacks routers through the user's browser: it exploits neither browser nor device vulnerabilities but vulnerabilities in home routers, and it appears to bundle a large number of known router exploits. The attacks are generally launched through the Chrome browser on Windows desktops and Android devices. Once the router has been compromised, however, every user connected to it, whatever their operating system or browser, is exposed to further attacks.
The router attacks by DNSChanger EK appear to be linked to several recent waves of malvertising. After analyzing the attack pattern and infection chain, the researchers concluded that the activity is the work of the same attacker (or group) behind the “CSRF Soho Pharming” campaign that appeared in the first half of 2015.
Compared with the 2015 campaign, however, the researchers noted several new features in the latest wave:
1. External DNS resolution of internal addresses.
2. Steganography is used to hide:
   1) the AES key used to decrypt the list of fingerprints, default credentials and local resolutions;
   2) the deployment of the commands aimed at the targeted router.
3. More than ten new router exploits: there are now 166 fingerprints, some of which cover several router models, compared with only 55 fingerprints in 2015. For example, the exploit for the “Comtrend ADSL Router CT-5367/5624” appeared only a few weeks earlier (September 13, 2016), while the campaign began around October 28.
4. In 36 cases the exploit kit modifies the network rules so that the administration port becomes reachable from external addresses, leaving the router open to further attacks such as infection by the Mirai botnet.
5. Android devices have also become a vector for these attacks.
Attack chain:
The attacker uses malicious advertisements placed on legitimate websites to reach into the user's network.
The complete attack process is shown in the figure:
The figure below shows the traffic captured by the researchers.
Attack analysis:
When a user clicks a malicious ad on a desktop or mobile device, traffic is sent to the DNSChanger EK.
DNSChanger EK sends a WebRTC request to a Mozilla STUN server via stun.services.mozilla[.]com to obtain the user's local IP address. If the user's public IP address is already known, or their local IP is not in the targeted range, the user is shown a legitimate advertisement from a third-party ad network. Otherwise the user is shown a malicious ad. JavaScript extracts HTML code from the comment field of a PNG file and redirects the user to a page hosting DNSChanger EK. Note that image (1) in the figure below is a fake ad, and that it is not a .jpg file but a PNG file.
DNSChanger EK checks the user's local IP address once more with a STUN request. It then loads several functions and uses steganography to hide an AES key in a small image.
This key is used to decrypt a fingerprint list which, after duplicates are removed, contains 129 entries (the full list is given in the appendix).
The user's browser then tries to locate and identify the router on the network (figure above). After running its search functions, the browser reports back to DNSChanger EK, which in turn returns instructions to the browser to attack the router.
The specific router model found during the browser's search determines how the attack proceeds: if no exploit is available, default login credentials are tried (such as admin:admin, admin:1234, admin:password, admin:12345); if an exploit is available, the DNS entries on the router are modified and, where possible (36 of the 129 fingerprints allow it), the administration port is opened to external addresses, which can expose the router to further attacks such as infection by the Mirai botnet.
After infection:
The researchers note that the purpose of this kind of router DNS modification is usually hard to pin down, but in this case they identified at least one motive. By comparing DNS resolutions from a trusted public DNS server with those of the rogue server described above, they found that the attacker's main goal is to steal traffic from several large web advertising companies.
The attacker forces the corresponding domains to resolve to 193.238.153[.]10 or 46.166.160[.]187. Depending on the domain, the attacker may alter the advertising behaviour, modify the target site (for example, so that clicking anywhere on the page opens a pop-up), or replace the original ad.
During the investigation, the researchers found that the traffic was being redirected to Fogzy (a.rfgsi[.]com) and TrafficBroker; they contacted these organizations to obtain more information and to inform them that traffic on their networks was being stolen.
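As an added example (not code from the original report or this post), the check below mirrors the comparison the researchers describe: answers from the router's resolver are checked against a trusted resolver, and any public hostname that resolves to a LAN address (the "external DNS resolution of internal addresses" noted above) or to one of the two substitution IPs from this section is flagged. The hostnames and the trusted answers are constructed; only the two substitution IPs come from the text.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed sample data (not from the original report): A-record answers for
# each hostname as seen from the LAN resolver (the router) and from a trusted
# public resolver.
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "ads.publisher.example": {"203.0.113.20"},
    "www.bank.example": {"198.51.100.7"},
    "pix1.tracker.example": {"203.0.113.99"},
}
ROUTER_ANSWERS: Dict[str, Set[str]] = {
    "ads.publisher.example": {"193.238.153.10"},  # substitution IP named in the report
    "www.bank.example": {"198.51.100.7"},
    "pix1.tracker.example": {"192.168.1.1"},      # public name answered with a LAN address
}
# Substitution addresses the report attributes to the hijacked ad traffic.
KNOWN_SUBSTITUTION_IPS = {"193.238.153.10", "46.166.160.187"}
# RFC 1918 plus loopback and link-local: no public hostname should resolve here.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)

def audit_resolutions(router: Dict[str, Set[str]],
                      trusted: Dict[str, Set[str]],
                      known_bad: Iterable[str] = ()) -> List[str]:
    """One finding per suspicious answer from the router-side resolver:
    (1) a public hostname resolving to a LAN address (the kit's "external DNS
    resolution of internal addresses"); (2) an answer equal to a known
    substitution IP; (3) any divergence from the trusted resolver."""
    bad = set(known_bad)
    findings: List[str] = []
    for name, answers in sorted(router.items()):
        for ip in sorted(answers):
            if is_internal(ip):
                findings.append(f"{name}: resolves to LAN address {ip}")
            if ip in bad:
                findings.append(f"{name}: resolves to known substitution IP {ip}")
        expected = trusted.get(name)
        if expected is not None and answers != expected:
            findings.append(f"{name}: router {sorted(answers)} != trusted {sorted(expected)}")
    return findings

if __name__ == "__main__":
    for line in audit_resolutions(ROUTER_ANSWERS, TRUSTED_ANSWERS, KNOWN_SUBSTITUTION_IPS):
        print(line)
```

To run it against a real LAN, replace ROUTER_ANSWERS with answers gathered from the router's resolver and TRUSTED_ANSWERS with answers from a public resolver for the same names.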
Scope of impact
Because the researchers could not obtain a mapping between the fingerprint data seen on the victim side and the corresponding routers, they cannot provide a complete list of the routers affected by this threat. But since the kit bundles all known exploits, they recommend that users update every router to the latest available firmware.
The researchers found that at least the following routers are affected:
- D-Link DSL-2740R
- COMTREND ADSL Router CT-5367 C01_R12
- NetGear WNDR3400v3 (and likely other models in this series)
- Pirelli ADSL2/2+ Wireless Router P.DGA4001N
- Netgear R6200
In addition, 0-day exploits were recently disclosed for Netgear's R7000, R6400 and other models. Proofpoint specifically checked DNSChanger for fingerprints related to these models but, as of December 12, 2016, had found none. The researchers nevertheless advise users to follow the US-CERT advice and disable the web server on the affected Netgear routers, because they expect the 0-day exploits to be added to DNSChanger EK before long. Netgear has also released several beta firmware versions for the disclosed vulnerabilities, which users can download and install.
In many cases, simply disabling remote administration on a home router improves its security. In this case, however, the attacker operates from the wired or wireless connection of a device that is already inside the network, so the router's settings can be modified even if remote administration is not enabled.
Mitigation
Unfortunately there is no simple way to defend against this kind of attack at present. The best available mitigation is to update the router to the latest firmware. Changing the default local IP address range may also offer some protection. Browser extensions that block advertisements can help as well, since these attacks begin with a malicious ad.
Conclusion
When an attacker controls the DNS server of a network, the devices on that network are exposed to a wide range of attacks, including banking fraud, man-in-the-middle attacks, phishing, ad fraud and more. In this case, DNSChanger EK lets the attacker take over the only DNS server in the home network, the Internet router itself. In general, preventing attacks of this kind requires router manufacturers to patch their firmware regularly and users to apply those updates promptly.
Appendix
IoC:
Selected ET signatures:
Fingerprint list:
Original article by 奋斗; when reposting, please credit the source: https://blog.ytso.com/55272.html