11 Apr 2016

Mobile Devices Used to Execute DNS Malware Against Home Routers

Attacks against home routers have been going around for years—from malware that rigs routers to DNS rebinding attacks and backdoors, among others. Just last year one of our researchers reported a Domain Name System (DNS) changer malware that redirected users to malicious pages when they visited specific websites. This enabled cyber crooks to get hold of the victims’ online credentials, such as passwords and PINs.

We recently came across an attack that proves how the Internet of Things (IoT) can be an entry point for cybercriminal activities. This attack, which has been going on since December 2015, requires users to access malicious websites hosting the JavaScript via their mobile devices. Accessing these sites via mobile devices enables the JavaScript to download another JavaScript with DNS-changing routines.
Detected as JS_JITON, this JavaScript can be downloaded whether users are accessing compromised websites via their computers or mobile devices. However, the infection chain differs depending on the medium employed by users. For instance, JS_JITON downloads JS_JITONDNS, which only infects mobile devices and triggers the DNS-changing routine. JITON only exploits the vulnerability if the affected users have ZTE modems.
Figure 1: The number of detections for JS_JITON (Jan 5, 2016 – April 4, 2016)
Figure 2: Malicious obfuscated JavaScript hosted on the legitimate websites
Looking through the code, we found mentions of well-known router manufacturers: D-Link, TP-LINK, and ZTE. TP-LINK accounts for 28% of router sales, making it the top router manufacturer for Q1 2015. D-Link is also included in the top 10 with its 7% market share. Given that these brands have significant market share globally, it’s no surprise that cybercriminals appear to target them.
Although the attack employed compromised websites in certain countries in Asia and in Russia, it affected various countries globally. Based on our Smart Protection Network data, the top countries affected are Taiwan, Japan, China, the United States, and France. Router makers D-Link and TP-Link are Taiwanese and Chinese brands respectively, which may account for the high percentage of affected users in those countries.
Figure 3: Top 10 countries affected by JS_JITON in the past 3 months
The cybercriminals behind this incident employ evasive mechanisms to stay off the radar and continue their attack without rousing any suspicion from affected users. Such tactics include regularly updating the JavaScript code to fix errors and constantly changing the targeted home routers. The compromised websites are difficult to pinpoint due to the lack of any suspicious behavior. We also observed during the course of our investigation that the script had a keylogging function that allowed this threat to gather typed content on specific sites. However, as of this writing, this function has already been removed.
Digging through the code
These malicious JavaScripts contain more than 1,400 combinations of login information. Using these lists of commonly used passwords, the DNS settings of the home routers can be overwritten. Most of the lists, however, have been commented out, meaning they do not run. As such, the number of affected routers may be limited. Certain scripts contain code that can overwrite DNS settings via the CVE-2014-2321 vulnerability in ZTE devices. When successfully exploited, attackers can remotely send arbitrary commands with admin privileges.
It should be noted that these DNS settings can be overwritten only when users access the compromised websites through their mobile devices. Aside from this, the code is commented out and does not run properly when executed. While we do not know the exact motivation behind the addition of such features in the first place, we can surmise that it is due to the proliferation and increased use of mobile devices. There is also the possibility that these features are being used for testing purposes, since these scripts are updated regularly.
Figure 4: The list of log-in IDs and passwords
Figure 5: Part of the scripts that modify the DNS settings via the CVE-2014-2321 vulnerability
Awareness is key in the age of digitalization
Threats against home routers will likely proliferate, especially in the age of the digitalization of devices. Although IoT has benefits, it also introduces security and privacy-related risks to users of home routers. In this case, we saw how attackers leveraged security gaps that may lead to information theft.
Users can arm themselves against such risks by taking the following security measures:
  • Keep the firmware of devices such as routers up to date with the latest patches
  • Avoid using default IDs and passwords
Oftentimes, people overlook the importance of keeping firmware updated. Administrative devices, especially in the age of IoT, are vulnerable to attacks that may pose risks to both user privacy and security. It is best to know how these smart devices operate and what kind of personally identifiable information they may collect. Knowing how secure smart devices are and the types of security risks using them may entail is one of the means of protecting yourself and your data against threats like JITON.
Trend Micro endpoint solutions such as Trend Micro Security, Smart Protection Suites, and Worry-Free Business Security can protect users and businesses from this threat by blocking all related malicious URLs and detecting the malicious files. Trend Micro Mobile Security Personal Edition and Mobile Security Solutions also block all related malicious URLs used in this attack.
Indicators of Compromise