Router and DNS hijacking malware: CNS Group explains what you need to know

After a number of emergency responses in the last couple of months, coupled with recent news of malware variants targeting the DNS settings of home and business routers, it is perhaps a good time to reflect on the impact of such attacks and explain briefly how they work.

DNS is one of the lifeblood protocols of the Internet: at its most basic, it maps human-readable names to IP addresses. In short, a DNS server holds large numbers of these mappings and is generally trusted by network devices and users alike.

Details of the local network's preferred DNS server(s) (in home networks in particular) are often handed out by the router via DHCP when a device first connects to the network. Alternatively, they can be set manually within the operating system on an individual basis at a later date.

What has become increasingly popular (although nothing new) is hijacking a given system's DNS settings in order to redirect unsuspecting users who are browsing to legitimate sites to an alternative, malicious host.

DNS servers themselves can be standalone services on the local network or, more commonly in home setups, lookups are forwarded to “trusted” upstream DNS servers such as the ISP's own DNS servers or those of a trusted third party, such as Google's at IP address 8.8.8.8.

If an attacker were to hijack a device that provides DNS information to network clients (such as a home router), they would be able to control which DNS servers are used by the devices connected to that network.

As an example, on a legitimate DNS server the host name cnsgroup.co.uk may point to the IP address 12.34.56.78. A malicious DNS server could carry an entry for that hostname pointing to a completely unrelated IP address, so browsing to cnsgroup.co.uk on a compromised machine may instead take you to a host at IP address 87.65.43.21 and, of course, to whatever content that host serves. That content could be a clone of the legitimate website or an entirely different malicious site aimed at performing any number of nefarious actions.

Either way, a user whose DNS settings point at the malicious DNS server would be redirected to a location they were not expecting, or to one that looks similar to the one they were expecting, which, for example, could conveniently ask the user to “log in again because your session has timed out.”
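As an added example (not code from CNS Group's article), here are the two client-side checks the scenario above implies, in Python: flag any resolver a client has been handed that is not on an allowlist, and compare the answers the configured resolver gives against a known-good resolver. The resolv.conf text, the allowlist and the answer tables are constructed sample data; the hijacked answer mirrors the article's 87.65.43.21 example.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample: resolver config a client might hold after a rogue DHCP lease.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.53
search home.lan
"""

# Resolvers the defender expects to see: the router itself and Google's (constructed allowlist).
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Constructed answer tables standing in for real lookups against each resolver.
TRUSTED_ANSWERS = {"cnsgroup.co.uk": "12.34.56.78", "example.net": "198.51.100.7"}
CONFIGURED_ANSWERS = {"cnsgroup.co.uk": "87.65.43.21", "example.net": "198.51.100.7"}

def parse_resolvers(resolv_conf: str) -> List[str]:
    """Return the nameserver IPs from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def unexpected_resolvers(resolv_conf: str, allowlist=EXPECTED_RESOLVERS) -> List[str]:
    """Nameservers the client was handed that are not on the allowlist."""
    return [s for s in parse_resolvers(resolv_conf) if s not in allowlist]

def divergent_answers(hosts, configured: Callable[[str], str],
                      trusted: Callable[[str], str]) -> Dict[str, Tuple[str, str]]:
    """Resolve each host through both resolvers and report differing answers as (seen, expected)."""
    findings = {}
    for host in hosts:
        seen, expected = configured(host), trusted(host)
        if seen != expected:
            findings[host] = (seen, expected)
    return findings

def run_checks() -> Dict[str, object]:
    """Run both checks over the constructed data; in production, swap the dict
    lookups for real queries sent to the configured and a known-good resolver."""
    return {
        "unexpected_resolvers": unexpected_resolvers(SAMPLE_RESOLV_CONF),
        "divergent_answers": divergent_answers(
            TRUSTED_ANSWERS, CONFIGURED_ANSWERS.get, TRUSTED_ANSWERS.get),
    }
```

A non-empty result from either check is a prompt to inspect the router's DHCP and DNS settings, since a single rogue upstream resolver can poison every lookup on the network.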

It was noted recently that malware dubbed Roaming Mantis was targeting various routers; one manufacturer of note was Draytek, a large Taiwanese network device manufacturer.

To read more, visit CNS Group's article.
