JS_JITON
Threat Scorecard
Threat Level: 90% (High)
Infected Computers: 5
First Seen: April 12, 2016
Last Seen: September 29, 2019
OS(es) Affected: Windows
Threats designed to attack home routers are not new. There are numerous ways in which home routers may be targeted to force computer users to visit certain websites or to create backdoors into the victim's computers or networks. One of the most common is changing the router's DNS (Domain Name System) settings to force computer users to visit threatening Web pages. By forcing computer users to visit phishing websites, such as fake versions of their online banking websites, third parties may gain access to the victim's banking information, credit card numbers, PINs and passwords.
Since December of 2015, JS_JITON has been used to compromise computer users' routers. JS_JITON is spread using the victims' mobile devices. When victims access a corrupted website, a threatening JavaScript that contains the DNS-changing components is downloaded. This JavaScript, detected as JS_JITON, is downloaded when the victim visits a compromised website with either a desktop computer or a mobile device. JS_JITONDNS is downloaded when the victim accesses the website using a mobile device. This threatening JavaScript changes the router's DNS settings. This specific attack is targeted towards computer users using a ZTE modem.
JS_JITON is Infecting Computers All Around the World
When inspecting the JS_JITON code, malware analysts have found mentions of three popular router manufacturers: TP-LINK, ZTE and D-Link. These three brands are in the top 10 most popular home routers, with TP-LINK in the top spot in 2015, accounting for more than a quarter of all router sales. JS_JITON compromised websites in Asia, including Russia. However, the attack has spread around the world. The top countries affected by JS_JITON infections include Taiwan, China, Japan, France and the United States. This geographical distribution may also be influenced by the fact that two of the targeted home router brands are Taiwanese and Chinese.
JS_JITON has evasive mechanisms to carry out attacks without alerting the victim. The attacks have also changed regularly and targeted different home routers, always to stay ahead of PC security researchers. Unfortunately, the JavaScript associated with JS_JITON does not cause suspicious behavior on compromised websites, making it difficult to determine exactly which websites are compromised at any given time. At one point, the JS_JITON attack included a keylogger component, which has been removed in the latest versions of this threat.
How JS_JITON may Attack a Home Router
JS_JITON contains more than 1,400 different possible login credentials, including the most commonly used passwords and the default factory passwords for routers of these brands. Many computer users do not change their home router's default password, which leaves the router vulnerable to these kinds of attacks. Once the router has been compromised, its DNS settings are overwritten. Apart from the routers that are compromised using brute-force attacks, JS_JITON may overwrite the DNS settings on ZTE brand routers by taking advantage of a known vulnerability, CVE-2014-2321, which is specific to these home routers. PC security researchers believe that the JS_JITON attacks may be tests for more advanced attacks to come in the future, particularly because of the high degree of customization and the changing nature of these attacks in the last years.
Protecting Your Home Router from JS_JITON and Similar Threats
It is not unlikely that attacks against home routers will increase in the future. There are several security measures you can take to ensure that your home router is protected from these attacks. First, ensure that your router's firmware is always updated with the latest security patches. Never use the default ID and password for your router. It is worth noting that the vulnerabilities exploited by JS_JITON have been patched by the manufacturers, but many computer users have failed to update their hardware.
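A check for the DNS change described above, as an added example that is not part of the original page: it parses `ipconfig /all` output from a Windows client and flags any resolver that is not on an allowlist. The sample output, the allowlist and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumption: the resolvers the owner deliberately configured
# (the router's LAN address plus one chosen upstream resolver).
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.10"}


def dns_servers(ipconfig_text):
    """Return every DNS server listed, including indented continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        label = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        # Additional servers appear on their own line as a bare address.
        cont = re.match(r"\s+([0-9A-Fa-f:.%]+)\s*$", line)
        if label:
            servers.append(label.group(1))
            in_dns = True
        elif in_dns and cont:
            servers.append(cont.group(1))
        else:
            in_dns = False
    return servers


def unexpected_resolvers(ipconfig_text, expected):
    """Return resolvers absent from the allowlist, as normalized strings."""
    flagged = []
    for raw in dns_servers(ipconfig_text):
        addr = ipaddress.ip_address(raw.split("%")[0])  # drop any IPv6 zone id
        if str(addr) not in expected:
            flagged.append(str(addr))
    return flagged


if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE_IPCONFIG, EXPECTED_RESOLVERS))
```

If clients list only the router's own LAN address, this check cannot see an overwritten upstream resolver; in that case compare the DNS servers shown on the router's administration page against the same allowlist.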