
Massive Malvertisement Campaign in Major Ad Vendor Use to Modify Router DNS Settings

Advertising is a necessary evil that webmasters and site owners must accept in order to survive, since it is how most websites earn money. Just about every reputable website carries some form of advertising, and these days most of it is served through large ad vendors that distribute ads to any given site. In recent exploits of advertising networks and vendors, cybercrooks have managed to leverage ads from third-party services to display malicious ads that eventually serve up a nasty cocktail of malware to users who click on them.

Malvertising, a relatively new term that has become synonymous with malicious advertisements on the internet, is the in-thing for cybercrooks, who attack ad vendors and networks with malicious third-party ads. These advertising campaigns have varied from one extreme to the other, and the most recent malvertising exploits deliver a malicious payload that changes router DNS settings.

In this recent malvertising scheme, observed by internet security company Sucuri, the perpetrators were found to inject a payload directly into the advertisements they serve, which are later delivered to websites through the googlesyndication.com domain. The delivery method is rather clever: because the ads arrive through a trusted source, googlesyndication.com, there is nothing in place to immediately detect the malicious ads.

In analyzing the URL of the malicious ads, Sucuri found that the author had encoded the code to hide its threats. Decoding the malicious ads' code required going through 2,716 blank characters before finding anything malicious. This daunting task was evidence of the malicious ad's authors blatantly attempting to evade detection.

Digging into the code reveals that the malicious payload changes a computer user's home router's DNS settings and forces a reboot. That process may allow an attacker to remotely force the affected system to serve arbitrary content over the internet. In any case, manipulation of DNS settings through a home router could lead to many issues that a computer user is unaware of until damage has been done.
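The two evasion traits described above (a payload buried behind thousands of blank characters, and script content that reaches into the home network to alter router settings) are both things a defender can screen ad scripts for before they reach a page. The following is an added example, not Sucuri's code or anything from the campaign itself: it measures the blank-character padding in front of a script, flags padding beyond a threshold, and lists any private-range addresses the script references. The sample scripts, the 256-character threshold, and the use of percent-decoding (the article does not say which encoding the attackers used) are all assumptions made for this illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Characters counted as "blank" padding in front of a payload.
BLANK_CHARS = " \t\r\n\x0b\x0c\u00a0"

# Any dotted quad; ipaddress decides afterwards whether it is a private (LAN) address.
DOTTED_QUAD_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: a script padded with 2,716 blank characters, the count the article
# reports, in front of a payload that references a typical home-router address.
# The payload text is invented for this example; it is not the campaign's real script.
SAMPLE_AD_SCRIPT = (" " * 2716) + "var target = 'http://192.168.1.1/'; /* constructed */"

# Constructed benign script for comparison.
BENIGN_AD_SCRIPT = "document.write('<img src=\"https://ads.example/banner.png\">');"


def leading_blank_count(script):
    """Number of blank characters before the first non-blank character."""
    return len(script) - len(script.lstrip(BLANK_CHARS))


def private_addresses(text):
    """Private-range IPv4 addresses referenced in the text, in order of first appearance."""
    found = []
    for quad in DOTTED_QUAD_RE.findall(text):
        try:
            addr = ipaddress.ip_address(quad)
        except ValueError:
            continue  # e.g. an octet above 255
        if addr.is_private and quad not in found:
            found.append(quad)
    return found


def analyze_ad_script(script, padding_threshold=256):
    """Screen an ad script for padding-based evasion and LAN-targeting indicators.

    Returns a dict with the padding length, the decoded payload, the private
    addresses it references, and an overall 'suspicious' verdict.
    """
    padding = leading_blank_count(script)
    # Assumption: the hidden content may be percent-encoded; decode before inspecting.
    payload = unquote(script[padding:])
    lan_hosts = private_addresses(payload)
    return {
        "padding": padding,
        "padded": padding >= padding_threshold,
        "lan_hosts": lan_hosts,
        "payload": payload,
        # Either trait alone is a reason to hold the creative for review.
        "suspicious": padding >= padding_threshold or bool(lan_hosts),
    }


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_AD_SCRIPT), ("benign", BENIGN_AD_SCRIPT)):
        result = analyze_ad_script(script)
        print(f"{name}: padding={result['padding']} lan_hosts={result['lan_hosts']} "
              f"suspicious={result['suspicious']}")
```

Run as a script it reports the padded sample as suspicious (2,716 blank characters, one LAN host) and the benign sample as clean. A publisher or ad-vendor scanner would apply `analyze_ad_script` to each creative at ingestion; the threshold is deliberately far below 2,716 because legitimate minified ad code has no reason to carry hundreds of leading blanks.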

The DNS server used in this recent attack was found to be located in Los Angeles, California. At the time of identification, it was not actively serving malicious IPs, which may mean it is awaiting use by cybercrooks. Still, when clicking on advertisements, no matter the site, computer users should exercise caution and keep an updated antivirus or antispyware application.
