JS_JITON

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 5
First Seen: April 12, 2016
Last Seen: September 29, 2019
OS(es) Affected: Windows

Threats designed to attack home routers are not new. There are numerous ways in which home routers may be targeted to force computer users to visit certain websites or to create backdoors into victims' computers or networks. One of the most common is changing the router's DNS (Domain Name System) settings to force computer users to visit threatening Web pages. By forcing computer users to visit phishing websites, such as fake versions of their online banking websites, third parties may gain access to the victim's banking information, credit card numbers, PINs and passwords. Since December of 2015, JS_JITON has been used to compromise computer users' routers. JS_JITON is spread using the victims' mobile devices. When a victim visits a compromised website, with either a desktop computer or a mobile device, a threatening JavaScript that contains the DNS-changing components, detected as JS_JITON, is downloaded. JS_JITONDNS is downloaded when the victim accesses the website using a mobile device. This threatening JavaScript changes the router's DNS settings. This specific attack is targeted towards computer users using a ZTE modem.

JS_JITON is Infecting Computers All Around the World

When inspecting the JS_JITON code, malware analysts found mentions of three popular router manufacturers: TP-LINK, ZTE and D-Link. These three brands are among the top 10 most popular home routers, with TP-LINK in the top spot in 2015, accounting for more than a quarter of all router sales. JS_JITON compromised websites in Asia, including Russia. However, the attack has spread around the world. The top countries affected by JS_JITON infections include Taiwan, China, Japan, France and the United States. The geographical distribution of these attacks may be influenced by the fact that two of the targeted home router brands are Taiwanese and Chinese.

JS_JITON has evasive mechanisms to carry out attacks without alerting the victim. The attacks have also changed regularly, targeting different home routers to stay ahead of PC security researchers. Unfortunately, the JavaScript associated with JS_JITON does not cause suspicious behavior on compromised websites, making it difficult to determine exactly which websites are compromised at any given time. At one point, the JS_JITON attack included a keylogger component, which has been removed in the latest versions of this threat.

How JS_JITON may Attack a Home Router

JS_JITON contains more than 1,400 different possible login credentials, including the most commonly used passwords and the default factory passwords for routers of these brands. Many computer users do not change their home router's default password, making it vulnerable to these kinds of attacks. Once the router has been compromised, its DNS settings are overwritten. Apart from the routers that are compromised using brute force attacks, JS_JITON may overwrite the DNS settings on ZTE brand routers by taking advantage of a known vulnerability, CVE-2014-2321, which is specific to these home routers. PC security researchers believe that the JS_JITON attacks may be tests for more advanced attacks to come in the future, particularly because of the high degree of customization and the changing nature of these attacks in recent years.

Protecting Your Home Router from JS_JITON and Similar Threats

It is not unlikely that attacks against home routers will increase in the future. There are several security measures you can take to ensure that your home router is protected from these attacks. First, ensure that your router's firmware is always updated with the latest security patches. Never use the default ID and password for your router. It is worth noting that the vulnerabilities exploited by JS_JITON have been patched by the manufacturers, but many computer users have failed to update their hardware.
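A defender-side check for the DNS overwrite described above, as an added example that is not part of the original article: it parses Windows `ipconfig /all` output (the sample text is constructed) and flags any DNS server that is not on an expected list. The function names and the expected resolver addresses are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Ethernet adapter Ethernet:

   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Assumption: resolvers this network should hand out (constructed addresses).
EXPECTED = {"192.168.1.1", "198.51.100.10"}

def _as_ip(text):
    try:  # strip any IPv6 zone id ("%12") before validating
        return str(ipaddress.ip_address(text.strip().split("%")[0]))
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Map adapter name -> DNS servers, following continuation lines."""
    result, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace():      # adapter header
            adapter, in_dns = line.rstrip(":"), False
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            value, in_dns = m.group(1), True
        elif in_dns and " : " not in line:      # extra server on its own line
            value = line
        else:
            in_dns = False
            continue
        ip = _as_ip(value)
        if ip and adapter:
            result.setdefault(adapter, []).append(ip)
    return result

def unexpected_resolvers(ipconfig_text, expected=EXPECTED):
    """Return (adapter, server) pairs not on the expected list."""
    return [(a, s) for a, servers in dns_servers(ipconfig_text).items()
            for s in servers if s not in expected]
```

Calling `unexpected_resolvers(SAMPLE)` reports the Ethernet adapter's first resolver; a hit like this on a home network is a cue to log in to the router and compare its DNS fields with what the ISP documents.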
