JavaScript-Based Malware Attacks Your Router's DNS Settings

[Batu69]

Malware brute-forces your router with hardcoded credentials

 Top countries affected by JS_JITON

 

Trend Micro researches discovered a new JavaScript-based malware that infects not only mobile devices but also attacks your home router, altering its DNS (Domain Name System) settings.

Named JS_JITON, this new threat was first spotted in attacks at the end of December 2015, continuing to infect devices up until this day, hitting its peak in February 2016, with over 1,500 infections per day.

JS_JITON spreads from infected Russian and Asian websites

The malware's infection chain is simple. According to Trend Micro researchers, attackers place malicious code on compromised websites and wait for users to visit these pages using mobile devices.

Once this happens, the malware is downloaded to the user's mobile device and executes, trying to connect to the local home network's router IP using a series of admin and passwords combos hardcoded in the JS_JITON malware source code.

Over 1,400 credentials are included, and once the malware authenticates on the device, it will change the router's DNS settings.

JS_JITON is still a work in progress, evolves each week

It is unknown why the malware executes this routine, but taking into account that at one point it also included malicious code that executed from desktop computers, Trend Micro researchers believe this is a "work in progress," with its creators still exploring their attack's capabilities.

This conclusion is also reinforced by the fact that attackers regularly update JS_JITON's source code, changing small details here and there, fine tuning their attacks. Additionally, at one point, the JS_JITON source code also included a keylogging component.

Researchers noted that JS_JITON could attack D-Link and TP-Link routers, but it also included a special exploit to take advantage of CVE-2014-2321, an older vulnerability in ZTE modems.

Most of the malicious JS_JITON code is hosted on infected sites in Russia and Asian countries, but this hasn't stopped attackers from making victims all over the world. Most infected devices are found in Taiwan (27%), Japan (20%), China (13%), the US (8%), and France (5%).

Article source

[Kalju]

All can be so as in article, but only one thing is strange - the first article was published only yesterday, and the only one, who knows anything about this weird case, is the Trend Micro.

[straycat19]

Not to worry, you do have a strong password to login to your router to change settings, don't you?

[Kalju]

Password does not protect in any way such things.
Password protects only your children and grandmother, they simply can not escape in the network if password is strong. Hackers don't need any password.

[DKT27]

I remember, one of the first few things my ASUS WAN router asked me to do was to change it's username and password. Now, coming from a person who has always been on an ADSL router / line, this was a bit surprising.

 

Now, I'm not sure if other router makers follow this practice, if they do not, they should do so.