Attacks against home routers have been going around for years—from malware that rigs routers to DNS rebinding attacks and backdoors, among others. Just last year one of our researchers reported a Domain Name System (DNS) changer malware that redirected users to malicious pages when they visited specific websites. This enabled cyber crooks to get hold of the victims’ online credentials, such as passwords and PINs.
Figure 1. The number of detections for JS_JITON (Jan 5, 2016 – April 4, 2016)
Looking through the code, we found mentions of well-known router manufacturers: D-Link, TP-LINK, and ZTE. TP-LINK accounts for 28% of router sales, making it the top router manufacturer for Q1 2015. D-Link is also in the top 10 with its 7% market share. Given that these brands hold significant market share globally, it is no surprise that cybercriminals appear to target them.
Although the attack employed compromised websites in certain countries in Asia and in Russia, it affected various countries globally. Based on our Smart Protection Network data, the top countries affected are Taiwan, Japan, China, the United States, and France. Router makers D-Link and TP-Link are Taiwanese and Chinese brands respectively, which may be a contributing factor to the high percentage of affected users in those countries.
Figure 3: Top 10 countries affected by JS_JITON in the past 3 months
Digging through the code
It should be noted that these DNS settings can be overwritten only when users access the compromised websites through their mobile devices. Aside from this, the relevant code is commented out and does not run properly when executed. While we do not know the exact motivation behind adding such features in the first place, we can surmise that it is due to the proliferation and increased use of mobile devices. There is also the possibility that these features are being used for testing purposes, since these scripts are updated regularly.
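As an added example (not code from the original post or from Trend Micro), the following heuristic scanner looks for the two traits described above in injected JavaScript: a login URL aimed at a LAN address, and a mobile user-agent gate. The marker patterns and the sample snippets are constructed assumptions for illustration, not signatures taken from the actual JITON scripts.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Heuristic markers (assumptions, not signatures from the original post):
# 1) an http(s) URL whose host is a private (RFC 1918) address and which
#    carries user:password@ credentials, i.e. a login attempt at a LAN device;
# 2) a navigator.userAgent check for a mobile device, since the post notes the
#    DNS-changing code only runs when the page is opened from a mobile device;
# 3) the word "dns" anywhere in the script body.
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
MOBILE_UA_RE = re.compile(
    r"userAgent.{0,80}?(?:Android|iPhone|iPad|Mobile)"
    r"|(?:Android|iPhone|iPad|Mobile).{0,80}?userAgent",
    re.I | re.S,
)
DNS_RE = re.compile(r"\bdns\b", re.I)


def _private_host(url):
    """True when the URL's host is a literal private/loopback IP address."""
    host = urlsplit(url).hostname
    try:
        return host is not None and ipaddress.ip_address(host).is_private
    except ValueError:  # hostname, not an IP literal
        return False


def scan_script(source):
    """Return (signal, detail) tuples for the markers found in JavaScript text."""
    findings = []
    for url in URL_RE.findall(source):
        parts = urlsplit(url)
        if _private_host(url) and parts.username is not None:
            findings.append(("lan_login_url", f"{parts.username}@{parts.hostname}"))
        elif _private_host(url):
            findings.append(("lan_request", parts.hostname))
    if MOBILE_UA_RE.search(source):
        findings.append(("mobile_ua_gate", "navigator.userAgent check"))
    if DNS_RE.search(source):
        findings.append(("dns_keyword", "dns"))
    return findings


def is_suspicious(source):
    """Flag a LAN login URL that co-occurs with a mobile-UA gate or DNS wording."""
    signals = {s for s, _ in scan_script(source)}
    return "lan_login_url" in signals and bool(signals & {"mobile_ua_gate", "dns_keyword"})


# Constructed samples: one mimics the injected pattern, one is an ordinary site script.
SAMPLE_INJECTED = """
if (/Android|iPhone/i.test(navigator.userAgent)) {
  var img = new Image();
  img.src = "http://admin:admin@192.168.1.1/";  // constructed, default credentials at a LAN address
}
"""
SAMPLE_BENIGN = """
var api = "https://example.com/api/v1/items";
if (navigator.userAgent.indexOf("Mobile") > -1) { loadMobileLayout(); }
"""
```

A single marker (a mobile user-agent check alone, as in the benign sample) is not flagged; only the combination with a credentialed request to a LAN address is.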
Figure 4: The list of log-in IDs and passwords
Figure 5: Part of the scripts that modify the DNS settings via the CVE-2014-2321 vulnerability
Awareness is key in the age of digitalization
Threats against home routers will likely proliferate, especially in the age of digitalization of devices. Although IoT has benefits, it also introduces security and privacy-related risks to users of home routers. In this case, we saw how attackers leveraged security gaps that may lead to information theft.
Users can arm themselves against such risks by taking the following security measures:
- Keep the firmware of devices such as routers up to date with the latest patches
- Avoid using default IDs and passwords
Oftentimes, people overlook the importance of keeping firmware updated. Administrative devices, especially in the age of IoT, are vulnerable to attacks that may pose risks to both user privacy and security. It is best to know how these smart devices operate and what kind of personally identifiable information they may collect. Knowing how secure smart devices are, and the types of security risks that using them may entail, is one of the means of protecting yourself and your data against threats like JITON.
Trend Micro endpoint solutions such as Trend Micro Security, Smart Protection Suites, and Worry-Free Business Security can protect users and businesses from this threat by blocking all related malicious URLs and detecting the malicious files. Trend Micro Mobile Security Personal Edition and Mobile Security Solutions also block all related malicious URLs used in this attack.
Indicators of Compromise