carloscastilla - Fotolia

How does DNSChanger take advantage of WebRTC protocols?

WebRTC protocols are being targeted by a new version of the DNSChanger exploit kit. Judith Myerson explains how these attacks work and what enterprises should know.

A new version of the exploit kit called DNSChanger, which causes wireless routers to connect to malicious domains, uses WebRTC protocols to commit its attacks. What is WebRTC, and how does DNSChanger use it?

Web Real-Time Communications (WebRTC) is a common set of network protocols that enable real-time communication over internet connections. WebRTC protocols allow you to share the IP address of your wireless router with webpages, even when you use a VPN connection. There is no need for third-party plug-ins.

This data sharing vulnerability is exploited by the DNSChanger exploit kit to conduct network reconnaissance and then commit its attack on the domain name system (DNS) entries in routers. The DNSChanger uses WebRTC protocols via the Chrome browser to request a STUN server to discover the victim's IP address. If the victim's public IP address is already known, or if their local IP address is not in the targeted ranges, the router will be connected to a decoy path that displays an advertisement. The advertisement looks legitimate, but it is actually a fake.

The victim may be unaware that this image is marked as being in JPEG format, when it is actually in PNG format. In the meantime, JavaScript extracts HTML code from the comment field in the PNG file.

Upon execution, the HTML code sends the victim back to the DNSChanger landing page. Multiple malicious functions are then loaded, including a function extracting an Advanced Encryption Standard key hidden with a small image. This key is to encrypt the suspicious traffic to DNSChanger from network administrators. The key is also used to decrypt the router's "fingerprints" and the associated commands to attack the router.

When the victim's browser detects the routers, the reconnaissance phase starts, and the exploit kit collects the router model type, firmware and other information to match it against existing router fingerprints. When this phase ends, the browser reports back to the DNSChanger home, which, in turn, gives detailed instructions to perform an attack on a specific router.

The exploit takes advantage of WebRTC protocols, so it doesn't matter what operating systems and browsers the routers use. If a router has no known flaws, the attack will attempt to use default credentials to log in. If the router has known exploits, such as the recent Netgear vulnerability, the attack will use them to modify the DNS entries in the router.

Cybersecurity company Proofpoint, which discovered the new version of DNSChanger, reported in December 2016 that the exploit kit activity appears to have ceased. However, enterprises should still make sure their router firmware is updated, and that any default credentials have been changed. 

Next Steps

Read more on the enterprise need for WebRTC gateways

Learn about the security pros and cons of site-to-site VPNs

Discover how the 'BlackNurse' attack overwhelms firewalls

Dig Deeper on Network security

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing