Cybercriminal gangs have found a new way to serve malicious ads in such a way so it is hard to get rid of them – infect your internet router rather than your web browser by silently making requests to your computer without your knowledge.

US security firm Proofpoint has discovered a new exploit kit called DNSChanger EK that aims to serve an endless series of malicious ads on every single website the user visits (known as a "malvertising campaign"). The researchers found that the affected router brands included models by Netgear, D-Link, Linksys, Pirelli, Zyxel and Comtrend.

The malvertising campaign works like this – the cybercriminals purchase ads on legitimate websites and insert malicious JavaScript code into the ad file. When the malicious ad is served on the website, it figures out the user's local IP address by quietly sending a WebRTC request to a Mozilla STUN server.

If the server determines that the user is on a small local network maintained by a home internet router, then the attack commences, otherwise the user is shown a normal ad and the server waits till it detects a suitable victim.

Once the victim is detected, the server loads a malicious ad on the webpage and the user is redirected to the attacker's malicious website, which is where the DNSChanger EK exploit is then activated. The attacker's server causes an image file to be quietly sent to the user's web browser, which contains an AES encryption key embedded in the image file.

Attackers hiding server traffic from cybersecurity researchers

Cybercriminals don't want security firms finding out what they're doing, so all the attackers' exploit web traffic is encrypted. Once the image file is sent to the user's web browser, the original malicious ad uses the AES key to decrypt anymore traffic coming from the attacker's server.

The reason for all this secrecy is because the attacker's server wants to ask the user's computer and home router questions to find out what specific model the victim is using, and to do this, it needs to send traffic that could be detected by cybersecurity researchers.

So once the malicious ad has authenticated and decrypted the web traffic, the exploit kit sends out a list of router fingerprints, asking the router to confirm its identity. Proofpoint has so far spotted that the exploit sends out router fingerprints relating to 166 different internet router models, one by one trying each fingerprint until it figures out the victim's router model.

When the attacker's server figures out the correct router model, it then selects the appropriate exploit package that then hijacks the router and changes its DNS settings so the attacker can route an endless supply of malicious ads, which will appear on any site the victim visits while on the home network, as well as on any other PC or Android smartphone that goes online at the victim's home.

Exploit kit includes multiple ways to hijack the router

This exploit kit is quite vicious because it includes exploits to suit any eventuality. If your router is one that has easy-to-guess admin credentials, then the kit hijacks your router that way. If not, it keeps cycling through vulnerabilities until it finds one that works.

And if the particular router has administration ports that can easily be manipulated, then the exploit is programmed to open the port so the attackers can control the router directly. Proofpoint's researchers discovered that this was the case with 36 of the routers on the router fingerprint list.

The specific router models that researchers identified as being affected by the malvertising campaign include: D-Link DSL-2740R, Comtrend ADSL Router CT-5367 C01_R12, Netgear WNDR3400v3 (and likely other models in this series), Pirelli ADSL2/2+ Wireless Router P.DGA4001N and Netgear R6200.

This malvertising campaign is a completely separate issue to the Netgear critical flaw enabling hackers to hijack routers that was reported by the US Computer Emergency Readiness Team (US-CERT) at Carnegie Mellon University on 9 December. Netgear is currently working on a fix for the vulnerability.