{
	"id": "675eab8f-7ead-4d09-8084-890a391b882c",
	"created_at": "2026-04-06T00:10:14.258864Z",
	"updated_at": "2026-04-10T03:21:38.17428Z",
	"deleted_at": null,
	"sha1_hash": "2ccfa679b0dc30f872b46c2f3b95e37b8e3d681f",
	"title": "Home Routers Under Attack via DNSChanger Malware US | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3622028,
	"plain_text": "Home Routers Under Attack via DNSChanger Malware US |\r\nProofpoint US\r\nBy December 13, 2016 Kafeine\r\nPublished: 2016-12-13 · Archived: 2026-04-02 10:48:16 UTC\r\n[Updated December 19, 2016 to reflect additional data received from one of the affected traffic brokers and\r\ndetected by our own infrastructure. Thanks to Fogzy for providing data on this malicious activity and their prompt\r\naction to shut down the activity affecting their network.]\r\nOverview\r\nProofpoint researchers have reported frequently this year on the decline in exploit kit (EK) activity. EKs, though,\r\nare still vital components of malvertising operations, exposing large numbers of users to malware via malicious\r\nads. Since the end of October, we have seen an improved version of the “DNSChanger EK” [1] used in ongoing\r\nmalvertising campaigns. DNSChanger malware attacks internet routers via potential victims’ web browsers; the\r\nEK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims' home or small office\r\n(SOHO) routers. Most often, a router malware attack like DNSChanger works through the Chrome browser on\r\nWindows desktops and Android devices. However, once routers are compromised, all users connecting to the\r\nrouter, regardless of their operating system or browser, are vulnerable to attack and further malvertising.\r\nThe router attacks appear to happen in waves that are likely associated with ongoing malvertising campaigns\r\nlasting several days. The DNSChanger malware attack pattern and infection chain similarities led us to conclude\r\nthat the actor behind these campaigns was also responsible for the “CSRF (Cross-Site Request Forgery) Soho\r\nPharming” operations in the first half of 2015 [1].\r\nHowever, we uncovered several improvements in the implementation of these attacks, including:\r\nExternal DNS resolution for internal addresses\r\nSteganography to conceal\r\nAn AES encryption key to decrypt the list of fingerprints / default credentials and local resolutions\r\nThe layout for the commands sent to attack the targeted routers\r\nThe addition of dozens of recent router exploits: There are now 166 fingerprints, some working for several\r\nrouter models, versus 55 fingerprints in 2015. For example, some like the exploit targeting “Comtrend\r\nADSL Router CT-5367/5624\" were a few weeks old  (September 13, 2016) when the attack began around\r\nOctober 28.\r\nWhen possible (in 36 cases) the exploit kit modifies the network rules to make the administration ports\r\navailable from external addresses, exposing the router to additional attacks like those perpetrated by the\r\nMirai botnets [2]\r\nThe malvertising chain is now accepting Android devices as well.\r\nDNSChanger Malware Attack chain:\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 1 of 20\n\nThe attack chain ensnares victim networks though legitimate web sites hosting malicious advertisements\r\nunknowingly distributed via legitimate ad agencies. The complete attack chain is shown in Figure 1.\r\nFigure 1: Illustration of the complete attack chain\r\nFigure 2 shows an example of captured traffic associated with this attack:\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 2 of 20\n\nFigure 2: Traffic associated with the DNSChanger EK attack on a SOHO (Small Office/Home Office) router.\r\nAttack Analysis:\r\nMalvertising encountered on both desktop and mobile devices sends traffic to the DNSChanger EK. We were able\r\nto confirm that the attack is carried out properly on Google Chrome for Windows as well as for Android.\r\nDNSChanger will use webRTC to request a STUN server via stun.services.mozilla[.]com and determine the\r\nvictim's local IP address. If the victim's public IP is already known or their local IP is not in the targeted ranges,\r\nthey will be directed to a decoy path where a legitimate advertisement from a third party ad agency is displayed.\r\nIf the client passes this check then a fake advertisement will be displayed to the victim. JavaScript extracts HTML\r\ncode from the comment field on the PNG file, redirecting victims to the landing of the DNSChanger EK. Note that\r\nthe image listed in (1) in Figure 3 is a fake and not actually a .jpg; rather it is a PNG file.\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 3 of 20\n\nFigure 3: Fake advertisement containing code which extracted allow redirection to the DNSChanger EK\r\n(November 2016)\r\nThe DNSChanger EK will once again check the victim's local IP address via STUN requests. It then loads\r\nmultiple functions and an AES key concealed with steganography in a small image.\r\nFigure 4: Function extracting the AES key and using it to decode the fingerprints and associated commands\r\nThis key will be used to decrypt the list of fingerprints which can be deduplicated to 129 items (see appendix for\r\nthe complete list).\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 4 of 20\n\nFigure 5: Functions used to determine available routers in victims' homes/offices\r\nThe victim’s browser will then try to locate and identify the router used in the network (Fig. 5).\r\nOnce it performs the reconnaissance functions, the browser will report back to the DNSChanger EK which returns\r\nthe proper instructions to perform an attack on the router.\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 5 of 20\n\nFigure 6: Attack layout once extracted from the image and AES-decoded\r\nFigure 7: Example attack command\r\nThis attack is determined by the particular router model that is detected during the reconnaissance phase. If there\r\nis no known exploit, the attack will attempt to use default credentials; otherwise, it will use known exploits to\r\nmodify the DNS entries in the router and, when possible (observed for 36 fingerprints out of the 129 available), it\r\nwill try to make administration ports available from external addresses. In this way, it will expose the router to\r\nadditional attacks like those performed by the Mirai [2] botnets.\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 6 of 20\n\nFigure 8: Example of port mapping instructions once decoded\r\nFigure 9: DNSChanger EK attempting to map the telnet administration port to external TCP 8780 as captured in\r\nthe traffic\r\nPost Infection:\r\nWhile the goals of such an attack - changing DNS records on a router - are not always clear, in this case we were\r\nable to determine at least one motivating factor. We studied discrepancies in DNS resolution results between a\r\npublic, reliable DNS server and some rogue servers identified in these campaigns and found that the attackers\r\nwere primarily interested in stealing traffic from some large web ad agencies including:\r\nAgency Via Alexa Rank\r\nPropellerads onclickads.net 32\r\nPopcash popcash.net 170\r\nTaboola cdn.taboola.com 278\r\nOutBrain widgets.outbrain.com 146\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 7 of 20\n\nAdSuppy\r\ncdn.engine.4dsply.com\r\ncdn.engine.phn.doublepimp.com\r\n362\r\n245\r\nThe attackers force resolution of the corresponding domain to 193.238.153[.]10 or 46.166.160[.]187. Depending\r\non the domains, they might use it to change advertising behavior and target website (for instance, any click on the\r\npage might trigger a popup) or perform ad Substitution.\r\nFigure 10: Advertisement calls modified by attackers\r\nAt the time of our examination, they were redirecting the traffic to Fogzy (a.rfgsi[.]com) and TrafficBroker. We\r\ncontacted both of these agencies to get additional information and let them know about the stolen traffic on their\r\nnetworks.\r\nAffected Routers and Mitigation Steps\r\nIt is not possible to provide a definitive list of affected routers as there is no longer an obvious victim-side\r\nrelationship between the fingerprint data and the associated routers; this clear association was removed from\r\nDNSChanger EK in mid-2015 and a deeper investigation was outside the scope of this analysis. However, the\r\nmost secure approach for end users is to consider that all known exploits are integrated in this kind of exploit kit,\r\nand thus all routers should be updated to the last known firmware.\r\nWe were able to identify several newly added vulnerable routers:\r\nD-Link DSL-2740R\r\nCOMTREND ADSL Router  CT-5367 C01_R12\r\nNetGear WNDR3400v3 (and likely other models in this series)\r\nPirelli ADSL2/2+ Wireless Router P.DGA4001N\r\nNetgear R6200\r\nA zero-day exploit for the Netgear R7000, R6400 [4] and others was recently documented by other researchers.\r\nWe checked for fingerprints associated with these models in DNSChanger but did not find any as of December 12,\r\n2016. Nevertheless we strongly advise users to follow the instructions from US-CERT [5] to disable the web\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 8 of 20\n\nserver on affected Netgear routers [6] as we can expect this exploit to be added quite soon in this EK. Netgear has\r\nalso made beta versions of firmware available to users that may address these vulnerabilities [8].\r\nIn many cases, simply disabling remote administration on SOHO routers can improve their security. In this case,\r\nthough, attackers use either a wired or wireless connection from a device on the network. As a result, the attackers\r\ndo not need the remote administration to be turned on to successfully change the router settings.\r\nUnfortunately, there is no simple way to protect against these attacks. Applying the latest router updates remains\r\nthe best way to avoid exploits. Changing the default local IP range, in this specific case, may also provide some\r\nprotection. Neither of these solutions, though, is a typical action performed by average users of SOHO routers. As\r\na result, it is also incumbent upon router manufacturers to develop mechanisms for simple, user-friendly updates\r\nto their hardware.\r\nMoreover, while we understand that advertising is an important component of the web publishing ecosystem, in\r\nsome cases, ad-blocking browser add-ons might prevent these kinds of attacks when they originate through\r\nmalvertising.\r\nConclusion:\r\nWhen attackers control the DNS server on a network, they open up the possibility of carrying out a wide range of\r\nmalicious actions on devices connecting to the network. These can include banking fraud, man-in-the-middle\r\nattacks, phishing [7], ad fraud, and more. In this case, the DNSChanger exploit kit allows attackers to leverage\r\nwhat is often the only DNS server on a SOHO network - the internet router itself. In general, avoiding these\r\nattacks requires router manufacturers to regularly patch their firmware and users to regularly apply these patches.\r\nRouter vulnerabilities affect not only users on the network but potentially others outside the network if the routers\r\nare compromised and used in a botnet. While users must take responsibility for firmware updates, device\r\nmanufacturers must also make security straightforward and baked in from the outset, especially on equipment\r\ndesigned for the SOHO market.\r\n[Update, December 19, 2016]\r\nAs of December 16, it appears that the malvertising campaigns driving distribution of DNSChanger EK have\r\nceased and DNSChanger EK appears to be offline. However, all routers that have previously been compromised\r\nare potentially still under attacker control. At this time, a minimum of 56,000 routers have been compromised, but\r\nwe expect that number is considerably higher. Based on data provided by one of the affected traffic brokers that\r\nthe attackers were using to steal advertising streams, we can see that the campaigns were, in fact, widely\r\ndistributed internationally (Figure A). Note that the percentages in each of the charts below reflect the distribution\r\nof traffic from routers that have been compromised by DNSChanger EK. Also note that only one of the two\r\naffected traffic brokers made their data available to us at the time of publication so the aggregate data from all\r\ncompromised routers may lead to different distributions.\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 9 of 20\n\nFigure A: Geographic distribution of traffic from routers compromised by DNSChanger EK\r\nFigure B shows the distribution of traffic by type of device accessing the local network behind compromised\r\nrouters:\r\nFigure B: Traffic by hardware platform\r\nIt is worth noting that almost 74% of the traffic from compromised routers originated from the Google Chrome\r\nweb browser. However, this may simply reflect broader adoption trends for Google Chrome instead of particular\r\ntargeting; Chrome has a majority market share on both mobile and desktop platforms, both of which are included\r\nin this chart.\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 10 of 20\n\nFigure C: Traffic by web browser\r\nFinally, among mobile devices hitting the traffic broker from compromised routers, we see considerable spread\r\nacross mobile operating systems.\r\nFigure D: Traffic by mobile OS\r\nWe will continue to monitor this actor group and exploit kit for further activity.\r\nReferences\r\n[1] http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html\r\n[2] https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html\r\n[3] https://www.kb.cert.org/vuls/id/582384\r\n[4] http://thehackernews.com/2016/12/netgear-router-hacking.html\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 11 of 20\n\n[5] https://www.kb.cert.org/vuls/id/582384\r\n[6] http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/\r\n[7] https://www.proofpoint.com/us/threat-insight/post/Phish-Pharm\r\n[8] http://kb.netgear.com/000036386/CVE-2016-582384\r\nIndicators of Compromise\r\nDomain | IP Comment\r\nmodificationserver.com |\r\n93.115.28.248\r\nMalvertising Step 2 in front of the EK - 2016-12\r\nexpensiveserver.com | 46.28.67.21 Malvertising Step 1 in front of the EK - 2016-12\r\nimmediatelyserver.com Malvertising in front of the EK - 2016-11\r\nrespectsserver.com | 217.12.220.127 Malvertising Step1  in front of the EK - 2016-10\r\nad.reverencegserver.com Malvertising Step2  in front of the EK - 2016-10\r\nparametersserver.com|93.115.28.249 DNSChanger EK/ RouterEK - 2016-12\r\nphosphateserver.com DNSChanger EK/ RouterEK - 2016-11\r\ncigaretteinserver.com DNSChanger EK/ RouterEK - 2016-10\r\nFrom 46.17.102.10 up to 24 Rogue DNS Servers\r\nFrom 5.39.220.117 up to 126 Rogue DNS Servers\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 12 of 20\n\nFrom 217.12.218.114 up to 121 Rogue DNS Servers\r\nFrom 93.115.31.194 up to 244 Rogue DNS Servers\r\n193.238.153.10 and 46.166.160.187\r\nSubstituted IP for targeted traffic (impersonating server)\r\nTraffic to that host is most probably a symptom of DNS entries\r\nmodified on the router.\r\npix1.payswithservers.com External domain for 192.168.1.1\r\npix2.payswithservers.com External domain for 192.168.8.1\r\npix3.payswithservers.com External domain for 192.168.178.1\r\npix4.payswithservers.com External domain for 192.168.0.1\r\npix5.payswithservers.com External domain for 192.168.10.1\r\npix6.payswithservers.com External domain for 192.168.137.1\r\npix7.payswithservers.com External domain for 10.10.10.1\r\npix8.payswithservers.com External domain for 192.168.100.1\r\npix9.payswithservers.com External domain for 10.1.1.1\r\npix10.payswithservers.com External domain for 10.0.0.1\r\npix11.payswithservers.com External domain for 192.168.2.1\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 13 of 20\n\npix12.payswithservers.com External domain for 192.168.254.1\r\npix13.payswithservers.com External domain for 192.168.11.1\r\npix14.payswithservers.com External domain for 192.168.3.1\r\nsub[i].domain254.com for   0 \u003c i \u003c 18 Not resolving\r\nsub16.domain.com Resolving to 66.96.162.92\r\nsub17.domain.com Resolving to 66.96.162.92\r\nSelect ET signatures\r\n2023473 || ET CURRENT_EVENTS DNSChanger EK Secondary Landing Oct 31 2016\r\n2021090 || ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015\r\n2023466 || ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt\r\n2020487 || ET EXPLOIT Generic ADSL Router DNS Change GET Request\r\n2020488 || ET EXPLOIT Generic ADSL Router DNS Change POST Request\r\n2020854 || ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015\r\n2020856 || ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request\r\n2020857 || ET EXPLOIT Belkin Wireless G Router DNS Change POST Request\r\n2020858 || ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request\r\n2020859 || ET EXPLOIT Netgear WNDR Router DNS Change POST Request\r\n2020861 || ET EXPLOIT Motorola SBG900 Router DNS Change GET Request\r\n2020862 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 1\r\n2020863 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2\r\n2020871 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 14 of 20\n\n2020873 || ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET Request\r\n2020874 || ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request\r\n2020875 || ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request\r\n2020876 || ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request\r\n2020877 || ET EXPLOIT Known Malicious Router DNS Change GET Request\r\n2020878 || ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request\r\n2020896 || ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015 M2\r\n2023467 || ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt\r\n2023468 || ET EXPLOIT Unknown Router Remote DNS Change Attempt\r\n2023628 || ET EXPLOIT Netgear R7000 Command Injection Exploit\r\n2823788 || ETPRO TROJAN DNSChanger Rogue DNS Server (A Lookup)\r\n2823811 || ETPRO CURRENT_EVENTS DNSChanger EK DNS Reply Adfraud Server 1 Dec 12 2016\r\n2823812 || ETPRO CURRENT_EVENTS DNSChanger EK DNS Reply Adfraud Server 2 Dec 12 2016\r\nFingerprint list :\r\n[-37,\"/img/Netgeargenie.png\",290,41,\"0\",0]\r\n[-36,\"/UILinksys.gif\",165,57,\"0\",0]\r\n[-32,\"/redbull.gif\",7,7,\"1\",0]\r\n[-31,\"/settings.gif\",654,111,\"0\",0]\r\n[-30,\"/images/img_masthead.jpg\",836,92,\"0\",0]\r\n[-29,\"/images/logo.png\",183,46,\"0\",0]\r\n[-28,\"/images/top1_1.jpg\",280,87,\"1\",0]\r\n[-27,\"/headlogoa.gif\",370,78,\"0\",0]\r\n[-26,\"/image/logo_gn.gif\",101,51,\"0\",0]\r\n[-25,\"/bg_logo.jpg\",858,82,\"0\",0]\r\n[-24,\"/image/tops.gif\",450,92,\"0\",0]\r\n[-23,\"/graphics/banner.png\",1024,70,\"1\",0]\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 15 of 20\n\n[-22,\"/img/loading.gif\",32,32,\"0\",0]\r\n[-21,\"/logo_corp.gif\",95,50,\"1\",0]\r\n[-20,\"/img/banner.gif\",778,60,\"0\",0]\r\n[-19,\"/down_02.jpg\",133,75,\"0\",0]\r\n[-18,\"/redbull.gif\",7,7,\"0\",0]\r\n[-17,\"/pic/head_01.gif\",162,92,\"0\",0]\r\n[-16,\"/image/linksys_logo.png\",230,30,\"0\",0]\r\n[-15,\"/file/Comtrend_banner.jpg\",897,70,\"1\",0]\r\n[-13,\"/logo.gif\",371,38,\"1\",0]\r\n[-12,\"/image/top/NETGEAR_Genie.png\",512,60,\"1\",0]\r\n[-11,\"/img/Netgeargenie.png\",290,41,\"\",0]\r\n[-10,\"/tmp.gif\",700,54,\"1\",0]\r\n[-9,\"/wlan_masthead.gif\",836,92,\"0\",0]\r\n[-8,\"/images/logo.png\",146,38,\"0\",0]\r\n[-6,\"/image/top/logo.gif\",300,38,\"0\",0]\r\n[-4,\"/button_log_in.gif\",70,21,\"0\",0]\r\n[-3,\"/image/UI_Linksys.gif\",166,58,\"1\",0]\r\n[-2,\"/smclg.gif\",133,59,\"0\",0]\r\n[-1,\"/themes/TM04/Drift-logo.png\",300,89,\"0\",0]\r\n[0,\"/graphics/topbar.jpg\",900,69,\"1\",1]\r\n[1,\"/graphics/young.png\",128,96,\"1\",0]\r\n[2,\"/images/bg_stripes.png\",50,50,\"1\",0]\r\n[3,\"/image/logo.png\",271,43,\"0\",0]\r\n[5,\"/images/logo.gif\",133,59,\"0\",0]\r\n[8,\"/img/tenda-logo-big.png\",199,45,\"0\",0]\r\n[9,\"/images/main_welcome.gif\",850,179,\"1\",1]\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 16 of 20\n\n[11,\"/image/UI_Linksys.gif\",288,58,\"0\",0]\r\n[12,\"/Images/img_masthead_red.gif\",856,92,\"0\",0]\r\n[13,\"/settings.gif\",750,85,\"0\",0]\r\n[14,\"/images/top-02.gif\",359,78,\"1\",0]\r\n[15,\"/UI_Linksys.gif\",165,57,\"1\",0]\r\n[16,\"/set_bt.gif\",93,52,\"0\",1]\r\n[18,\"/images/top1_1.jpg\",208,85,\"1\",0]\r\n[19,\"/graphics/head_logo.gif\",121,64,\"0\",0]\r\n[20,\"/images/top1_1.jpg\",280,87,\"0\",0]\r\n[21,\"/router_logo.jpg\",79,50,\"1\",0]\r\n[22,\"/graphics/gui_admin_login.jpg\",283,120,\"0\",0]\r\n[23,\"/ag_logo.jpg\",164,91,\"1\",0]\r\n[24,\"/images/head_logo.gif\",312,68,\"0\",0]\r\n[25,\"/menu-images/logo.gif\",169,50,\"1\",0]\r\n[28,\"/image/UI_Linksys.gif\",288,58,\"1\",0]\r\n[29,\"/Images/Logo.gif\",143,33,\"0\",0]\r\n[30,\"/images/logo.gif\",169,50,\"0\",0]\r\n[31,\"/pic/logo.png\",287,69,\"0\",0]\r\n[32,\"/spin.gif\",16,16,\"1\",0]\r\n[33,\"/icons/top_left.png\",300,96,\"1\",0]\r\n[34,\"/headlogo.gif\",121,64,\"0\",0]\r\n[35,\"/pictures/home.jpg\",255,41,\"1\",0]\r\n[37,\"/images/new_qanner.gif\",840,92,\"0\",0]\r\n[38,\"/zyxellg.gif\",169,50,\"0\",0]\r\n[39,\"/imagesV/vlogo_blk.jpg\",185,40,\"0\",0]\r\n[40,\"/images/New_ui/asustitle.png\",218,54,\"0\",0]\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 17 of 20\n\n[41,\"/images/New_ui/asustitle_changed.png\",218,54,\"0\",0]\r\n[45,\"/images/date_bg.png\",71,70,\"0\",0]\r\n[47,\"/graphic/head_04.gif\",836,92,\"0\",0]\r\n[49,\"/image/logo.gif\",390,69,\"0\",0]\r\n[50,\"/images/data_1_voda.gif\",149,28,\"0\",0]\r\n[51,\"/images/logo_wind.gif\",156,28,\"0\",0]\r\n[53,\"/pic/ag_logo.jpg\",164,91,\"0\",0]\r\n[54,\"/banner_s.gif\",126,65,\"1\",0]\r\n[55,\"/logo.gif\",270,69,\"0\",0]\r\n[56,\"/logo_320x23.png\",320,23,\"0\",0]\r\n[58,\"/image/UI_Linksys.gif\",165,57,\"1\",0]\r\n[59,\"/file/int_logo_4_firmware.gif\",366,66,\"1\",0]\r\n[61,\"/images/header.jpg\",800,70,\"0\",0]\r\n[62,\"/images/btn_apply.png\",61,20,\"0\",0]\r\n[63,\"/tendalogo.gif\",387,90,\"0\",0]\r\n[64,\"/file/Logo.gif\",216,83,\"1\",0]\r\n[65,\"/body/logo.jpg\",154,118,\"0\",0]\r\n[68,\"/head_logo_p1_encore.jpg\",92,72,\"0\",0]\r\n[69,\"/images/UI_Linksys.gif\",288,57,\"0\",0]\r\n[70,\"/images/title_2.gif\",321,28,\"1\",0]\r\n[71,\"/home_01.gif\",765,95,\"0\",0]\r\n[74,\"/wlan_masthead.gif\",836,85,\"0\",0]\r\n[75,\"/settingsDGND3300.jpg\",799,97,\"0\",0]\r\n[76,\"/main/banner_files/bannertxt.gif\",672,40,\"0\",0]\r\n[77,\"/html/images/dsl604.jpg\",765,95,\"1\",0]\r\n[79,\"/head_logo.gif\",140,64,\"0\",0]\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 18 of 20\n\n[80,\"/images/logo.jpg\",270,69,\"0\",0]\r\n[81,\"/images/logo_netis.png\",121,31,\"0\",0]\r\n[82,\"/images/icon-Change_pencil.png\",18,18,\"0\",0]\r\n[83,\"/logo1.gif\",207,105,\"0\",0]\r\n[85,\"/images/icon_now.gif\",14,14,\"0\",0]\r\n[87,\"/down_02.jpg\",135,75,\"0\",0]\r\n[88,\"/Images/logo.gif\",270,69,\"1\",0]\r\n[89,\"/UILinksys.gif\",166,58,\"1\",0]\r\n[91,\"/image/UI_Linksys.gif\",134,58,\"1\",0]\r\n[92,\"/logo.gif\",390,69,\"0\",0]\r\n[93,\"/images/icon_now.gif\",14,14,\"1\",0]\r\n[95,\"/Images/img_masthead_red.gif\",836,92,\"0\",0]\r\n[97,\"/images/topbg.gif\",960,66,\"0\",0]\r\n[99,\"/down_02.jpg\",133,75,\"1\",0]\r\n[102,\"/images2/main_title.n704bcm.gif\",758,74,\"0\",0]\r\n[104,\"/common/images/logo.gif\",108,32,\"0\",0]\r\n[105,\"/Images/logo.gif\",780,62,\"0\",0]\r\n[106,\"/images2/login_title.n704bcm.gif\",299,62,\"0\",0]\r\n[107,\"/images2/login_title.n704a3.gif\",299,62,\"0\",0]\r\n[108,\"/file/logo.gif\",165,47,\"1\",0]\r\n[110,\"/images/login_title_n104t.gif\",299,62,\"0\",0]\r\n[111,\"/img/redbull.gif \",7,7,\"1\",0]\r\n[112,\"/images/head_logo.gif\",140,78,\"0\",0]\r\n[114,\"/img/title_RP614v4.gif\",750,85,\"0\",0]\r\n[115,\"/UI_Linksys.gif \",273,44,\"1\",0]\r\n[116,\"/logo.gif\",318,69,\"0\",1]\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 19 of 20\n\n[117,\"/pic/img_masthead.gif\",836,92,\"0\",0]\r\n[118,\"/images/logo.gif\",76,69,\"0\",0]\r\n[119,\"/images/logo_transparent.gif\",156,129,\"0\",0]\r\n[121,\"/Images/bg_a1.gif\",280,70,\"0\",0]\r\n[122,\"/images/index_wrapper_bg_3347.png\",801,325,\"0\",0]\r\n[123,\"/images/vz_logo.gif\",185,40,\"0\",0]\r\n[124,\"/file/Manhattan_Banner.png \",452,90,\"1\",0]\r\n[125,\"/Images/Logo.gif\",150,47,\"0\",0]\r\n[126,\"/Images/Logo.gif\",200,50,\"0\",0]\r\n[127,\"/images/corp_logo.gif\",153,42,\"0\",0]\r\n[128,\"/images/logo.png\",171,75,\"0\",0]\r\n[129,\"/cornerartD241.jpg\",140,90,\"0\",0]\r\nSource: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nhttps://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices\r\nPage 20 of 20\n\npix13.payswithservers.com pix14.payswithservers.com  External domain External domain for 192.168.11.1 for 192.168.3.1 \nsub[i].domain254.com for 0 \u003c i \u003c 18 Not resolving  \nsub16.domain.com  Resolving to 66.96.162.92 \nsub17.domain.com  Resolving to 66.96.162.92 \nSelect ET signatures    \n2023473 || ET CURRENT_EVENTS  DNSChanger EK Secondary Landing Oct 31 2016\n2021090 || ET CURRENT_EVENTS  DNSChanger EK Landing May 12 2015\n2023466 || ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt \n2020487 || ET EXPLOIT Generic ADSL Router DNS Change GET Request \n2020488 || ET EXPLOIT Generic ADSL Router DNS Change POST Request \n2020854 || ET CURRENT_EVENTS  DRIVEBY Router DNS Changer Apr 07 2015\n2020856 || ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request\n2020857 || ET EXPLOIT Belkin Wireless G Router DNS Change POST Request\n2020858 || ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request\n2020859 || ET EXPLOIT Netgear WNDR Router DNS Change POST Request \n2020861 || ET EXPLOIT Motorola SBG900 Router DNS Change GET Request\n2020862 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 1\n2020863 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2\n2020871 || ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3\n  Page 14 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices"
	],
	"report_names": [
		"home-routers-under-attack-malvertising-windows-android-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ccfa679b0dc30f872b46c2f3b95e37b8e3d681f.pdf",
		"text": "https://archive.orkl.eu/2ccfa679b0dc30f872b46c2f3b95e37b8e3d681f.txt",
		"img": "https://archive.orkl.eu/2ccfa679b0dc30f872b46c2f3b95e37b8e3d681f.jpg"
	}
}