192.168.0.1 – Malvertising attack on home routers

DNSChanger is malware that infected millions of computers across the world in 2012. It works by changing the DNS server entries on infected computers to point to malicious machines under the control of the attackers, rather than to the DNS servers provided by the ISP. You can change these entries yourself from the router admin page at the 192.168.1.1 address.

Therefore, every time a user attempts to open a website, the malicious DNS server responds with the address of, for example, a phishing site.

Researchers at Proofpoint have observed a new widespread malvertising campaign, in which a new type of DNSChanger malware is spread using steganography to conceal malicious code in image data.

Once it reaches your system, instead of infecting your personal computer, it takes control of your unsecured modems. Proofpoint has found that the DNSChanger exploit kit works on over 166 router types: it targets routers that run unpatched firmware or have weak admin accounts. According to the analysts, the vulnerable routers include:

  • D-Link DSL 2740R
  • NetGear WNDR3400v3
  • Netgear R6200
  • COMTREND ADSL Router CT-5367 C01_R12
  • Pirelli ADSL2/2+ Wireless Router P.DGA4001N

To make your router secure, you have to set the security protocols and key that allow users to access the router admin page. Different routers have different login addresses; 192.168.1.1 is the default address for accessing most routers.

What can be done via 192.168.1.1?

The best part about 192.168.1.1 is that it can be used as many times as you want. It is a private address, so more than one user can use it, provided they are on different networks. One device might be using the 192.168.0.1 login, and devices on other networks can use the same IP address.

Is there a mitigation? Proofpoint says:

Unfortunately, there’s no easy method to drive back these problems. Implementing the latest switch changes stays the easiest way to prevent exploits. Changing the standard local IP range, within this specific case, might also provide some protection. Neither of the solutions, though, can be a common activity performed by common people of SOHO routers. Because of this, it’s also incumbent upon modem makers to produce mechanisms for simple, user-friendly revisions to their hardware.
Moreover, while we realize that promotion can be an important component of the web publishing ecosystem, in some cases, AdBlocking browser add-ons might stop such problems when they develop through malvertising.
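
A client-side check for the DNS rewriting described above, as an added example that is not part of the original article or of Proofpoint's report: it parses resolv.conf-style text and flags resolvers outside an expected set. The sample config, the EXPECTED addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: resolv.conf after the router's DNS settings were changed.
# 203.0.113.53 is a documentation address standing in for a rogue server.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search lan
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver not-an-ip
"""

# Assumption: the resolvers you configured or your ISP assigned (placeholders).
EXPECTED = {"192.168.1.1", "198.51.100.10"}
# RFC 1918 ranges: a resolver here is the router or another LAN device.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(text):
    """Return (valid_ips, malformed_entries) from resolv.conf-style text."""
    valid, malformed = [], []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # ignore comments
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            valid.append(str(ipaddress.ip_address(parts[1])))
        except ValueError:
            malformed.append(parts[1])
    return valid, malformed


def audit_resolvers(text, expected=frozenset(EXPECTED)):
    """Classify each configured resolver against the expected set."""
    valid, malformed = parse_nameservers(text)
    ok = [ip for ip in valid if ip in expected]
    unexpected = [ip for ip in valid if ip not in expected]
    # If every resolver is a LAN address, the client only sees the router;
    # the router's own upstream DNS still has to be checked on its admin page.
    router_only = bool(valid) and all(
        any(ipaddress.ip_address(ip) in net for net in LAN_NETS) for ip in valid)
    return {"ok": ok, "unexpected": unexpected,
            "malformed": malformed, "router_only": router_only}


if __name__ == "__main__":
    # Replace the sample with open("/etc/resolv.conf").read() on a Linux host.
    print(audit_resolvers(SAMPLE_RESOLV_CONF))
```

When router_only is true the client cannot see which upstream servers the router forwards to, so the DNS fields on the router admin page are the place to confirm them.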


Miss Flik
