Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Malware Changes Router DNS Settings via Mobile Devices

Researchers have come across a piece of JavaScript malware that is capable of changing the DNS settings of home routers from mobile devices.

Researchers have come across a piece of JavaScript malware that is capable of changing the DNS settings of home routers from mobile devices.

The malware, dubbed by Trend Micro JS_JITON, has been distributed via compromised websites in Russia and various Asian countries. When these compromised sites are visited from a mobile device, JS_JITON is delivered and it downloads a threat detected as JS_JITONDNS, which is designed to change the DNS settings of the router the infected device is connected to.

According to Trend Micro, the campaign started in December 2015 and has mainly affected users in Taiwan (27%), Japan (19%), China (12%), the United States (8%) and France (4%). Infections have also been spotted in Canada, Australia, Korea, Hong Kong, the Netherlands and other countries.

An analysis of JS_JITON’s code revealed that the malware includes 1,400 combinations of common credentials that can be used to access a router’s administration interface, which can allow attackers to access the device and change its DNS settings. Experts also discovered the use of an old exploit, CVE-2014-2321, which allows remote attackers to obtain admin access to some ZTE modems.

While the malware includes code for targeting the products of several top router manufacturers, including D-Link and TP-Link, Trend Micro says most of the code has been commented out. For the time being, only the ZTE modem exploit appears to be active and it only works if the malware is executed from a mobile device.

Researchers noted that the compromised websites also serve JS_JITON when accessed from a desktop computer, but the infection chain is different.

Trend Micro noticed that the malicious scripts have been regularly updated by the malware authors — at one point they also included keylogger functionality to steal data entered on specified websites — which could indicate that the threat is still being tested.

“Cybercriminals behind this incident employ evasive mechanism to go off the radar and continue its attack without rousing any suspicion from affected users. Such tactics include regularly updating the JavaScript codes to fix errors and constantly changing targeted home routers,” Trend Micro’s Chisato Rokumiya explained in a blog post.

Related: Quanta Routers Plagued by Many Unpatched Flaws

Related: New Remaiten Malware Builds Botnet of Linux-Based Routers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).