Secret: router black industrial chain

The reporters' investigation found that many products from major router brands such as TP-Link, D-Link, Tenda and Netware ship with flawed firmware and weak password settings, so that hackers can easily obtain administrator privileges. Behind router hijacking, a gray industrial chain that gathers hackers, third-party platforms and advertisers has quietly formed.

Advertisement pop-ups while browsing, web pages redirected to gambling sites, QQ accounts and online-banking credentials stolen for no apparent reason... Many people do not realize that the source of these problems is the small router at home. The reporters found that TP-Link, D-Link, Tenda, Netware and other mainstream router brands all use flawed firmware and weak password settings, which makes it easy for hackers to gain administrator privileges. Behind router hijacking, a gray industrial chain that gathers hackers, third-party platforms and advertisers has quietly formed.

◆ The password was stolen: who has been inside?

User complaint: Internet use was "kidnapped"; opening Baidu popped up a pornographic website.

Technical expert: a router gets hijacked for one of two reasons: either the password is set too simple, or the router has a backdoor.

"After opening Baidu or JD, the page automatically turned into a pornographic website. Restarting the router only helped a few times. At night it was even more maddening: as long as a browser was open on the computer there were pop-ups, and only pulling the cable stopped them!" Xiaoyong complained to reporters. He had reset the router following instructions found online and reported the problem to his broadband operator, with no effect; a few days ago even his QQ account was stolen. "Online they say this is DNS hijacking, but my router is set with a long password mixing numbers and letters. How could it be stolen so easily?"

In fact, what Xiaoyong ran into is hackers exploiting vulnerabilities in the router to enter its management backend and tamper with the DNS address, so that the user's visits to normal pages are hijacked to the attackers' own servers, where online-banking credentials, QQ accounts and other important personal information are stolen.

Cosine, research director of Beijing Zhidao Chuangyu (Knownsec) Information Technology Co., Ltd., told reporters that there are two main reasons why routers get hijacked. "One is that the password for the user's router management interface is too simple; the other is that the manufacturer's router firmware contains a backdoor. Hackers can bypass the management interface's password check and go straight into the backend to tamper with the DNS address."

Because of these two vulnerabilities, users have little defense against malicious hijacking: hackers first plant malicious code on certain web pages, and when a user visits such a page, that code reaches into the router and silently tampers with the DNS address in the background. Last year the National Internet Emergency Response Center (CNCERT) issued an announcement saying that domain-name hijacking against TP-Link routers had been observed, with exactly the same attack pattern every time: a user whose TP-Link router still uses the default account and password, such as admin/admin, only has to browse a page the hackers control, and the router's domain-name resolution server address is changed by the hacker to point at an outside server.

Even a user who sets a long management password can still be attacked easily: "Because hackers can bypass the authentication process and obtain the highest management authority. Some router manufacturers even enable remote access by default and expose the router's public IP, which means the router can be controlled remotely," Cosine said.

◆ Black industry: who participates?

Advertising platform: it can target "Internet users" in any province in the country, and charges on the order of 1,000 yuan per 1,000 advertising pop-up windows.

On one side, hackers tamper with and hijack the DNS address of the user's router. On the other side, advertisers and commercial websites quietly add fuel to the fire, and together they have grown into a complete industrial chain.

On March 11 the reporter, posing as an advertiser, contacted a DNS advertising platform. The platform claimed to be free of any restriction on which websites it covers: any web page can display its advertisements, even a competitor's page. The advertisements are injected directly via DNS and will not be blocked. The total audience exceeds 80 million, daily active users exceed 15 million on average, and users in any province in the country can be targeted.

"Hijacking ads cost 45 to 50 yuan per thousand pop-up windows, meaning 1,000 users opening websites such as Baidu and JD. The pop-ups come from the ads or web pages you provide. This kind of business has been done a lot before; a while ago, to push some of their products, large websites also bought these hijacking pop-up ads to boost traffic," said the company's director, surnamed Dong. Many commercial websites are their major customers; as long as the website has ICP registration, such hijacking ads can be placed. "Displaying the CPM (cost per thousand) a few thousand times a day is no problem."

This type of hijacked advertisement can even display targeted advertisements based on the content of the page the user is viewing. "For example, if a patient searches Baidu for keywords such as a hospital, the search results page can directly pop up the designated hospital's advertisement, linking to the hospital's homepage," said the person in charge.

By the reporter's rough estimate, based on the daily average of 15 million active users and the price of 50 yuan per 1,000 advertising pop-ups, the average daily income under peak conditions is about 15,000×50 = 75 million. Driven by these advertising profits, router hijacking has formed a complete industrial chain from hackers to delivery platforms to advertisers.

"According to the Security Alliance's monitoring data, at the peak there were more than 10,000 websites in which hackers had implanted DNS-hijacking malicious code, and nearly 5 million users were affected. At the same time, with the profits of advertising and phishing websites behind it, router hijacking has become increasingly rampant in recent years," said Cosine.

◆ Backend defects: intentional?

Technical experts: manufacturers leave their own programs behind for future testing and debugging needs, but the administrative privileges they grant are easily hijacked by hackers.

In February of this year, a vulnerability report issued by the National Internet Emergency Response Center (CNCERT) stated that various router products from major network equipment manufacturers such as Cisco, Linksys, Netgear, Tenda and D-Link contain preset backdoor vulnerabilities, including remote command execution and unauthorized user privileges, which allow hackers to gain remote control of the router and carry out DNS hijacking and information theft.

"Last year there were many vulnerabilities in the TP-Link gateways used by home users. The DNS address was tampered with, and when a normal web page was opened, certain fixed pages would be visited or popped up," the technical head of a provincial operator told the reporter. After discovering the situation, they redirected the hijacked users' traffic on the backbone network to a security page that warned them, and intercepted the phishing websites in the background.

In his view, users who fail to change the router's initial password in time certainly bear responsibility, but the router manufacturer also bears an inescapable responsibility: "The vendor should assign a random password to the router when it leaves the factory, instead of simply setting a weak password such as 12345."
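To make the hijack described above concrete from the defender's side, here is an added example (not code from the article or from any router vendor) that audits a router for the warning signs this article names: DNS pointed at an unexpected resolver, remote management left on, factory credentials still in use, and the router's DNS answers disagreeing with a trusted resolver's. The config format, the resolver allowlist and every address are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed router config export (not a real vendor format); all values are made up.
SAMPLE_CONFIG = """\
wan_dns1=203.0.113.66
wan_dns2=114.114.114.114
remote_mgmt=1
admin_user=admin
admin_pass=admin
"""
# Assumed allowlist: a hypothetical ISP resolver range plus a public resolver the owner chose.
TRUSTED_NETS = [ip_network("198.51.100.0/24"), ip_network("114.114.114.114/32")]
# Factory defaults the article cites (admin/admin, 12345); extend for your own model.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "12345"), ("admin", "")}
# Constructed A records: what the router's DNS hands out vs. what a trusted resolver says.
ROUTER_ANSWERS = {"www.baidu.com": "203.0.113.9", "www.jd.com": "203.0.113.9",
                  "example.net": "192.0.2.80"}
TRUSTED_ANSWERS = {"www.baidu.com": "192.0.2.10", "www.jd.com": "192.0.2.20",
                   "example.net": "192.0.2.80"}

def parse_config(text):
    """Parse key=value lines; anything else is ignored."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*=\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def untrusted_resolvers(cfg):
    """DNS servers in the config that fall outside the allowlist."""
    found = [cfg.get(k) for k in ("wan_dns1", "wan_dns2") if cfg.get(k)]
    return [a for a in found if not any(ip_address(a) in n for n in TRUSTED_NETS)]

def hijacked_domains(router, trusted):
    """Domains whose router answer differs from the trusted one; popular sites collapsing onto one IP is the classic sign."""
    return sorted(d for d in trusted if router.get(d) != trusted[d])

def audit(cfg, router_answers, trusted_answers):
    findings = [f"untrusted DNS resolver {a}" for a in untrusted_resolvers(cfg)]
    if cfg.get("remote_mgmt") == "1":
        findings.append("remote (WAN) management is enabled")
    if (cfg.get("admin_user"), cfg.get("admin_pass")) in DEFAULT_CREDS:
        findings.append("admin account still uses a factory default password")
    hijacked = hijacked_domains(router_answers, trusted_answers)
    if hijacked:
        findings.append("DNS answers differ for: " + ", ".join(hijacked))
    return findings

if __name__ == "__main__":
    print(audit(parse_config(SAMPLE_CONFIG), ROUTER_ANSWERS, TRUSTED_ANSWERS))
```

On a real device the trusted answers would come from querying a resolver you control over a connection the router does not mediate (for example a mobile network), since a hijacked router will also lie to any check that goes through it.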

But what is more worrying is the product itself. Wang Chuyun, founder of Pole Routing, told reporters that the current mainstream products of router manufacturers all carry a super-administrator privilege, and that this is exactly what hackers use to hijack routers whose security protections are weak.

"Many traditional manufacturers generally reserve this privilege during product development for future testing and debugging needs. But just as with the Android system, once hackers use a vulnerability to obtain this administrator privilege, all the protective measures are just for show."

D-Link, a well-known manufacturer, left just such a serious backdoor in several of its mainstream router products. "The vulnerability we detected was that with the key string roodkcableo28840ybtide, one could log in remotely and easily gain access to most D-Link routers." Cosine told reporters that D-Link's firmware is supplied by its US subsidiary AlphaNetworks, whose R&D technical director is named Joel, and that this string corresponds to "edit by 04482 joel backdoor", that is, the backdoor edited by Joel.

"The backdoor program this manufacturer left behind is actually named after its R&D staff. It is far too obvious, and it is entirely possible that the manufacturer did it deliberately."

Data from ZoomEye shows that about 63,000 D-Link devices with this defect are in use worldwide, spread across China, the United States, Canada and Brazil. In China, about 100,000 TP-Link routers have backdoor defects, affecting millions of users.
