Exposing the black industry chain behind the router: vendors left backdoor programs in place

Source: Internet
Author: User
Keywords: routers, backdoor, TP-Link, D-Link
[Guide] Pop-up ads appear as soon as you go online, web pages redirect to gambling sites, QQ accounts and online banking credentials are stolen... Many people do not realise that the source of these ills is the small router at home. A reporter's investigation found that a variety of products from mainstream router brands such as TP-Link, D-Link, Tenda and Netgear have firmware flaws and weak password settings that let hackers easily obtain administrator privileges. Behind router hijacking, a grey industry chain of hackers, third-party platforms and advertisers has quietly formed.

Whose fault is the stolen password?
User complaint: Internet use was "kidnapped"; opening Baidu brought up pornographic sites. Technical experts: routers are hijacked for two reasons, passwords that are set too simply and backdoors left in the router.

"As soon as I open Baidu or Jingdong it automatically turns into a pornographic site, and restarting the router several times does nothing. It is even more rampant at night; as long as a computer has a browser window open, ads appear, and in the end the only option is to unplug the network cable!" The user Xiao Yong complained to the reporter that he had reset the router following methods found online and reported it to his broadband operator, all with no effect; a few days ago even his QQ account was stolen. "Online they say it is DNS hijacking, but my router is set with a long mixed number-and-letter password, how could it be stolen so easily?"
"In fact, what Xiao Yong ran into is hackers exploiting a router vulnerability to get into the management backend and tamper with the DNS address, so that a user visiting a normal page is hijacked to the attackers' own servers, which steal online banking, QQ and other important personal information," Cosine, research director of Knownsec (Beijing Zhidao Chuangyu Information Technology Co., Ltd.), told the reporter. There are currently two main reasons routers are hijacked: "one is that the password of the user's router management interface is too simple; the other is that the manufacturer's router firmware contains a backdoor, so hackers can bypass the management interface's password check and intrude directly into the backend to tamper with the DNS address." Because of these two vulnerabilities, the malicious hijacking users face is hard to guard against: "Hackers place malicious code in some web pages in advance; when a user visits such a page, that code has already invaded the router and quietly tampered with the DNS address in the background." Last year the National Internet Emergency Center issued a bulletin about domain-name hijacking aimed at TP-Link routers, and the attack is the same: for users of TP-Link routers with a default account/password such as admin/admin, as long as they open a web page controlled by a hacker, the IP address of the router's domain-name resolution server is tampered with by the hacker and pointed at an outside server. Even a user with a long management password can easily be breached: "because hackers bypass the verification step and obtain the highest administrative privilege. Some router manufacturers even enable remote access in the default settings, exposing the router's public IP, which means the router can be controlled remotely," Cosine said.

Who is involved in the black industry?
Advertising platform: Internet users in any province of the country can be "kidnapped" on demand; 1,000 pop-up ads cost 50 yuan.
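The two causes named above (a default or weak management password, and DNS resolvers silently rewritten behind the owner's back) and the remote-management exposure mentioned at the end are all visible in a router's own settings. The following added example, which is not code from the article or from any router vendor, audits a settings snapshot for exactly those conditions; the snapshot layout, field names, trusted networks and addresses are constructed for illustration.

```python
"""Audit a home-router settings snapshot for the weaknesses the article
describes: default or weak admin credentials, remote management exposed on
the WAN side, and DNS resolvers changed to an unexpected address.
Added example, not code from the article or from any router vendor; the
snapshot layout, field names and addresses are constructed."""
import ipaddress

# Default pairs named in the article (admin/admin, the password 12345); the
# remaining entries are assumed additions of the kind an audit list carries.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "12345"),
    ("admin", ""),
    ("admin", "password"),
}
MIN_PASSWORD_LENGTH = 12  # assumed policy threshold


def is_trusted_dns(server, trusted_networks):
    """True if the resolver address lies inside one of the allowed networks
    (normally the ISP's resolvers or a resolver the owner chose)."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not even a valid address: treat as untrusted
    return any(addr in net for net in trusted_networks)


def audit_router(snapshot, baseline, trusted_networks):
    """Return a list of finding codes for one settings snapshot.

    snapshot/baseline: dicts with keys admin_user, admin_password,
    remote_management (bool) and dns_servers (list of strings).
    trusted_networks: iterable of network strings the DNS servers may use.
    """
    findings = []
    creds = (snapshot["admin_user"], snapshot["admin_password"])
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    elif len(snapshot["admin_password"]) < MIN_PASSWORD_LENGTH:
        findings.append("short-password")
    if snapshot["remote_management"]:
        findings.append("remote-management-enabled")
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for server in snapshot["dns_servers"]:
        if not is_trusted_dns(server, nets):
            findings.append(f"untrusted-dns:{server}")
    # Any change relative to the last known-good snapshot is the signature of
    # the silent tampering the article describes, even if the new address
    # happened to look plausible.
    if snapshot["dns_servers"] != baseline["dns_servers"]:
        findings.append("dns-changed-since-baseline")
    return findings


# Constructed snapshots. 192.0.2.0/24 stands in for the ISP's resolvers and
# 203.0.113.5 for a hijacker's server (both are documentation ranges).
TRUSTED_DNS_NETWORKS = ["192.0.2.0/24"]
BASELINE = {
    "admin_user": "admin",
    "admin_password": "x7Q!mZ3#pL9wT2",
    "remote_management": False,
    "dns_servers": ["192.0.2.53", "192.0.2.54"],
}
HIJACKED = dict(BASELINE, dns_servers=["203.0.113.5", "192.0.2.54"], remote_management=True)
FACTORY = dict(BASELINE, admin_password="12345")

if __name__ == "__main__":
    for name, snap in [("baseline", BASELINE), ("hijacked", HIJACKED), ("factory", FACTORY)]:
        print(name, audit_router(snap, BASELINE, TRUSTED_DNS_NETWORKS) or ["ok"])
```

The baseline comparison is the check worth keeping even after the allowlist is tuned: the hijack described in the article changes only the resolver address, and a resolver that merely looks ordinary still fails the "changed since the last known-good snapshot" test.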
On one side, hackers wantonly tamper with and hijack the DNS address of users' routers; on the other, advertisers and commercial websites secretly add fuel to the fire, and a complete industrial chain has formed. On March 11 the reporter, posing as an advertiser, contacted a DNS advertising platform, which claimed it was not restricted to particular websites or pages: ads can be displayed on any page, even competitors' pages. Ads are pushed directly through DNS and will not be blocked; the total audience exceeds 80 million, daily active users exceed 15 million, and ads can be targeted at users in any province of the country. "Hijacked pop-up ads cost 45 to 50 yuan per 1,000 windows; that is, when 1,000 users open Baidu, Jingdong or other sites, the ad or web page you supply pops up. We have done a lot of this business before; two big websites recently promoting one of their products also bought this kind of hijacked pop-up from us to boost traffic." The platform's manager said many commercial sites are their big customers, and as long as a site has an ICP filing it can place these hijacked ads: "thousands of CPM (cost per thousand impressions) a day is no problem at all." The hijacked ads can even display related ads based on the content the user is browsing: "for instance, when a patient searches Baidu for keywords such as a disease or hospital, a designated hospital's ad can pop up directly on the results page, linked to its home page," the manager said. By the reporter's rough estimate, based on 15 million daily active users' worth of impressions and a price of 50 yuan per 1,000 pop-ups, average daily income at peak would be 15,000 × 50 = 750,000 yuan. With these advertising profits, router hijacking has formed a complete industrial chain from hacker to placement platform to advertiser.
"According to Security Alliance monitoring data, at peak more than 10,000 websites had DNS-hijacking malicious code implanted by hackers, affecting nearly 5 million users. With the profits from advertising and phishing sites behind it, router hijacking has become more and more rampant in recent years," Cosine said.

Backend flaw, or deliberate?
Technical experts: manufacturers leave backdoor programs for later testing and debugging, but that administrative privilege is easily hijacked by hackers.

This February the National Internet Emergency Center (CNCERT) released a recent vulnerability report: a variety of router products from mainstream network equipment manufacturers such as Cisco, Linksys, Netgear, Tenda and D-Link have preset backdoor vulnerabilities such as remote command execution and super-user privileges, and hackers can take remote control of the router and then launch DNS hijacking, information theft and other attacks. "Last year a great many home users had their DNS addresses tampered with through TP-Link gateway vulnerabilities; opening a normal web page would be redirected to, or pop up, certain fixed pages," a technical manager at a provincial operator told the reporter. When they found the situation, they redirected the hijacked users' traffic on the backbone network to a security page with a warning, and intercepted the phishing sites in the background. In his view, users who failed to change the router's initial password in time bear responsibility, but router manufacturers also have a responsibility they cannot shirk: "Manufacturers should assign the router a random password when the product leaves the factory, rather than simply setting a weak password like 12345." But what is more worrying is the product itself.
Wang Zhuyun, founder of Polar Route (极路由), told the reporter that current mainstream products from router manufacturers all leave a super-management privilege behind weak security measures, which is precisely what gives hackers the most convenient way to hijack routers. "Many traditional manufacturers, during product development, generally reserve this privilege for future testing and debugging needs. But this is similar to the Android system: once hackers take advantage of this administrator access, all protective measures are useless." The well-known manufacturer D-Link left such a serious backdoor in a variety of its mainstream router products. "The flaw we detected is that with the key string roodkcableoj28840ybtide you can easily log in remotely to most D-Link routers," Cosine told the reporter. D-Link's firmware was provided by its US subsidiary Alpha Networks, whose research and development director was named Joel, and the string reversed reads exactly "edit by 04882 joel backdoor". "This backdoor program left by the factory was actually set according to the name of the developer, which is too obvious; it is entirely possible the manufacturer did it intentionally." Data from ZoomEye show about 63,000 users of D-Link devices with this defect worldwide, spread across China, the United States, Canada, Brazil and other regions. In China, about 100,000 TP-Link routers have a backdoor defect, with millions of users affected.
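A backdoor that bypasses the login check leaves no failed-login trail, so the defender's signal is the key string itself appearing in a request, and administration requests arriving from outside the LAN. The following added example, which is not code from the article or from D-Link, scans constructed web-management access-log records for both; the log format, paths and addresses are assumptions, and the indicator is the string quoted in the article, matched case-insensitively wherever it appears in a record (the article calls it a login key without saying which field carries it).

```python
"""Scan constructed web-management access-log records for the backdoor key
string quoted in the article and for administration requests that did not
come from the router's own LAN. Added example, not code from the article or
from D-Link; the log layout, paths and addresses are constructed."""
import ipaddress
import re

# The key string quoted in the article; reversing it exposes the phrase.
BACKDOOR_INDICATOR = "roodkcableoj28840ybtide"

# The LAN segment from which administration is expected (assumed).
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")

# Constructed record layout: <src_ip> <method> <path> <status> "<user_agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def reveal(indicator):
    """Reverse the string to show the phrase the article says it hides."""
    return indicator[::-1]


def parse_record(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    src, method, path, status, ua = m.groups()
    return {"src": src, "method": method, "path": path, "status": int(status), "ua": ua}


def classify(record):
    """Return alert labels for one parsed record (empty list = nothing notable)."""
    alerts = []
    # Match the indicator in the path or the agent string, ignoring case.
    haystack = " ".join([record["path"], record["ua"]]).lower()
    if BACKDOOR_INDICATOR in haystack:
        alerts.append("backdoor-indicator")
    try:
        src = ipaddress.ip_address(record["src"])
        if src not in LAN_NETWORK:  # admin interface reached from outside the LAN
            alerts.append("admin-from-wan")
    except ValueError:
        alerts.append("unparseable-source")
    return alerts


def scan(lines):
    """Return (line_number, alerts) for every record that raises an alert."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        if rec is None:
            continue
        alerts = classify(rec)
        if alerts:
            hits.append((n, alerts))
    return hits


# Constructed sample log: a normal LAN login, an outside request carrying the
# indicator (203.0.113.0/24 is a documentation range standing in for a WAN
# address), and a LAN request whose agent string carries it in mixed case.
SAMPLE_LOG = [
    '192.168.1.20 GET /login.htm 200 "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.77 GET /admin/settings 200 "Roodkcableoj28840ybtide"',
    '192.168.1.33 POST /admin/dns 200 "curl/7.68.0 ROODKCABLEOJ28840YBTIDE"',
]

if __name__ == "__main__":
    print("reversed indicator:", reveal(BACKDOOR_INDICATOR))
    for n, alerts in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(alerts)}")
```

The "admin-from-wan" label is the more general of the two checks: it catches the remote-access exposure described earlier in the article whether or not a known key string is involved, which is why the LAN segment is treated as the only legitimate source of administration requests.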