
Remove Jiton JavaScript Malware from Your Router

Researchers at TrendMicro have discovered and analyzed a JavaScript-based malware that takes an unusual approach to infection. The malware is reported to come obfuscated and to attack the DNS (Domain Name System) settings of the router. Researchers also report that Jiton attacks mobile devices as well. This is particularly dangerous because the malware may attack multiple devices at once, sniff their web traffic, infect them and display various browser redirects.

Name: JS_JITON
Type: JavaScript Infostealer Malware
Short Description: The malware infects a device, then downloads another malware that infects the router to which the device is connected.
Symptoms: The user may see browser redirects to third-party websites, and frequently visited websites may appear under URLs different from the original ones. The DNS address of the router may also be changed to another one.
Distribution Method: Via malicious URLs.

How Jiton JavaScript Malware Infects Its Victims

To spread across primarily home routers, this malware is reported to be delivered via a malicious URL, which causes a drive-by download of the JavaScript malware onto the device. Once a user has been affected, the malware downloads another JavaScript variant, which TrendMicro reports is specially designed to modify the DNS settings of the router. This is particularly dangerous because the cyber-criminals behind Jiton may sniff out important credentials that infected users type, such as:

  • Online banking credentials.
  • PayPal and other online financial service websites’ account names and passwords.
  • Email and other social media account names and passwords.

How Does Jiton JavaScript Malware Work

Once downloaded and activated on the infected device, the JavaScript malware may use a brute-forcing method to connect to your router. This means that it may cycle through the class C gateway IP addresses most commonly used by home routers. The other variant of this malware executes a script to identify the gateway of the infected device, which is essentially the router it is connected to. Once it has found the IP address of the router, for example 192.168.0.1, which is the most commonly used one, the malware might connect to it. Since most routers ship with a default pre-set username and password, the malware carries combinations of such credentials.


These credentials may be used in a brute force attack to log in to your router. Since most home routers are not configured with strong credentials or security, the malware is very effective at logging in successfully.

Once logged into your home router, the malware may change its DNS settings, replacing the default address with a custom one. After this modification, it may reboot the home router to save and apply the setting.


This is particularly risky when it comes to routers that are reconfigured to serve as hotspots in cafés or other public places, because the malware may spread onto a higher number of devices to steal more information. Users are strongly advised to use a mobile data connection and avoid public Wi-Fi in general. TrendMicro malware experts have also reported that Jiton malware may primarily target router models from the brands TP-Link, D-Link, and ZTE, all manufacturers whose devices are used by the masses.

Detect and Remove Jiton JavaScript Malware from Your Router

To detect whether or not this malware has changed your router, you should check the DNS settings of your device and see whether the DNS address is static and different from the one your ISP provided. Usually, most DNS addresses are set to “Automatic”, and if you have a static one, it is advisable to remove it and contact your ISP to notify them that you have been affected.
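The check described above can be scripted on a client machine. The following is an added example, not part of the original article: it parses resolv.conf-style text and flags any resolver that is neither the known gateway nor an ISP-assigned address. The ISP resolver addresses and the 203.0.113.66 entry are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: what a client might receive over DHCP from a
# router whose DNS setting was changed (203.0.113.66 is a placeholder).
SAMPLE_RESOLV_CONF = """\
# generated by DHCP client
nameserver 192.168.0.1
nameserver 203.0.113.66   # not handed out by the ISP
search home.example
"""

def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                # Drop any IPv6 zone id such as fe80::1%eth0.
                servers.append(ipaddress.ip_address(fields[1].split("%")[0]))
            except ValueError:
                pass  # malformed entry, nothing to classify
    return servers

def audit_dns(text, isp_resolvers, gateway):
    """Label each configured resolver: expected, local-stub, review, suspicious."""
    allowed = {ipaddress.ip_address(a) for a in [gateway, *isp_resolvers]}
    findings = []
    for ns in parse_nameservers(text):
        if ns in allowed:
            status = "expected"
        elif ns.is_loopback:
            status = "local-stub"   # local forwarder; check its upstream too
        elif ns.is_link_local or any(ns in net for net in RFC1918):
            status = "review"       # internal, but not the known gateway
        else:
            status = "suspicious"   # public resolver the ISP did not assign
        findings.append((str(ns), status))
    return findings

if __name__ == "__main__":
    # ISP resolver addresses below are constructed placeholders.
    for addr, status in audit_dns(SAMPLE_RESOLV_CONF,
                                  ["198.51.100.53", "198.51.100.54"],
                                  "192.168.0.1"):
        print(f"{addr:<16} {status}")
```

Many home routers hand out their own address as the DNS server and forward queries upstream, so a clean result on the client does not clear the router; the DNS fields in the router's own administration page still need to be checked.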

To remove the malware, simply factory reset your router and reconfigure it with a different IP address, user name and password to strengthen its security. Also, make sure you check for a firmware update for the router and enable any defenses on the router.

To further strengthen your network, we advise you to follow our recommended security tips and educate users to implement them and avoid further intrusions. It is also advisable to use advanced anti-malware software on all your devices, including PCs and smartphones.

For more detailed instructions on how to remove malware from your router and infected devices, check out the article below:

Remove Malware from Your Router Effectively


Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
