Researchers at TrendMicro have managed to discover and research a JavaScript-based malware which has an unusual approach when it comes to infection. The malware is reported to come obfuscated and attack the DNS (Domain Name System) of the router. Not only this but, researchers also report that Jiton attacks mobile devices as well. This is particularly dangerous because the malware may attack multiple devices with once and sniff their web traffic as well as infect them and display various browser redirects.
| Name | JS_JITON |
| Type | JavaScript Infostealer Malware |
| Short Description | The malware infects a device then downloads another malware that infects the router to which the device is connected to. |
| Symptoms | The user may witness browser redirects to third-party websites and his often used websites with different than the original URLs. The DNS address of the router may be also changed to another. |
| Distribution Method | Via malicious URLs. |
| Detection Tool | Download Malware Removal Tool, to See If Your System Has Been Affected by JS_JITON |
| User Experience | Join our forum to discuss JS_JITON. |
How Jiton JavaScript Malware Infect Its Victims
To spread across primarily home routers, this malware is reported to be downloaded via the use a malicious URL, which causes drive by download of the JavaScript malware on the device. Once a user has been affected, the malware downloads another JavaScript variant, which is reported by TrendMicro to be specially designed to modify the DNS settings of the router. This is particularly dangerous because the cyber-criminals behind Jiton may sniff out important credentials that infected users type, such as:
- Online banking credentials.
- PayPal and other online financial service websites’ account names and passwords.
- Email and other social media account names and passwords.
How Does Jiton JavaScript Malware Work
Once downloaded activated on the infected device, the JavaScript malware may use a brute forcing method to connect to your router. This means that it may shuffle through all of the combination of most commonly used by home routers class C IP addresses of the gateway. The other variant of this malware is to execute a script to identify the gateway of the infected device which essentially is the router it may be connected to. Once it has found the IP address of the router, for example, 192.168.0.1 which is the most commonly used one, the malware might connect to it, and since most routers have a default pre-set username and password the malware has combinations of such credentials.
These credentials may be used in a brute force attack to login to your router. Since most home routers are not configured with strong credentials or security, the malware is very effective in logging in successfully.
Once logged into your home router, the malware may change its DNS settings changing the default address to a custom one. After this is modified, it may reboot the home router to apply and save the setting.
This is particularly risky, especially when it comes to routers that are reconfigured to serve as hotspots in café’s or other public places, because the malware may spread onto a higher number of devices to steal more information. Users are strongly advised to use the mobile connection and avoid public Wi-Fi in general. TrendMicro malware experts have also reported that Jiton malware may target primarily router models from the brands TP-Link, D-Link, and ZTE – all manufacturers whose devices are used by the masses.
Detect and Remove Jiton JavaScript Malware from Your Router
To detect whether or not you have this malware installed onto your router, you should check the DNS settings of your device and see whether or not the DNS address is static and different from the one your ISP provided. Usually, most DNS addresses are set to “Automatic” and if you have a static one, it is advisable to remove it and contact your ISP to notify them that you have been affected.
To remove the malware, simply factory reset your router and reconfigure it with different IP address and user name and password, to strengthen its security. Also, make sure you check for firmware update of the router’s software and enable any defenses on the router.
To further strengthen your network, we advise you to follow our recommended security tips and educate users to implement them and avoid further intrusions. It is also advisable to use an advanced anti-malware software for all your devices, including PC’s and smartphones.
For more detailed instructions on how to remove malware from your router and infected devices check out the below mentioned instructive article:
Remove Malware from Your Router Effectively
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
