BSNL broadband users have been seeing a malicious pop-up upon clicking anywhere on a page that is served over plain HTTP (an "unsecured" page). A popular example of such a site is www.bsnl.co.in itself. Secured sites have URLs of the form https://; unsecured sites have URLs of the form http://. Can you see the missing s?! That s matters: a plain-HTTP page is neither encrypted nor authenticated, so any device on the path between your browser and the server (your ISP's network included) can rewrite the page in transit, which HTTPS prevents. The pop-up redirects the browser to malicious sites that, in turn, may do unwanted things in your browser and on your computer. I first came across this issue in the last week of June 2018 and immediately started digging into it.

Cleaning up the computer

I always use original software and have never used pirated software or a pirated OS. I've bought Windows XP, Windows 8.1 (which had a free upgrade to Windows 10) and Office 97. Currently, I use a Mac, though. Everything is updated to the latest version, including the OS and browsers.

My first assumption was that my Mac may have been affected by a virus. I don't visit unwanted sites (intentionally). I don't watch porn sites, either. Anyhow, I tried EtreCheck (the free version is limited in functionality) to find the culprit, but it didn't find anything concrete. So, I went on and tried another popular free scanner from the App Store, named Bitdefender. After a few hours, it hadn't found anything, either.

Spending money to fight a virus!

I had an old Belkin router bought approximately 8 years ago. I thought it could have been affected, as it hadn't had an update since its launch. So, I bought a new router-cum-modem from Netgear, which seems to offer more frequent firmware updates than some popular Chinese brands. The router reached home in a couple of days (thanks to Amazon Prime membership). I switched the routers. The malware hasn't gone yet!!!

Getting mad at DNS

I searched the internet for possible solutions. Most of them recommended switching the DNS. I run my own DNS server using pi-hole.net; it blocks most advertisers, including Google ads. I tried switching to it. It didn't help. I tried Quad9, Cloudflare and, of course, the most popular one, Google Public DNS. None of them helped.

Going Public

I felt ashamed that I deal with multiple critical servers around the world, yet I could not find any particular pattern in this malware. But, finally, I decided to forgo my ego and started asking for help. Initially, I asked a friend, who confirmed that I am not alone, but his issue was resolved after resetting the modem!!! Then, I created a thread on broadbandforum.co where I put forth the aforementioned thoughts. Help started to pour in and I was able to get an idea of where the issue is.

Understanding the problem

The problem is somewhere in the BSNL broadband hub. It affects all users, at random, at different times of the day. The pop-up doesn't fire on every unsecured page, but the malicious JavaScript is inserted into every unsecured (plain-HTTP) page regardless; pages served over HTTPS are untouched, because the hub cannot modify what it cannot read. This also explains why changing the DNS resolver made no difference: the injection happens to the page itself, in transit, not through name resolution. Plenty of people have gone further on this and put forth their disappointment on social media. Some even cancelled their connection just because of this malware.
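One way to confirm in-transit injection for yourself is to compare a reference copy of a page (the same URL fetched over HTTPS, or from a connection known to be clean) with the HTML you actually receive over plain HTTP, and list the script tags that exist only in the latter. The following is an added example written for this post, not code from the original author; the two HTML documents are constructed inline, and the `example.net` / `example.org` hostnames are reserved placeholder names, not the real domains seen on BSNL.

```python
"""Spot <script> elements that an on-path party added to a plain-HTTP page.

Added example (not from the original post). REFERENCE stands in for a clean
copy of a page; OBSERVED is a constructed copy of the same page with an
external script and an inline click handler appended in transit.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and a hash of every inline script body."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values, in document order
        self.inline = []        # sha256 of each inline script body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.inline.append(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def script_references(html):
    """Return (external_srcs, inline_hashes) for one HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def injected_scripts(reference_html, observed_html):
    """Scripts present in the observed page but absent from the reference copy.

    Hashing the inline bodies means a modified inline script is also reported,
    not just a newly added one.
    """
    ref_ext, ref_inl = script_references(reference_html)
    obs_ext, obs_inl = script_references(observed_html)
    extra_ext = [s for s in obs_ext if s not in ref_ext]
    extra_inl = [h for h in obs_inl if h not in ref_inl]
    return extra_ext, extra_inl


def script_hosts(srcs):
    """Hostnames of absolute script URLs: the names a DNS sinkhole can block.

    Relative srcs (same origin as the page) have no hostname and are skipped.
    """
    hosts = set()
    for s in srcs:
        if s.startswith("//"):          # protocol-relative URL
            s = "http:" + s
        host = urlsplit(s).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


# Constructed sample input (placeholder domains, not real ones).
REFERENCE = """<html><head><title>BSNL</title>
<script src="/static/site.js"></script></head>
<body><p>Welcome</p></body></html>"""

OBSERVED = REFERENCE.replace(
    "</body>",
    '<script src="//ads.example.net/inject.js"></script>'
    '<script>document.addEventListener("click", function () {'
    'window.open("http://pop.example.org/");});</script>'
    "</body>",
)

if __name__ == "__main__":
    extra_ext, extra_inl = injected_scripts(REFERENCE, OBSERVED)
    print("injected external scripts:", extra_ext)
    print("injected inline scripts  :", len(extra_inl))
    print("hosts to sinkhole        :", script_hosts(extra_ext))
```

Because the injection is intermittent, run the comparison several times over the day; a script that shows up in some HTTP fetches and never in the HTTPS copy is the one to block.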

Pi-hole.net to the rescue

There is a saying in the security world: if we know the username, half of the work towards getting the password (of an application, etc.) is done. Likewise, understanding the issue helps us circumvent it. Since the malware is injected at a BSNL hub where we have no control, we have to find a way to fight it with the tools we do have. The injected script is only the first stage: to do its damage it has to load further code, and the pop-up has to land, on domains the attacker controls, and resolving those domain names is something our own side of the connection does control.

For me, it was pi-hole.net that helped me: I blacklisted those malicious domains into a black hole! So, when my wife visits an unsecured site and clicks, the pop-up does happen. But it never completes; it simply shows a "domain is not hosted here" message. The message could easily be customised to something else, though!
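Turning the hostnames of the injected scripts into a blocklist, and then checking that the resolver really sinkholes them, looks like this. This is an added example, not the original author's setup: the hostnames are constructed placeholders, the hosts-format output is one of the list formats Pi-hole accepts as an adlist, and the `resolve` parameter is injectable so the check can be exercised offline against a fake resolver. A blocked name is treated as sinkholed when the answer is 0.0.0.0 or :: (Pi-hole's default null-address blocking), when it is the Pi-hole's own address (the older mode that serves a block page like the one the post describes), or when there is no answer at all.

```python
"""Build a Pi-hole blocklist from injected-script hostnames and verify blocking.

Added example (not from the original post). Hostnames are placeholders.
"""
import re
import socket

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Reject junk (spaces, leading hyphens, bare labels) before it lands in a list."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def hosts_blocklist(hostnames, comment="injected-script hosts"):
    """Render a deduplicated hosts-format blocklist ('0.0.0.0 host' per line)."""
    names = sorted({h.strip().lower().rstrip(".") for h in hostnames if valid_hostname(h)})
    lines = [f"# {comment}"] + [f"0.0.0.0 {h}" for h in names]
    return "\n".join(lines) + "\n"


SINKHOLE_ANSWERS = {"0.0.0.0", "::"}


def is_sinkholed(answer, pihole_ip=None):
    """True if a resolver answer means the client will not reach the real host.

    pihole_ip is an assumption for the older Pi-hole mode that answers with its
    own address and serves a block page instead of the real site.
    """
    return answer in SINKHOLE_ANSWERS or (pihole_ip is not None and answer == pihole_ip)


def check_blocked(hostnames, resolve=socket.gethostbyname, pihole_ip=None):
    """Map each hostname to True (blocked) or False (resolves to a real address).

    `resolve` is any callable name -> IPv4 string that raises OSError on
    NXDOMAIN; the default is the system resolver, so run this on a client that
    points at the Pi-hole.
    """
    report = {}
    for h in hostnames:
        try:
            answer = resolve(h)
        except OSError:
            answer = None   # no answer at all: the script cannot load either
        report[h] = answer is None or is_sinkholed(answer, pihole_ip)
    return report


# Constructed sample input: hostnames an injection scan might have produced.
INJECTED_HOSTS = ["ads.example.net", "POP.example.org.", "ads.example.net", "-bogus.example"]

if __name__ == "__main__":
    print(hosts_blocklist(INJECTED_HOSTS), end="")
    # Live check against whatever resolver this machine uses.
    print(check_blocked(["ads.example.net", "pop.example.org"]))
```

Save the rendered list where Pi-hole can fetch it and add its URL as an adlist, then run `pihole -g` to pull it in; a single domain can also be added directly with `pihole -b host`. Until the resolver answers those names with a sinkhole address, the pop-up will still complete.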

PSA (Public Service Announcement)

Since I always like to give back to the community (which helped me understand the issue), my pi-hole.net DNS is open to anyone on the BSNL broadband network. Unfortunately, it isn't available to other users yet. It takes a lot of effort, time and money to maintain a DNS server of one's own. So, sorry to the others.

So, here we go. My DNS server IP is… 45.76.184.155.

Put it as your DNS resolver and let me know if it really helped you to have safe browsing. Apart from blocking those malicious domains, it also blocks a number of advertisers (including Google ads), so you can stop using your favourite ad-blocker if you use pi-hole.net DNS. Keep in mind that it blocks by domain name only: a script or ad served from the same hostname as the page itself will still load, and a DNS block does not remove the injected code from the page, it only stops that code from fetching what it needs.

Only last month, I wrote a detailed post on how my pi-hole.net setup works. If you'd like to know the technical details behind it, I highly recommend giving it a read.

If you have any questions, please do not hesitate to write in the comments below!