Chinese cybersecurity researchers have uncovered a malware campaign that has already hijacked over 100,000 home routers and modified their DNS settings to trick users with malicious web pages, mostly if they visit banking sites, and steal their login credentials.
Named GhostDNS, the whole campaign has many similarities with the infamous DNSChanger malware that works by changing DNS server settings on an infected device, when attacker can easily route the users’ traffic through malicious servers and steal data.
According to a latest report from cybersecurity company Qihoo 360’s NetLab, similar to the regular DNSChanger campaign, GhostDNS scans for the addresses of routers that use weak or no password at all, accesses their settings, and then changes the router’s default DNS address to the one controlled by the attackers.
GhostDNS system mainly includes four modules as described by TheHackerNews in their post:
1) DNSChanger Module: This is the main module of GhostDNS designed to exploit targeted routers based upon collected information.
DNSChanger Module is comprised of three sub-modules, which the researchers dubbed, Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger.
a.) Shell DNSChanger—Written in the Shell programming language, this sub-module combines 25 Shell scripts that can brute-force the passwords on routers or firmware packages from 21 different manufacturers.
“Its functional structure is mainly divided into scanners, payload generators, and attack programs. The Js DNSChanger program is usually injected into phishing websites, so it works together with the Phishing Web System,” the researchers say.
c.) PyPhp DNSChanger—Written in both Python and PHP, this submodule contains 69 attack scripts against 47 different routers/firmware and has been found deployed on over 100 servers, most of which on Google Cloud, and includes functionalities like Web API, Scanner and Attack module.
This sub-module is the core module of DNSChanger that allows attackers to scan the Internet to find vulnerable routers.
2) Web Admin module: Though researchers do not have too much information about this module yet, it seems to be an admin panel for attackers secured with a login page.
3) Rogue DNS module: This module is responsible for resolving targeted domain names from the attacker-controlled web servers, which mainly involves banking and cloud hosting services, along with a domain that belongs to a security company named Avira.
4) Phishing Web module: When a targeted domain successfully gets resolved through the rogue DNS module, Phishing web module aims to server the right fake version for that specific website.
According to the experts, between September 21 and 27, this malware campaign successfully compromised more than 100,000 routers, of which almost 90% of them are located in Brazil. this means that Brazil is the primary target for GhostDNS attackers.
In order to avoid yourself from being a victim of this and similar attacks, you should update your router to it’s latest version of the firmware and set a strong password for the router configuration login page.
