Security researchers at NetLab, a sub-division of the Chinese cybersecurity firm Qihoo 360, have discovered a new, wide-scale, and very active malware campaign that has managed to hijack more than 100,000 home routers between Sept 21 and 27. A majority of routers (almost 88%) are located in Brazil.
The malware has been dubbed GhostDNS. Once a router is hijacked, the malware modifies its DNS settings to upload malicious web pages and steal user data such as login credentials for banking sites. The campaign shares stark similarities with an infamous malware DNSChanger, which also used to modify DNS server settings after infecting a device to let attackers route the internet traffic via infected servers to steal sensitive data.
GhostDNS scans for IP addresses for routers that are running without any password or use a very weak password. After detecting a vulnerable router, it infects it and accesses the settings to replace the default DNS address with the address controlled by the attacker(s).
See: Hackers can intercept and manipulate DNS queries, researchers warn
Researchers write that like DNSChanger, GhostDNS also tries to guess the password on the web authentication page of the router via the dnscfg.cgi exploit and then changes the default DNS address of the router with the Rogue DNS Server via the “corresponding DNS configuration interface.”
“But this campaign has more, we have found three related DNSChanger programs, which we call Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger according to their programming languages,” explained researchers from NetLab.
The modular structure of the GhostDNS comprises four components, which are described below:
1: DNSChanger Module: It is the main module designed for exploiting the targeted routers and had three sub-modules titled: Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger.
Shell DNSChanger is a combination of 25 scripts written in Shell programming language and allows the malware to conduct brute-force attacks on firmware packages or routers from 21 different vendors.
Js DNSChanger: It is written in JavaScript and comprises 10 attack scripts. The scripts are designed to infect 6 routers/firmware packages including scanners, attack programs, and payload generators, while the program is injected into phishing websites.
PyPhp DNSChanger: It is written in PHP and Python and comprises of 69 attack scripts. The scripts are designed to target around 47 different types of routers/firmware. It is deployed on more than 100 serves, a majority of which are found on Google Cloud and can perform functions like Web API, Attack module and Scanner. It is believed to be the core module of DNSChanger.
See: Most Threatening DNS Security Risks And How To Avoid Them
2) Web Admin module: This module is responsible for implementing an admin panel for attackers and is secured with a login page.
3) Rogue DNS module: It resolves the domain names targeted from the web servers controlled by the attacker. Security researchers could not access the Rogue DNS server and hence, it wasn’t possible to obtain the exact number of DNS entries for hijacking genuine domains.
4) Phishing Web module: This module is responsible for implementing phishing pages for the targeted domains.
Since this campaign is a highly scaled one and makes use of various attack vectors at the same time adopting automated attack processes, therefore, it is a real threat and users must protect themselves. It is important to ensure that the router is updated with the latest firmware version and protected with a strong password.
Moreover, it is a good idea to disable remote administration and change the default local IP address. NetLab also urges router manufacturers to increase the complexity of the default password of routers and enhance the security of their products.