Dubbed GhostDNS, the own has many similarities amongst the infamous DNSChanger malware that plant past times changing DNS server settings on an infected device, allowing attackers to road the users' cyberspace traffic through malicious servers as well as pocket sensitive data.
According to a novel report from cybersecurity draw solid Qihoo 360's NetLab, only similar the regular DNSChanger campaign, GhostDNS scans for the IP addresses for routers that utilization weak or no password at all, accesses the routers' settings, as well as thence changes the router's default DNS address to the ane controlled past times the attackers.
GhostDNS System: List of Modules as well as Sub-Modules
1) DNSChanger Module: This is the principal module of GhostDNS designed to exploit targeted routers based upon collected information.
DNSChanger Module is comprised of 3 sub-modules, which the researchers dubbed, Shell DNSChanger, Js DNSChanger, as well as PyPhp DNSChanger.
a.) Shell DNSChanger—Written inward the Shell programming language, this sub-module combines 25 Shell scripts that tin brute-force the passwords on routers or firmware packages from 21 dissimilar manufacturers.
b.) Js DNSChanger—Mainly written inward JavaScript, this sub-module includes 10 assault scripts designed to infect half dozen routers or firmware packages.
"Its functional construction is mainly divided into scanners, payload generators, as well as assault programs. The Js DNSChanger plan is normally injected into phishing websites, thence it plant together amongst the Phishing Web System," the researchers say.
c.) PyPhp DNSChanger—Written inward both Python as well as PHP, this submodule contains 69 assault scripts against 47 dissimilar routers/firmware as well as has been constitute deployed on over 100 servers, most of which on Google Cloud, as well as includes functionalities similar Web API, Scanner as well as Attack module.
This sub-module is the center module of DNSChanger that allows attackers to scan the Internet to detect vulnerable routers.
2) Web Admin module: Though researchers create non accept likewise much information almost this module yet, it seems to endure an admin panel for attackers secured amongst a login page.
3) Rogue DNS module: This module is responsible for resolving targeted domain names from the attacker-controlled spider web servers, which mainly involves banking as well as cloud hosting services, along amongst a domain that belongs to a safety fellowship named Avira.
"We accept no access to the Rouge DNS server, thence nosotros can’t country for certain how many DNS names accept been hijacked, but past times querying both Alexa Top1M as well as our DNSMon’s Top1M domains against the rogue DNS server (139.60.162.188), nosotros were able to detect a sum of 52 domains beingness hijacked," NetLab researchers say.
4) Phishing Web module: When a targeted domain successfully gets resolved through the rogue DNS module, Phishing spider web module aims to server the correct simulated version for that specific website.
GhostDNS Malware Targeting Brazilian Users Primarily
Also Read: VPNFilter Router Malware Adds vii New Network Exploitation Modules
"Currently the own mainly focuses on Brazil, nosotros accept counted 100k+ infected router IP addresses (87.8% located inward Brazil), as well as 70+ router/firmware accept been involved, as well as 50+ domain names such every bit around big banks inward brazil , fifty-fifty Netflix, Citibank.br accept been hijacked to pocket the corresponding website login credentials," the researchers say.
Since the GhostDNS own is highly scaled, utilizes dissimilar assault vector as well as adopts automated assault process, it poses a existent threat to users. Therefore, users are advised to protect themselves.
How to Protect Your Home Router from Hackers
In society to avoid yourself from beingness a victim to such attacks, you lot are recommended to ensure that your router is running the latest version of the firmware as well as laid a rigid password for the router spider web portal.
You tin also consider disabling remote administration, changing its default local IP address, as well as hardcoding a trusted DNS server into your router or the operating system.
NetLab researchers also recommended the router vendors to growth the complexity of router default password as well as get upward the organisation safety update machinery for their products.
