0
Over 100,000 routers have had their DNS settings modified to redirect users to phishing pages. The redirection occurs only when users are trying to access e-banking pages for Brazilian banks.
Around 88% of these routers are located in Brazil, and the campaign has been raging since at least mid-August when security firm Radware first spotted something strange.
But according to a new report published last week by Chinese cyber-security firm Qihoo 360, the group behind these attacks have stepped up their game.
By analyzing massive amounts of collected data, Qihoo 360’s Netlab division gained a deep look into the group’s modus operandi.
CNET: We can’t stop botnet attacks alone, says US government report
According to Netlab experts, the hackers are scanning the Brazilian IP space for routers that use weak or no passwords, accessing the routers’ settings, and replacing legitimate DNS settings with the IPs of DNS servers under their control.
This change redirects all DNS queries that pass through the compromised routers to the malicious DNS servers, which respond with incorrect info for a list of 52 sites.
Most of these sites are Brazilian banks and web hosting services, and the redirection leads back to a phishing page that steals victims’ credentials for these sites.
See also: IoT hacker builds Huawei-based botnet, enslaves 18,000 devices in one day
Attackers do all this with the help of three modules, which Netlab has dubbed Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger, all based on the programming languages in which they have been coded.
The first module, Shell DNSChanger, is written in Shell and is a combination of 25 Shell scripts that can brute-force the passwords of 21 routers or firmware packages.
“This sub-module is only being used lightly, with limited deployment by the attacker,” Netlab researchers said over the weekend.
The second module, Js DNSChanger, is written in JavaScript, and is a collection of only 10 JS scripts that can brute-force the passwords of six routers or firmware packages.
This one is only deployed on already-compromised routers to scan and brute-force other routers and devices on internal networks.
The third module, PyPhp DNSChanger, is written in a combination of Python and PHP, and is the most potent of all three. Netlab says this module has been deployed on over 100 Google Cloud servers, from where the attackers are constantly scanning the Internet to identify vulnerable routers.
This module uses 69 attack scripts that can brute-force the passwords of 47 different routers and firmware packages.
TechRepublic: The 6 reasons why we’ve failed to stop botnets
Furthermore, this module also uses an exploit that can bypass the authentication procedures for some routers and alter DNS settings. This particular exploit (known as the dnscfg.cgi vulnerability) has been seen exploited in Brazil in a similar fashion in February 2015, also used to change DNS settings and redirect Brazilian bank users to phishing sites.
Netlab researchers say that they’ve managed to access this third module’s admin area, where they discovered that PyPhp DNSChanger alone had infected over 62,000 routers just by itself.
Image: Qihoo 360
In addition, this third module also seems to use what appears to be stolen Shodan API key to identify vulnerable routers it can exploit using the Shodan IoT search engine.
All in all, the operators of this botnet, which Netlab have nicknamed GhostDNS, can target over 70 different types of routers, have already infected over 100,000 routers, and are currently host phishing pages for over 70 different services (the 52 URLs found by Netlab researchers, plus another 19 phishing sites hosted on the same phishing servers, but for which GhostDNS had not redirected traffic to yet).
Netlab says it notified affected entities such as Brazilian ISPs about the ongoing campaign. A list of URLs for which GhostDNS is redirecting traffic to phishing pages, along with the list of routers GhostDNS is known to be able to infect, are available in Netlab’s report, here.
Related coverage:
Meet Torii, a new IoT botnet far more sophisticated than Mirai variantsNew Hakai IoT botnet takes aim at D-Link, Huawei, and Realtek routersMirai botnet authors avoid prison after “substantial assistance” to the FBINew Virobot malware works as ransomware, keylogger, and botnetNew XBash malware combines ransomware, coinminer, botnet, and worm features in deadly combo
Related Topics:
Internet of Things
Security TV
Data Management
CXO
Data Centers
0