GhostDNS Botnet hijacked over 100,000 home routers in Brazil


Security researchers have uncovered a new malware campaign, GhostDNS, which has compromised over 100,000 home routers and changed their DNS settings. This widespread DNS-hijacking campaign redirects victims to phishing copies of web pages in order to steal their login credentials.

The newly discovered GhostDNS malware appears to be related to its notorious predecessor, DNSChanger, which turned an inconspicuous home router into a useful tool for attackers. That malware tampered with the router and its DNS settings; once that succeeded, it redirected users to malicious copies of legitimate banking and other websites, allowing the criminals to harvest account credentials, PINs and passwords.


Both router hijackers rely on the same operating principle: altering the router's DNS server settings so that every device behind it silently uses a resolver controlled by the attacker.

According to a report by the cybersecurity firm Qihoo 360 Netlab, GhostDNS is scaling up its credential-harvesting efforts with a whole new set of scanners.

In this campaign, the attackers take over vulnerable routers either by guessing the web admin password or by bypassing authentication through a vulnerable DNS configuration CGI script. The GhostDNS botnet scans IP ranges for routers, gains unauthorized access to the router settings and replaces the configured DNS servers with ones controlled by the attackers.

The GhostDNS system uses four modules to carry out the attack:

1. DNSChanger Module: the main component of the system, designed to attack the targeted home routers and, through the changed DNS settings, collect sensitive information from their users.

The DNSChanger module is further divided into three sub-modules: Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger.

1.1. Shell DNSChanger is written in shell script and consists of 25 scripts that brute-force the passwords of 21 different routers or firmware packages.

1.2. Js DNSChanger is written in JavaScript and contains around 10 attack scripts, designed to compromise 6 routers or firmware packages from different manufacturers.

Functionally, Js DNSChanger consists of payload generators and attack programs. It is injected into phishing websites and works together with the Phishing Web module, so the attack on the router runs from the visitor's own browser.

1.3. PyPhp DNSChanger is written in Python and PHP and contains 69 attack scripts targeting 47 different home routers or firmware packages. It has been found deployed on around 100 servers and includes a Web API, a scanner and an attack module.

PyPhp DNSChanger is the core of DNSChanger: it lets the attackers scan the internet for vulnerable routers.


Flowchart – GhostDNS

2. Web Admin Module: less is known about the purpose of this module; according to the researchers, it serves as an admin panel for the attackers, protected by a login page.

3. Rogue DNS Module: this module resolves the targeted domains to attacker-controlled web servers. The exact number of DNS entries used to hijack legitimate domains is still unknown, as the researchers had no access to the Rogue DNS module at the time of the investigation.

4. Phishing Web Module: once a targeted domain resolves to the attackers' server, the Phishing Web module serves an exact copy of the corresponding legitimate website.
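The rogue DNS module only overrides the domains the attackers care about and answers everything else honestly, which is why a hijacked router goes unnoticed. The following Python is an added example, not code from the Netlab 360 report or from GhostDNS itself: it models that selective override and shows the two client-side checks a user or analyst can run against a suspect router, namely comparing the router-supplied resolver's answers with a resolver they trust, and checking which nameservers the router is actually handing out. All domains, addresses and resolver tables are constructed for illustration (RFC 5737 documentation ranges); the "trusted" allowlist address 9.9.9.9 is just an assumed owner-chosen resolver.

```python
"""
Added example (not part of the Netlab 360 report or the GhostDNS code): a
small model of the rogue DNS module's selective override and the client-side
audit that exposes it. All domains, addresses and resolver tables below are
constructed for illustration.
"""
import re
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]

# Constructed answers a trusted resolver would give (RFC 5737 ranges).
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
    "streaming.example": {"198.51.100.20"},
    "news.example": {"192.0.2.30"},
}

# Constructed attacker infrastructure: the phishing host and the domains the
# rogue resolver overrides. Everything else is answered honestly so the
# victim sees nothing unusual.
PHISHING_IP = "198.51.100.250"
TARGETED_DOMAINS: Set[str] = {"bank.example", "streaming.example"}


def trusted_resolver(domain: str) -> Set[str]:
    """Stand-in for a query to a resolver the user chose (no network needed)."""
    return set(TRUSTED_ANSWERS.get(domain, set()))


def rogue_resolver(domain: str) -> Set[str]:
    """Stand-in for the router-supplied resolver after a GhostDNS-style hijack:
    selective override for targeted domains, pass-through for the rest."""
    if domain in TARGETED_DOMAINS:
        return {PHISHING_IP}
    return trusted_resolver(domain)


def audit_resolution(domains: List[str], local: Resolver, trusted: Resolver) -> Dict[str, Set[str]]:
    """Return {domain: addresses} for every domain where the local (router-
    supplied) resolver returns an address the trusted resolver never does.

    Caveat: CDNs and geo-DNS can legitimately answer differently, so treat a
    hit as a lead to confirm (for example, does the TLS certificate served at
    that address actually belong to the domain?) rather than proof on its own.
    """
    findings: Dict[str, Set[str]] = {}
    for domain in domains:
        unexpected = local(domain) - trusted(domain)
        if unexpected:
            findings[domain] = unexpected
    return findings


_NAMESERVER = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Extract resolver addresses from resolv.conf-style text, i.e. the
    DHCP-assigned servers a client received from the router."""
    return _NAMESERVER.findall(resolv_conf)


def unexpected_nameservers(configured: List[str], allowlist: Set[str]) -> List[str]:
    """Resolvers in use that are not the ones the owner deliberately set."""
    return [ip for ip in configured if ip not in allowlist]


# Constructed resolv.conf as a client behind a hijacked router might see it:
# the router now hands out an attacker address as the primary resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 192.0.2.53
nameserver 9.9.9.9
search lan
"""

if __name__ == "__main__":
    hits = audit_resolution(sorted(TRUSTED_ANSWERS), rogue_resolver, trusted_resolver)
    for domain, addrs in hits.items():
        print(f"possible hijack: {domain} -> {sorted(addrs)}")
    rogue = unexpected_nameservers(parse_nameservers(SAMPLE_RESOLV_CONF), {"9.9.9.9"})
    print("unexpected resolvers:", rogue)
```

In practice the two resolver callbacks would wrap real queries (one sent to the address the router handed out via DHCP, one sent directly to a public resolver). The resolution comparison is the more reliable of the two checks: a hijacked router that lists itself as the DNS server and forwards to the rogue resolver upstream passes the nameserver check but still fails the comparison.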

GhostDNS Botnet Targeting Brazilian Home Routers Primarily

According to the researchers, the main target of this campaign is home routers in Brazil, where over 100,000 devices were compromised between September 21 and 27.

With around 87.8% of the compromised devices located in Brazil, the redirection campaign is clearly aimed at Brazilian websites. Several major Brazilian banks, Netflix and other popular sites have reportedly been hijacked to collect users' login credentials.


The rogue DNS servers were found hosted at Oracle, Multacom, Amazon, Google, Telefonica, Aruba, Hostkey and OVH. Outside Brazil, compromised devices were mainly spotted in Bolivia, Argentina, the US, Russia, Mexico, Venezuela and Saint Maarten.

Experts warn that the GhostDNS campaign poses a serious threat because of its scalability, its use of several different attack vectors and its automated attack process. The attack is not limited to online banking fraud: the criminals can hijack the DNS names of any website their victims use frequently and steal personal or sensitive information.

Users are therefore advised to take precautionary steps to avoid becoming a victim of such attacks.

Users should:

  • Make sure the router runs the latest firmware version.
  • Set a strong password for the router's web admin portal.
  • Disable the Remote Administration feature.
  • Change the router's default IP address to a different one.
  • Hardcode a trusted DNS server in the router, and check periodically that it is still the one configured.

In addition, the Netlab researchers advise router vendors to increase the complexity of default passwords and to update the security mechanisms of their products.
