03 Oct 2018

Security researchers have found a new malware which has hacked around 100,000 home routers and changed their DNS settings. Dubbed as GhostDNS, this malware campaign appears to be similar to the infamous DNS Changer malware. GhostDNS aims at getting the sensitive information of the users which includes login details of those who are visiting banking websites.

Like all DNSChanger campaign, GhostDNS scans for the IP addresses for routers that use weak or no password, then accesses the routers’ settings, and changes the router’s default DNS address to the one controlled by the attackers.

GhostDNS system includes four modules for its operation. The modules used by GhostDNS botnet to perform malicious actions are

DNS Changer Module: This one is the main module used by GhostDNS malware. It lets the malware to collect sensitive information by hacking users’ routers. It has 3 sub-modules

a) Shell DNSChanger: It is written in Shell programming language and it includes 25 Shell scripts that can brute-force the passwords on routers or firmware packages from 21 different manufacturers.

b) Js DNSChanger: It is written in JavaScript and it includes 10 attack scripts designed to infect 6 routers or firmware packages.

c) PyPhp DNSChanger: It is written in both Python and PHP and it contains 69 attack scripts against 47 different routers/firmware and has been found deployed on over 100 servers, most of which on Google Cloud, and includes functionalities like Web API, Scanner and Attack module.

This is the core module of DNSChanger that allows attackers to scan the Internet to find vulnerable routers.

Web Admin Module: There is no much information about its operating purpose. But it is believed that this technique gives the hackers access to the admin panel.

Rogue DNS Module: This module is responsible for resolving targeted domain names from the attacker-controlled web servers, which mainly involves banking and cloud hosting service.

Phishing Web Module: When the targeted content gets resolved, this module creates the fake variant of the website that was hacked.

The Ghost campaign has compromised more than 100,000 routers out of which 87.8% of infected routers belong to Brazilians which means Brazil is the primary target of the attackers.

Protect your Home Routers

In order to avoid such malware attacks and keep your device and personal information safe, it is better to take some precautionary measures. Ensure that your router receives all recommended updates offered by its developer. This can be done by checking the router’s official page to see the new updates.

It is very important to set a very strong password for the web access. Create a strong password which includes capital and small letters, some numbers and even signs. Don’t use passwords that are related to you like your birthdate, name etc. The more complicated your password is the smaller is the risk of being hacked.

Deactivate the remote administration function so that nobody will be able to access and modify settings on your router without your permission.

Technical Writer,  Blogger,

Leave your thought

This site uses Akismet to reduce spam. Learn how your comment data is processed.