
GhostDNS hijacking campaign steps up attacks on Brazilians; 100K+ devices compromised

An ongoing DNS hijacking campaign sharply increased its activity this past September, leveraging more than 100,000 compromised home routers to redirect Brazilian e-banking customers to phishing pages.

First reported by Radware last August, the campaign uses a remote configuration URL to modify the DNS server settings of exploited networking devices, so that unsuspecting users are sent to phishing sites that ask them to enter their banking credentials.

This past weekend, Qihoo 360's Netlab team weighed in on the threat, which it calls GhostDNS, noting in a blog post that the campaign involves 52 hijacked domain names, at least 19 confirmed phishing pages, and more than 70 exploited router and firmware models. Some of the targeted domains belong to financial institutions such as Citibank and Banco do Brasil, while others belong to the antivirus vendor Avira and to Netflix.

Netlab says GhostDNS activity picked up heavily beginning Sept. 20, with a host of new scanners seeking out vulnerable routers whose passwords could be brute-forced or whose authentication could be bypassed.

The attack involves four components: a "DNSChanger" malware program that conducts information collection and exploitation, a web phishing module, a rogue DNS server and what appears to be a web admin module.

According to Qihoo, the DNSChanger module exists in three separate versions, named for the languages they are written in: a Shell version (shell scripts), a Js version (JavaScript) and a PyPhp version (Python and PHP).

The PyPhp (Python/PHP) version is the most widely used, having been deployed on more than 100 servers, most of them on Google Cloud, Qihoo reports. It consists of a web API that controls the program, a scanner, and an attack module containing 69 attack scripts for 47 different devices and firmware versions.

The scanner seeks out router IPs in Brazil and passes them to the attack module, which uses both brute-force password guessing and an exploit against the router's authentication to compromise the device.

Qihoo notes that one of the PyPhp DNSChanger nodes also hosted the apparent web admin module mentioned above; researchers do not yet know much about this component.

Meanwhile, the Shell version contains 25 attack scripts and can infect 21 devices and firmware versions. It uses the Fast HTTP Auth Scanner to find routers, then uses the information gathered about each device to crack its web-authentication password.

By comparison, the Js version has 10 attack scripts and affects six devices and firmware versions. It is typically injected into phishing websites and works together with the phishing web system described above: once a victim's browser loads the page, the module's scanner probes the private intranet addresses routers commonly use, hands any router it finds to a payload generator that builds a payload from the router's IP and the rogue DNS IP, and then hijacks the router's DNS setting with a series of password guesses sent to the router's web admin interface.
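The Js module's requests only work because a router's admin interface will accept a DNS change from any page that can reach it on the LAN with a guessed password. The following is an added example, not from the article or from Netlab's analysis, that models a hypothetical router endpoint in two forms: a weak one that honours a GET carrying HTTP Basic credentials from any origin, and a hardened one that requires a POST from the router's own origin with a CSRF token bound to a logged-in session. The Request class, the /dnscfg.cgi and /login paths, the dns parameter name and the constructed requests in simulate() are assumptions for the demonstration and do not describe any vendor's firmware.

```python
import hmac
import ipaddress
import secrets
from base64 import b64decode, b64encode
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Constructed stand-in for an HTTP request arriving at the router's admin UI."""
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)

    def header(self, name):
        return self.headers.get(name, "")


def parse_servers(values):
    """Accept only syntactically valid IP addresses; None if any value is bad or none given."""
    try:
        return [str(ipaddress.ip_address(v)) for v in values] or None
    except ValueError:
        return None


class RouterAdmin:
    """Hypothetical model of a home router's DNS-settings endpoint, weak and hardened forms."""

    def __init__(self, lan_name, username, password):
        self.lan_name = lan_name           # address the router answers on, e.g. "192.168.0.1"
        self.username, self.password = username, password
        self.sessions = {}                 # session id -> CSRF token bound to that session
        self.dns_servers = [lan_name]      # factory default: the router forwards DNS itself

    def _creds_ok(self, user, pwd):
        return (hmac.compare_digest(user.encode(), self.username.encode())
                and hmac.compare_digest(pwd.encode(), self.password.encode()))

    # Weak form: a GET carrying HTTP Basic credentials changes the setting regardless of
    # where it came from, so a script in a victim's browser only has to guess the password.
    def weak_set_dns(self, req):
        auth = req.header("Authorization")
        try:
            user, _, pwd = b64decode(auth[6:]).decode(errors="replace").partition(":")
        except Exception:
            return 401
        if not auth.startswith("Basic ") or not self._creds_ok(user, pwd):
            return 401
        servers = parse_servers(parse_qs(urlsplit(req.path).query).get("dns", []))
        if servers is None:
            return 400
        self.dns_servers = servers
        return 200

    # Hardened form: POST only, same-origin only, CSRF token bound to a logged-in session.
    def _same_origin(self, req):
        host = req.header("Host").split(":")[0]
        if host != self.lan_name:
            return False                   # wrong Host header, e.g. a DNS-rebinding attempt
        src = req.header("Origin") or req.header("Referer")
        if not src:
            return False                   # no origin information on a state change: refuse
        return urlsplit(src).hostname == host

    def login(self, req):
        """Form login through the router's own UI; returns (session id, CSRF token) or None."""
        if req.method != "POST" or not self._same_origin(req):
            return None
        if not self._creds_ok(req.form.get("user", ""), req.form.get("pass", "")):
            return None
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def hardened_set_dns(self, req):
        if req.method != "POST":
            return 405
        if not self._same_origin(req):
            return 403
        cookie = req.header("Cookie")
        sid = cookie[len("session="):] if cookie.startswith("session=") else ""
        token = self.sessions.get(sid)
        if token is None or not hmac.compare_digest(req.form.get("csrf", ""), token):
            return 403
        servers = parse_servers(req.form.get("dns", []))
        if servers is None:
            return 400
        self.dns_servers = servers
        return 200


def simulate():
    """Send a constructed cross-site credential guess (the shape of request a DNS-changer
    script would issue from a victim's browser) to both handlers, then a legitimate change."""
    rogue = ["198.51.100.53", "198.51.100.54"]   # TEST-NET-2 addresses standing in for a rogue resolver
    cross_site = {"Host": "192.168.0.1", "Referer": "http://phish.example/",
                  "Authorization": "Basic " + b64encode(b"admin:admin").decode()}
    weak, hard = RouterAdmin("192.168.0.1", "admin", "admin"), RouterAdmin("192.168.0.1", "admin", "admin")
    out = {
        "weak_get": weak.weak_set_dns(Request("GET", "/dnscfg.cgi?dns=" + "&dns=".join(rogue), cross_site)),
        "hard_get": hard.hardened_set_dns(Request("GET", "/dnscfg.cgi?dns=" + rogue[0], cross_site)),
        "hard_cross_post": hard.hardened_set_dns(Request("POST", "/dnscfg.cgi", cross_site, {"dns": rogue})),
    }
    same_site = {"Host": "192.168.0.1", "Origin": "http://192.168.0.1"}
    sid, token = hard.login(Request("POST", "/login", same_site, {"user": "admin", "pass": "admin"}))
    out["hard_legit_post"] = hard.hardened_set_dns(Request(
        "POST", "/dnscfg.cgi", {**same_site, "Cookie": f"session={sid}"}, {"csrf": token, "dns": ["1.1.1.1"]}))
    out["weak_dns"], out["hard_dns"] = weak.dns_servers, hard.dns_servers
    return out
```

Running simulate() shows the weak handler accepting the cross-site guess and pointing the router at the two rogue addresses, while the hardened handler answers 405 to the GET, 403 to the cross-site POST (no valid origin and no session token, whatever credentials it carries), and 200 only to the same-origin, token-bearing POST. The Origin/Referer check is not sufficient by itself, since referrer policies can strip Referer and a missing header then has to be treated as a refusal; that is why the session-bound token is required as well, and why honouring credentials on a GET is the real defect.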

"The GhostDNS system poses a real threat to [the] Internet. It is highly scaled, utilizes diverse attack vector[s], [and] adopts [an] automated attack process," reads the Qihoo report. "We recommend the broadband users in Brazil to update their router systems, check if the router's default DNS server is changed and set more complicated password[s] for [the] router web portal. We also recommend the router vendors to increase the complexity of router default password[s] and enhance the system security update mechanism for their products."
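Netlab's advice to check whether the router's DNS server has been changed can be turned into a quick client-side audit. The script below is an added example, not from the article or from Netlab, that classifies the resolvers a client received from its router and compares the answers for watched domains against those from a trusted resolver; the allowlist, the LAN range, the resolv.conf text and both answer sets are constructed for the demonstration. A hijacked router may still advertise itself (192.168.0.1) as the resolver and silently forward queries to the rogue upstream, which the resolver classification cannot see; the answer comparison is what catches that case.

```python
import ipaddress
import re

# Constructed allowlist of public resolvers a household might deliberately configure;
# tailor it to the network being audited.
KNOWN_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}


def parse_nameservers(resolv_conf_text):
    """Nameserver IPs from resolv.conf-style text (what the router's DHCP lease typically yields)."""
    return re.findall(r"^[ \t]*nameserver[ \t]+(\S+)", resolv_conf_text, re.MULTILINE)


def classify_resolver(ip, lan_network):
    """'lan': the router or another LAN host; 'known-public': on the allowlist;
    'unknown-public': anything else, which on a home network deserves a look."""
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(lan_network, strict=False) or addr.is_loopback:
        return "lan"
    if str(addr) in KNOWN_PUBLIC_RESOLVERS:
        return "known-public"
    return "unknown-public"


def compare_answers(configured, trusted):
    """Domains whose A records from the configured resolver share nothing with a trusted
    resolver's. Intersection rather than equality is used because CDN-fronted names
    legitimately return different subsets on each query; an empty overlap is the signal."""
    return sorted(
        domain for domain, answers in configured.items()
        if not set(answers) & set(trusted.get(domain, ()))
    )


def audit(resolv_conf_text, lan_network, configured_answers, trusted_answers):
    """Return human-readable findings; an empty list means nothing looked hijacked."""
    findings = []
    for ns in parse_nameservers(resolv_conf_text):
        if classify_resolver(ns, lan_network) == "unknown-public":
            findings.append(f"resolver {ns} is neither the router nor on the allowlist")
    for domain in compare_answers(configured_answers, trusted_answers):
        findings.append(f"{domain} resolves differently through the configured resolver")
    return findings


# Constructed sample: a laptop whose DHCP lease now lists a second, unfamiliar resolver
# alongside the router, and whose answer for a bank domain disagrees with a trusted resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.0.1
nameserver 198.51.100.53
"""
CONFIGURED_ANSWERS = {"bank.example": {"203.0.113.10"}, "cdn.example": {"192.0.2.7"}}
TRUSTED_ANSWERS = {"bank.example": {"192.0.2.20", "192.0.2.21"},
                   "cdn.example": {"192.0.2.7", "192.0.2.8"}}

if __name__ == "__main__":
    for line in audit(SAMPLE_RESOLV_CONF, "192.168.0.0/24", CONFIGURED_ANSWERS, TRUSTED_ANSWERS):
        print("WARN:", line)
```

In practice, obtain the trusted answers by querying a resolver the router does not sit in front of (for example DNS over HTTPS to a known operator) and the configured answers through the normal system resolver, then also inspect the router's WAN-side DNS setting in its admin UI, since that is the value the campaign actually changes.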

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
