Cybersecurity researchers have discovered a new malware campaign, targeting Brazil, that has already compromised more than 100,000 routers. It changes the router's DNS settings to fool users with fake websites, especially banking sites, and steal their passwords.
Called GhostDNS, the malware is similar to DNSChanger and works by changing the DNS settings of vulnerable routers. As a result, part of the network's traffic is diverted to the attackers' servers, which impersonate banking sites, among others, and steal users' passwords.
GhostDNS scans the network looking for vulnerable routers, those with weak passwords or even no password at all. The malware takes over these vulnerable routers and changes the configuration that determines which DNS servers the router and the local network's users should use. With this control, the malware can redirect part of the traffic to malicious websites built to steal passwords and other personal data from users. Routers infected with this malware may redirect the traffic of websites such as Bradesco, Banco do Brasil, Caixa, Itaú, Santander, Citibank, Sicredi and Netflix.
According to the survey conducted, GhostDNS has already compromised more than 100,000 routers, 87.8% of them in Brazil. Some brands/models of infected routers identified in the research:
- 3com OCR-812
- Airrouter Airos
- Antenna Pqws2401
- Ap-Rater
- C3-Tech Router
- Cisco Router
- D-Link Dir-600
- D-Link Dir-610
- D-Link Dir-615
- D-Link Dir-905L
- D-Link DSL-2640T
- D-Link DSL-2740R
- D-Link DSL-500
- D-Link DSL-500g/DSL-502g
- D-Link Sharecenter
- ELSYS CPE-2N
- Fiberhome
- Fiberhome AN5506-02-B
- Fiberlink 101 GPON UN
- Greatek GWR-120
- Huawei
- Huawei Smartax MT880A
- Intelbras WRN 150
- Intelbras WRN 240
- Intelbras WRN 300
- Intelbras WRN240-1
- Kaiomy Router
- Linkone
- Mikrotik Routers
- Multilaser
- OiWtech
- PFTP-WR300
- QBR-1041 WU
- RALINK ROUTERS
- Sapidi RB-1830
- Speedstream
- SpeedTouch
- Technic Lan War-54GS
- Tent
- Thomson
- TP-Link Archer C7
- TP-Link TD-W8901g/TD-W8961nd/TD-8816
- TP-Link TD-W8960N
- TP-Link TL-WR1043ND
- TP-Link TL-WR720N
- TP-Link TL-WR740N
- TP-Link TL-WR749N
- TP-Link TL-WR840N
- TP-Link TL-WR841N
- TP-Link TL-WR841ND
- TP-Link TL-WR845N
- TP-Link TL-WR849N
- TP-Link TL-WR941ND
- TRIZ TZ5500E/VIKING
- DSLINK 200 U/E
- Wive-Eng Routers Firmware
- ZTE ZXHN H208N
- ZYXEL VMG3312
How to find out if my router has been compromised?
The main symptom that your router has been compromised by GhostDNS or DNSChanger is that it makes your computer use an unfamiliar DNS server. A simple test detects most cases.
- First, find out which DNS servers your computer is using.
- If the DNS servers configured on your computer do not match any of the following patterns, we recommend a more detailed analysis.
  - 192.168.x.x
  - 10.x.x.x
  - 8.8.8.8
  - 8.8.4.4
  - 1.1.1.1
  - 1.0.0.1
  - 9.9.9.9
  - 149.112.112.112
  - 208.67.222.222
  - 208.67.220.220
  - 4.2.2.1
  - 4.2.2.2
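As an added example (not code from the original article), the following Python script applies the check above to a resolv.conf-style list of nameservers and flags any resolver that matches neither the LAN ranges nor the well-known public resolvers. It assumes a Linux-style /etc/resolv.conf and, going one step beyond the article's list, also treats the 172.16.0.0/12 private range as local.

```python
import ipaddress
import sys

# Allowlist from the article: LAN ranges plus well-known public resolvers. The article
# lists only 192.168.x.x and 10.x.x.x; 172.16.0.0/12 is added here as an assumption (RFC 1918).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
TRUSTED_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",                # Google Public DNS
    "1.1.1.1", "1.0.0.1",                # Cloudflare
    "9.9.9.9", "149.112.112.112",        # Quad9
    "208.67.222.222", "208.67.220.220",  # OpenDNS
    "4.2.2.1", "4.2.2.2",                # Level 3
}

def parse_resolv_conf(text):
    """Return the addresses of 'nameserver' lines in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def is_trusted(server):
    """True if the resolver is a LAN address or one of the known public resolvers."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal at all: treat as suspicious
    return str(addr) in TRUSTED_RESOLVERS or any(addr in n for n in TRUSTED_NETWORKS)

def suspicious_resolvers(text):
    """Resolvers in the text that match neither the LAN ranges nor the known resolvers."""
    return [s for s in parse_resolv_conf(text) if not is_trusted(s)]

# Constructed sample: the LAN router, Google, and an unknown public address
# (203.0.113.0/24 is the documentation range, standing in for a rogue resolver).
SAMPLE = """# constructed example, not a real capture
nameserver 192.168.0.1
nameserver 8.8.8.8
nameserver 203.0.113.45
"""

if __name__ == "__main__":  # pass a resolv.conf path, or run on the constructed sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for s in suspicious_resolvers(text):
        print("unexpected DNS server:", s)
```

On Windows or macOS the resolver list comes from the system settings rather than /etc/resolv.conf, but the same allowlist comparison applies.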
How to avoid problems with GhostDNS?
You can prevent GhostDNS from compromising your router by using a strong password for the router's management interface. In addition, keeping the router's firmware up to date with the latest versions released by the manufacturer is also an important measure to avoid security problems.
Another measure is to use a DNS firewall and internet access control system, such as Lumiun. In networks that use Lumiun, the likelihood of equipment contamination and router compromise is reduced, and even if the router has been compromised and its DNS reconfigured, Lumiun protects the network and does not allow this type of attack to redirect user traffic through the DNS change imposed by the malware on the affected router. As a result, companies that use Lumiun are always safe against all malware campaigns aimed at diverting traffic through router compromise and DNS modification.
References
- The Hacker News: GhostDNS: New DNS Changer Botnet Hijacked Over 100,000 Routers
- Netlab 360: 70+ Different Types of Home Routers (All Together 100,000+) Are Being Hijacked by GhostDNS (English content)