
70+ DIFFERENT TYPES OF HOME ROUTERS ARE BEING HIJACKED BY GHOSTDNS


BACKGROUND INTRODUCTION

DNSChanger is not new and was quite active years ago. We still encounter one every once in a while, but given the impact they have, we normally don’t bother to write an article.

That said, we have been keeping an eye on a particular one for a while. It has been active for a long time, and Radware has also blogged about it recently. Starting from September 20, 2018, we noticed the campaign ramping up its effort significantly with a whole bunch of new scanners, so we think it is time to expose more details and take some needed actions.

Just like a regular DNSChanger, this campaign attempts to guess the password on the router's web authentication page or bypass the authentication through the dnscfg.cgi exploit, then changes the router's default DNS address to the Rogue DNS Server through the corresponding DNS configuration interface.

GHOSTDNS SYSTEM

The GhostDNS system consists of four parts: the DNSChanger module, the Phishing Web module, the Web Admin module, and the Rogue DNS module. Among them, the DNSChanger module is responsible for information collection and exploitation.

DNSCHANGER SYSTEM

The DNSChanger module is the main module of GhostDNS. The attacker uses three DNSChanger sub-modules to carry out attacks against routers on both internet and intranet networks. The module includes 100+ attack scripts altogether, affecting 70+ different routers.


PROCESSES

  • The Shell DNSChanger sub-module
  • The Js DNSChanger sub-module
  • The PyPhp DNSChanger sub-module
  • The Web Admin System
  • The Rogue DNS System
  • The Phishing Web System
  • Statistics of Infected Routers

Summary

The GhostDNS system poses a real threat to the Internet. It operates at a large scale, uses diverse attack vectors, and automates its attack process. We recommend that broadband users in Brazil update their router systems, check whether the router's default DNS server has been changed, and set a more complicated password for the router web portal. We also recommend that router vendors increase the complexity of router default passwords and enhance the system security update mechanism for their products. Relevant security agencies are welcome to contact netlab[at]360.cn for a full list of infected IP addresses.
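
One way to carry out the DNS check recommended above, as an added example that is not part of the original post: it classifies the resolvers a client uses and the upstream DNS servers read off the router's admin page against an allowlist. The allowlist, the sample addresses (documentation ranges) and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the resolvers this network is supposed to use. Constructed
# documentation-range values; replace with your ISP's or chosen resolvers.
EXPECTED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}
# A LAN, loopback or link-local resolver is a forwarder (usually the router).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def parse_nameservers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def classify(server, expected=EXPECTED_RESOLVERS):
    """Return 'expected', 'local-forwarder', 'unexpected' or 'invalid'."""
    try:
        addr = ipaddress.ip_address(server.split("%", 1)[0])  # drop zone id
    except ValueError:
        return "invalid"
    if addr in {ipaddress.ip_address(e) for e in expected}:
        return "expected"
    if any(addr in net for net in LOCAL_NETS):
        return "local-forwarder"
    return "unexpected"

def audit(resolv_conf_text, router_upstream=()):
    """Classify the client's resolvers and the router's own upstream DNS.

    A client that only lists the router cannot reveal a hijack by itself, so
    the DNS servers shown on the router's admin page are checked as well."""
    sources = (("client", parse_nameservers(resolv_conf_text)),
               ("router", list(router_upstream)))
    return [(src, s, classify(s)) for src, servers in sources for s in servers]

def hijack_suspected(findings):
    return any(verdict == "unexpected" for _, _, verdict in findings)

# Constructed sample input, not data from the campaign.
SAMPLE_RESOLV_CONF = "# constructed\nnameserver 192.168.1.1  # router\n"
SAMPLE_ROUTER_UPSTREAM = ["192.0.2.53", "203.0.113.66"]

if __name__ == "__main__":
    findings = audit(SAMPLE_RESOLV_CONF, SAMPLE_ROUTER_UPSTREAM)
    print(findings, "hijack suspected:", hijack_suspected(findings))
```

In the sample the client looks clean because it only points at the router; the unexpected resolver shows up only once the router's own upstream DNS setting is included.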