Researchers have discovered a malware campaign that has seized 100,000 home-based routers by tweaking the DNS settings, giving them the ability to access login credentials. This campaign is very similar to the DNSChanger malware which also changes DNS settings. GhostDNS looks for IP addresses that have weak passwords or none at all, allowing for a change in address by the attacker. It includes four modules as well as two submodules. These include DNSChanger Module, Shell DNSChaner, Js DNSChanger, PhPhp DNSChanger, and the submodules include Web Admin Module and Rouge DNS module. Over the course of six days that the 100,000 routers were compromised, 87.8 percent of the routers were located in Brazil, making it the target. “Currently the campaign mainly focuses on Brazil, we have counted 100k+ infected router IP addresses (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in Brazil, even Netflix, Citibank.br have been hijacked to steal the corresponding website login credentials,” the researchers say. To avoid this happening, it is advised to make sure the latest firmware is running on your router as well as setting a strong password for the router portal.
