
100,000 home routers recruited to spread Brazilian hacking scam


October 2, 2018 12:00 AM

GhostDNS in the machine

A DNSChanger-like attack first spotted in August on D-Link routers in Brazil has expanded to affect more than 70 different devices and more than 100,000 individual pieces of kit.

Radware first identified the latest campaign, which started as an attack on Banco do Brasil customers via a DNS redirection that sent people to a cloned Website that stole their credentials.

Now, Qihoo's Netlab 360 folk have warned that the attack, which they've dubbed GhostDNS, is “starting to ramp up its effort significantly with a whole bunch of new scanners."

The attackers were trying to get control of the target machines either by guessing the web admin password, or through a vulnerable DNS configuration CGI script (dnscfg.cgi). If they get control of a device, they change the router's default DNS server to their own “rogue” machine.
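A defender-side check for this kind of hijack, added here as an example and not code from the article, Radware or Netlab 360: given a router's configured resolvers plus A-record answers collected through the router and through a trusted resolver (sample values constructed below from RFC 5737 documentation addresses), it flags resolvers outside the expected set, answers the two resolvers disagree on, and a single address answering for several unrelated domains, which is what a phishing host serving many cloned sites looks like.

```python
import ipaddress
from collections import defaultdict

# Where a home router's resolvers may legitimately sit: RFC 1918 LAN ranges; extend with your ISP's.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed baseline of expected upstream resolvers (RFC 5737 documentation addresses, not real).
EXPECTED_RESOLVERS = {"198.51.100.53", "198.51.100.54"}

def unexpected_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Configured DNS servers that are neither on the LAN nor in the baseline."""
    findings = []
    for ip in configured:
        addr = ipaddress.ip_address(ip)
        on_lan = any(addr in net for net in LAN_NETWORKS)
        if not on_lan and ip not in expected:
            findings.append(ip)
    return findings

def mismatched_answers(via_router, via_trusted):
    """Domains whose A records from the router's resolver share nothing with a
    trusted resolver's. CDN-hosted names vary legitimately, so feed this hosts
    you know to be stable, such as a bank's login hostname."""
    diffs = {}
    for domain, trusted in via_trusted.items():
        router = set(via_router.get(domain, ()))
        if router and not (router & set(trusted)):
            diffs[domain] = (sorted(router), sorted(trusted))
    return diffs

def shared_answer_hosts(via_router, min_domains=2):
    """Addresses the router's resolver returns for several unrelated domains: a
    single phishing host serving many cloned sites answers for all of them."""
    by_ip = defaultdict(set)
    for domain, ips in via_router.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}

# Constructed sample: the router hands out one non-baseline resolver, and two bank
# hostnames resolve to the same address through it but not through a trusted resolver.
ROUTER_DNS = ["192.168.1.1", "203.0.113.9"]
VIA_ROUTER = {"login.bank-a.example": {"203.0.113.80"},
              "login.bank-b.example": {"203.0.113.80"},
              "www.search.example": {"192.0.2.10"}}
VIA_TRUSTED = {"login.bank-a.example": {"192.0.2.21"},
               "login.bank-b.example": {"192.0.2.22", "192.0.2.23"},
               "www.search.example": {"192.0.2.10"}}
```

In practice the answer dictionaries come from querying the same stable hostnames once through the router's resolver and once through a resolver you control, and the LAN check is deliberately explicit rather than relying on `ipaddress.is_private`, which also treats loopback and documentation ranges as private.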

Netlab 360's post added that as well as redirecting a victim's default DNS, the GhostDNS campaign uses three DNSChanger variants running as a shell, a JavaScript program, or a Python program.

But wait, there's more, the post said: “The GhostDNS system consists of four parts: DNSChanger module, Phishing Web module, Web Admin module, Rogue DNS module.”

The shell DNSChanger module works on 21 router models, the post said; the JavaScript module can infect six models; and the Python version has been installed on 100 servers, mostly on Google's cloud.

At this stage, the post said, the redirection campaign is heavily weighted towards Brazilian Websites, nearly 88 per cent of the compromised devices are also in Brazil, and the rogue DNS servers operated on Hostkey, Oracle, Multacom, Amazon, Google, Telefonica, Aruba, and OVH.

Compromised kit has also been spotted in Bolivia, Argentina, Saint Maarten, Mexico, Venezuela, the US, Russia and a few others.

OVH, Oracle and Google have kicked the attackers off their infrastructure, and the post said others are “working on it”.

The Netlab 360 researchers also listed the following vendors as vulnerable: 3Com*, A-Link, Alcatel / Technicolor, Antena, C3-Tech, Cisco, D-Link, Elsys, Fiberhome, Fiberlink, Geneko, Greatek, Huawei, Intelbras, Kaiomy, LinkOne, MikroTik, MPI Networks, Multilaser, OIWTECH, Perfect, Qtech, Ralink, Roteador, Sapido, Secutech, Siemens, Technic, Tenda, Thomson, TP-Link, Ubiquiti, Viking, ZTE, and Zyxel (* Yes, we know 3Com is a name long gone from the shelves; The Register speculates that since the vendor list is compiled by querying the compromised device, 3Com's name survives in some HP devices' firmware).

The Russian-authored Wive-NG router firmware has also been exploited, the post said.
