A DNSChanger-style attack first spotted a couple of months ago, in August, on D-Link routers in Brazil has spread to hit more than 70 different router models and more than 100,000 individual devices. Radware first identified the campaign, which began as an attack on Banco do Brasil customers: a DNS redirection sent victims to a look-alike website that harvested their credentials.

Now Qihoo 360's Netlab team has warned that the attack, which it has dubbed GhostDNS, is “starting to ramp up its effort significantly with a whole bunch of new scanners.”

The attackers were trying to take control of the target routers either by guessing the device's web admin password or through an insecure DNS-configuration CGI script (dnscfg.cgi). Once they control a device, they change the router's default DNS server to their own “rogue” resolver, so every lookup made through the router can be answered with an attacker-chosen address.
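As a worked check for the symptom just described (added here; this is not code from Netlab 360, Radware or the article), the following Python script compares the A records a router-supplied resolver returns for a domain with those from an independent, trusted resolver. Disagreement on a bank's domain is exactly what a rogue DNS server produces. The DNS client is hand-rolled so it needs no third-party packages; the domain name, addresses and response packets in the demo are constructed (RFC 5737 documentation ranges), and `query_resolver` is only needed for a live check.

```python
import socket
import struct

# Added example (not from the Netlab 360 or Radware write-ups): a minimal DNS
# A-record client and parser used to compare what the resolver a router hands
# out says about a domain with what an independent, trusted resolver says.
# All names, addresses and packets below are constructed for the demo.


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A query (QTYPE=1, QCLASS=IN) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _read_name(pkt: bytes, off: int):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(pkt: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _name, off = _read_name(pkt, off)
        off += 4                              # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _name, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def build_response(query: bytes, addrs: list, ttl: int = 300) -> bytes:
    """Fabricate a response to `query` carrying the given A records.

    Only used to build offline test packets; a real resolver produces these.
    """
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = query[12:]
    answers = b"".join(
        b"\xC0\x0C"                                       # pointer to QNAME at offset 12
        + struct.pack(">HHIH", 1, 1, ttl, 4)
        + bytes(int(octet) for octet in a.split("."))
        for a in addrs
    )
    return header + question + answers


def query_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> list:
    """Send the query over UDP to `resolver_ip` and return the A records (live use)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        resp, _ = s.recvfrom(512)
    if resp[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_a_records(resp)


def looks_hijacked(trusted: list, suspect: list) -> bool:
    """True when the suspect resolver answered but shares no address with the
    trusted answer. CDNs and geo-DNS rotate addresses, so treat this as a
    signal to investigate (several trusted resolvers, TLS certificate), not proof."""
    return bool(suspect) and not set(suspect) & set(trusted)


if __name__ == "__main__":
    # Offline demo on constructed packets: one honest answer, one rogue answer.
    q = build_query("bank.example")
    trusted = parse_a_records(build_response(q, ["198.51.100.20"]))
    rogue = parse_a_records(build_response(q, ["203.0.113.7"]))
    print("trusted:", trusted, "router:", rogue, "hijacked:", looks_hijacked(trusted, rogue))
    # Live check: replace the placeholders with a known-good public resolver and
    # the resolver your router hands out via DHCP (usually the router itself).
    # print(looks_hijacked(query_resolver("<trusted-resolver>", "bank.example"),
    #                      query_resolver("<router-resolver>", "bank.example")))
```

Run the live variant from a machine behind the router so the suspect query goes to the resolver the router actually hands out; a mismatch for a bank domain, especially one where the rogue answer also fails a TLS certificate check, is the GhostDNS pattern.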

Netlab 360’s post added that, as well as redirecting a victim’s default DNS, the GhostDNS campaign uses three DNSChanger variants, implemented as a shell script, a JavaScript program, and a Python program. And there is more, the post said: “The GhostDNS system consists of four parts: DNSChanger module, Phishing Web module, Web Admin module, Rogue DNS module.”

The shell DNSChanger module works on 21 router models, the post said; the JavaScript module can infect six models; and the Python variant has been installed on 100 servers, mainly on Google’s cloud.

The post said that, at this point, the redirection campaign is aimed squarely at Brazilian websites: nearly 88 percent of the compromised devices are in Brazil, and the rogue DNS servers ran on Google, Oracle, Hostkey, Amazon, Aruba, Multacom, Telefonica, and OVH. Compromised kit has also been identified in the US, Argentina, Bolivia, Mexico, Russia, Venezuela, Saint Maarten, and a few other countries.

Google, Oracle and OVH have kicked the attackers off their infrastructure, and the post said the others are working on it.

The vendors Netlab 360’s analysts have so far listed as vulnerable are 3Com*, A-Link, Alcatel/Technicolor, Antena, C3-Tech, Cisco, D-Link, Elsys, Fiberhome, Fiberlink, Geneko, Greatek, Huawei, Intelbras, Kaiomy, LinkOne, MikroTik, MPI Networks, Multilaser, OIWTECH, Perfect, Qtech, Ralink, Roteador, Sapido, Secutech, Siemens, Technic, Tenda, Thomson, TP-Link, Ubiquiti, Viking, ZTE, and Zyxel (* Yes, we realise 3Com is a name long gone from the shelves; The Register suspects that, since the vendor list is compiled by querying the compromised device, 3Com’s name lives on in some HP devices’ firmware).
