Gigantic 100,000-strong botnet used to hijack traffic meant for Brazilian banks

Botnet redirects hijacked traffic to over 50 active phishing sites.

Over 100,000 routers have had their DNS settings modified to redirect users to phishing pages. The redirection occurs only when users are trying to access e-banking pages for Brazilian banks.

Around 88% of these routers are located in Brazil, and the campaign has been raging since at least mid-August when security firm Radware first spotted something strange.

But according to a new report published last week by Chinese cyber-security firm Qihoo 360, the group behind these attacks has stepped up its game.

By analyzing massive amounts of collected data, Qihoo 360's Netlab division gained a deep look into the group's modus operandi.

According to Netlab experts, the hackers are scanning the Brazilian IP space for routers that use weak or no passwords, accessing the routers' settings, and replacing legitimate DNS settings with the IPs of DNS servers under their control.

This change redirects all DNS queries that pass through the compromised routers to the malicious DNS servers, which respond with incorrect info for a list of 52 sites.

Most of these sites are Brazilian banks and web hosting services, and the redirection leads back to a phishing page that steals victims' credentials for these sites.
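
As an added illustration (not code from the original article or from Netlab's report), the following Python example shows how a defender could spot this kind of selective redirection: it compares the answers from the resolver a router hands out with those from a reference resolver, and flags unrelated domains that all land on the same unexpected IP. The domain names, IP addresses, function name and the shared-landing-IP heuristic are assumptions made for the example.

```python
"""Flag selective DNS redirection by comparing two resolvers' answers."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample data: placeholder domains and documentation-range IPs.
TRUSTED = {  # answers from a reference resolver
    "bank-a.example": ["192.0.2.10"],
    "bank-b.example": ["192.0.2.20", "192.0.2.21"],
    "hosting.example": ["192.0.2.30"],
    "cdn-site.example": ["198.51.100.5"],
    "news.example": ["198.51.100.9"],
}
SUSPECT = {  # answers from the resolver configured on the router
    "bank-a.example": ["203.0.113.66"],
    "bank-b.example": ["203.0.113.66"],
    "hosting.example": ["203.0.113.66"],
    "cdn-site.example": ["198.51.100.77"],  # different edge node, benign
    "news.example": ["198.51.100.9"],
}

def find_selective_hijack(suspect, trusted, min_shared=2):
    """Return (hijacked, divergent).

    hijacked:  {ip: [domains]} where at least min_shared domains whose
               answers share nothing with the reference land on one IP.
    divergent: domains that differ but share no landing IP with another
               mismatched domain (often CDN or geo-DNS variation).
    """
    mismatched = {}
    for domain, ref_ips in trusted.items():
        got = {ip_address(ip) for ip in suspect.get(domain, ())}
        ref = {ip_address(ip) for ip in ref_ips}
        # An empty answer (no record returned) is not treated as redirection.
        if got and got.isdisjoint(ref):
            mismatched[domain] = got
    by_ip = defaultdict(list)
    for domain, ips in mismatched.items():
        for ip in ips:
            by_ip[str(ip)].append(domain)
    hijacked = {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_shared}
    flagged = {d for ds in hijacked.values() for d in ds}
    return hijacked, sorted(set(mismatched) - flagged)

if __name__ == "__main__":
    hijacked, divergent = find_selective_hijack(SUSPECT, TRUSTED)
    for ip, domains in hijacked.items():
        print(f"possible redirection: {domains} all resolve to {ip}")
    print("divergent, review manually:", divergent)
```

A single mismatched domain is reported only as divergent, since large sites legitimately return different addresses to different resolvers.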

Attackers do all this with the help of three modules, which Netlab has dubbed Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger, each named after the programming language in which it was coded.

The first module, Shell DNSChanger, is written in Shell and is a combination of 25 Shell scripts that can brute-force the passwords of 21 routers or firmware packages.

"This sub-module is only being used lightly, with limited deployment by the attacker," Netlab researchers said over the weekend.

The second module, Js DNSChanger, is written in JavaScript, and is a collection of only 10 JS scripts that can brute-force the passwords of six routers or firmware packages.

This one is only deployed on already-compromised routers to scan and brute-force other routers and devices on internal networks.

The third module, PyPhp DNSChanger, is written in a combination of Python and PHP, and is the most potent of all three. Netlab says this module has been deployed on over 100 Google Cloud servers, from where the attackers are constantly scanning the Internet to identify vulnerable routers.

This module uses 69 attack scripts that can brute-force the passwords of 47 different routers and firmware packages.

Furthermore, this module also uses an exploit that can bypass the authentication procedures for some routers and alter DNS settings. This particular exploit (known as the dnscfg.cgi vulnerability) was seen exploited in Brazil in a similar fashion in February 2015, when it was also used to change DNS settings and redirect Brazilian bank users to phishing sites.

Netlab researchers say that they've managed to access this third module's admin area, where they discovered that PyPhp DNSChanger alone had infected over 62,000 routers.

In addition, this third module also seems to use what appears to be a stolen Shodan API key to identify, through the Shodan IoT search engine, vulnerable routers it can exploit.

All in all, the operators of this botnet, which Netlab has nicknamed GhostDNS, can target over 70 different types of routers, have already infected over 100,000 routers, and are currently hosting phishing pages for over 70 different services (the 52 URLs found by Netlab researchers, plus another 19 phishing sites hosted on the same phishing servers, but to which GhostDNS had not yet redirected traffic).

Netlab says it notified affected entities such as Brazilian ISPs about the ongoing campaign. A list of URLs for which GhostDNS is redirecting traffic to phishing pages, along with the list of routers GhostDNS is known to be able to infect, is available in Netlab's report.
