GhostDNS malware hacked over 100,000 home routers

by Alice Woods

GhostDNS seems to be related to the infamous DNSChanger malware


Security researchers have recently discovered new malware that has compromised around 100,000 home routers and changed their DNS settings. GhostDNS, the malware behind this campaign, closely resembles an earlier threat known as DNSChanger.[1] Like its predecessor, it is used to harvest sensitive information, such as the login details of users visiting banking websites.

The GhostDNS botnet[2] shares more than a name with the aforementioned malware. Both rely on the same operating principle: changing the DNS server settings on the victim's router so that name lookups go through servers the cybercriminals control, which lets them steal victims' personal information.

Users whose routers have a weak password, or no password at all, should be especially concerned, because those are the routers GhostDNS currently targets. The botnet scans IP addresses for routers and logs in to the router's settings. Once it is in, the router's DNS server address is replaced with one operated by the criminals[3].

GhostDNS botnet is using four modules for its operation

GhostDNS uses four modules to carry out its malicious activity[4]:

  • DNS Changer. The main module of GhostDNS. It compromises users' routers and alters their DNS settings, which is what lets the malware collect sensitive information.
  • Web Admin. Little is known about this module's purpose; however, it is known to give the attackers access to the router's admin panel.
  • Rogue DNS. This module resolves domain names through a server under the crooks' control. It appears to be particularly effective at capturing bank account details.
  • Phishing Web. Once a targeted domain has been resolved to the rogue server, this module serves a fake version of the hijacked website.
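The two observable effects of the DNS Changer and Rogue DNS modules described above are (a) a resolver address on the LAN that the owner never configured and (b) a sensitive domain resolving to an address that a trusted resolver does not return. The following script is an added example for this article, not code from the original page or from the researchers it cites; it checks for both signs using constructed sample data (the resolver addresses, domain names and answers are placeholder values, not indicators from the campaign).

```python
"""Detect signs of a GhostDNS-style router DNS hijack (added example).

Check 1: the DNS servers a client received from the router (here read from a
constructed resolv.conf-style text) are compared against an allow-list of
resolvers the owner actually configured.
Check 2: A-record answers for sensitive domains obtained through the router's
resolver are compared with answers from a trusted resolver; a disjoint answer
set is the signature of a rogue resolver redirecting a bank domain.
"""
import ipaddress
import re

# Resolvers the owner deliberately configured (constructed allow-list).
TRUSTED_RESOLVERS = {"192.0.2.1", "192.0.2.2"}

# Constructed resolv.conf text as a LAN client might receive it via DHCP
# from a router whose DNS settings were altered.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.arpa
nameserver 198.51.100.53
nameserver 192.0.2.1
"""

# Constructed answers: a trusted resolver versus the router's resolver.
TRUSTED_ANSWERS = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
    "video.example": {"203.0.113.50"},
    "news.example": {"203.0.113.80"},
}
ROUTER_ANSWERS = {
    "bank.example": {"198.51.100.200"},   # redirected to a phishing host
    "video.example": {"203.0.113.50"},    # unchanged
    "news.example": {"203.0.113.80"},
}


def parse_nameservers(resolv_conf_text):
    """Return the nameserver IPs listed in resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"nameserver\s+(\S+)$", line)
        if not m:
            continue
        try:
            servers.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # ignore malformed entries
    return servers


def unexpected_resolvers(configured, trusted=TRUSTED_RESOLVERS):
    """Resolvers handed to the client that are not on the owner's allow-list."""
    return [s for s in configured if s not in trusted]


def hijacked_domains(trusted_answers, router_answers):
    """Domains whose router-resolved addresses share nothing with trusted answers.

    CDNs legitimately return different addresses to different resolvers, so a
    domain is flagged only when the two answer sets are disjoint; any overlap
    is treated as benign variation.
    """
    flagged = {}
    for name, trusted in trusted_answers.items():
        seen = router_answers.get(name, set())
        if seen and not (seen & trusted):
            flagged[name] = sorted(seen)
    return flagged


def audit(resolv_conf_text, trusted_answers, router_answers):
    """Run both checks and return a small report dictionary."""
    servers = parse_nameservers(resolv_conf_text)
    return {
        "configured_resolvers": servers,
        "unexpected_resolvers": unexpected_resolvers(servers),
        "hijacked_domains": hijacked_domains(trusted_answers, router_answers),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RESOLV_CONF, TRUSTED_ANSWERS, ROUTER_ANSWERS).items():
        print(f"{key}: {value}")
```

On a real network the resolv.conf text would come from the client's own configuration and the two answer dictionaries from queries sent to the router and to a resolver you trust; the comparison logic stays the same.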

87.8% of infected routers belong to Brazilians

Researchers have found that the campaign mainly targets Brazil[5]; 87.8% of the infected devices are located in that country:

"Currently the campaign mainly focuses on Brazil, we have counted 100k+ infected router IP addresses (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in Brazil, even Netflix, Citibank.br have been hijacked to steal the corresponding website login credentials."

Do not be a victim of such malware campaigns

If you want to avoid such malware attacks and keep your device and personal information safe, you have to take some precautionary measures. First, make sure your router has received all the updates recommended by its manufacturer. You can check the manufacturer's official support page for your router model to see what updates are available.

More importantly, set a strong password for the router's web administration interface. Do not rely on plain letters alone: use a mix of upper- and lower-case letters, numbers, and symbols. The more complex the password, the lower the risk of a successful guessing attempt. Also avoid passwords based on details that are easy to guess, such as your name or birth date.

Another way to improve your router's security is to disable the remote administration function. With it turned off, the router's settings cannot be accessed or modified from the internet without your involvement. Stay safe!
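The password advice above can be turned into a check you run before saving a new admin password. The script below is an added example, not code from the original page: it implements the rules the text gives (not only letters; a mix of upper- and lower-case letters, digits and symbols; nothing derived from personal details such as a name or birth date). The 12-character minimum is an assumption, since the article gives no figure, and the personal details and passwords are constructed sample values.

```python
"""Check a router administration password against the article's advice (added example)."""
import re
import string

MIN_LENGTH = 12  # assumed minimum; the article does not state one


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def personal_tokens(details):
    """Derive lower-case substrings that are guessable from personal details.

    A birth date given as YYYY-MM-DD yields the year, DDMM, MMDD and the
    compact YYYYMMDD / DDMMYYYY forms; other values are split into words of
    three or more characters.
    """
    tokens = set()
    for value in details.values():
        value = value.lower()
        m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value)
        if m:
            y, mo, d = m.groups()
            tokens.update({y, d + mo, mo + d, y + mo + d, d + mo + y})
        else:
            tokens.update(w for w in re.split(r"\W+", value) if len(w) >= 3)
    return tokens


def check_admin_password(password, personal_details):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"lower", "upper", "digit", "symbol"} - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    lowered = password.lower()
    for token in sorted(personal_tokens(personal_details)):
        if token in lowered:
            problems.append(f"contains personal detail '{token}'")
    return problems


if __name__ == "__main__":
    # Constructed sample details and candidate passwords.
    details = {"name": "Maria Silva", "birthdate": "1985-07-23"}
    for candidate in ["Maria1985!", "Tr0ub4dor&3-Lamp!"]:
        print(candidate, "->", check_admin_password(candidate, details) or "ok")
```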

About the author


Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.

