GhostDNS malware on routers can steal user banking data

Experts have discovered that GhostDNS, a sophisticated DNS hijacking system used for data theft, is affecting more than 100,000 routers, 87 percent of them in Brazil. According to Netlab, a company specializing in information security, the malware has been found on 70 different router models, including brands such as TP-Link, D-Link, Intelbras, Multilaser and Huawei.

Using phishing, the final objective of the attack is to capture credentials for important sites, such as banks and large providers. According to Netlab at 360, which discovered the scam, the Brazilian URLs of Netflix, Santander and Citibank were among those hijacked by GhostDNS. Below, learn how the malware works and how to protect yourself.


Malware GhostDNS infests more than 100,000 routers and can steal bank data


What is the attack?

The malware reported by Netlab at 360 performs an attack known as DNSChanger. Generally, this scam attempts to guess the router password on the web configuration page using the default credentials set by manufacturers, such as admin / admin or root / root. Another way is to bypass authentication by scanning for dnscfg.cgi. With access to the router's settings, the malware replaces the default DNS server, the service that translates URLs such as a bank's address into IPs, with one that points to the IPs of malicious sites.

GhostDNS is a much improved version of this tactic. It has three DNSChanger submodules, called Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger. PyPhp DNSChanger is the main module of the three, having been deployed on more than 100 servers, mostly on Google Cloud. Together they contain more than 100 attack scripts targeting routers on the Internet and on intranets.

As if that were not enough, GhostDNS has three other structural modules besides DNSChanger. The first is the Rogue DNS server, which hijacks the domains of banks, cloud services and other sites whose credentials interest criminals. The second is the web phishing system, which receives the IP addresses of the hijacked domains and interacts with victims through fake sites. Lastly, there is the web administration system, about whose operation the experts still have little information.

GhostDNS-promoted attack flowchart to routers

Risks of the attack

The big risk of the attack is that with DNS hijacking, even if you enter your bank's correct URL in the browser, you can be redirected to the IP of a malicious site. So even if the user notices changes to the page's interface, he is led to believe that he is in a secure environment. This increases the chances of his typing in bank passwords, email, cloud storage and other credentials that cybercriminals can use.

Which routers have been affected?

Between September 21 and 27, Netlab at 360 found just over 100,000 IP addresses of infected routers. Of these, 87.8%, or approximately 87,800, are in Brazil. However, because IP addresses change over time, the actual number may be slightly different.

GhostDNS Infected Router Counter

The affected routers were infected by different DNSChanger modules. In Shell DNSChanger, the following models were identified:

  • 3COM OCR-812
  • AP-ROUTER
  • D-LINK
  • D-LINK DSL-2640T
  • D-LINK DSL-2740R
  • D-LINK DSL-500
  • D-LINK DSL-500G / DSL-502G
  • Huawei SmartAX MT880a
  • Intelbras WRN240-1
  • Kaiomy Router
  • MikroTiK Routers
  • OIWTECH OIW-2415CPE
  • Ralink Routers
  • SpeedStream
  • SpeedTouch
  • Tent
  • TP-LINK TD-W8901G / TD-W8961ND / TD-8816
  • TP-LINK TD-W8960N
  • TP-LINK TL-WR740N
  • TRIZ TZ5500E / VIKING
  • VIKING / DSLINK 200 U / E

The routers affected by Js DNSChanger were:

  • A-Link WL54AP3 / WL54AP2
  • D-Link DIR-905L
  • GWR-120 Router
  • Secutech RiS Firmware
  • SMARTGATE
  • TP-Link TL-WR841N / TL-WR841ND

Finally, the devices affected by the main module, PyPhp DNSChanger, are the following:

  • AirRouter AirOS
  • Antenna PQWS2401
  • C3-TECH Router
  • Cisco Router
  • D-Link DIR-600
  • D-Link DIR-610
  • D-Link DIR-615
  • D-Link DIR-905L
  • D-Link ShareCenter
  • Elsys CPE-2n
  • Fiberhome
  • Fiberhome AN5506-02-B
  • Fiberlink 101
  • GPON ONU
  • Greatek
  • GWR 120
  • Huawei
  • Intelbras WRN 150
  • Intelbras WRN 240
  • Intelbras WRN 300
  • LINKONE
  • MikroTik
  • Multilaser
  • OIWTECH
  • PFTP-WR300
  • QBR-1041 WU
  • PNRT150M Router
  • Wireless N 300Mbps Router
  • WRN150 Router
  • WRN342 Router
  • Sapido RB-1830
  • TECHNIC LAN WAR-54GS
  • Tenda Wireless-N Broadband Router
  • Thomson
  • TP-Link Archer C7
  • TP-Link TL-WR1043ND
  • TP-Link TL-WR720N
  • TP-Link TL-WR740N
  • TP-Link TL-WR749N
  • TP-Link TL-WR840N
  • TP-Link TL-WR841N
  • TP-Link TL-WR845N
  • TP-Link TL-WR849N
  • TP-Link TL-WR941ND
  • Wive-NG firmware routers
  • ZXHN H208N
  • Zyxel VMG3312

How to protect yourself

The first step is to change the router's password, especially if you use the default one or a weak password. It is also recommended that you update the router firmware and check the settings to see whether the DNS has been changed.
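Checking whether the DNS has been changed is something you can automate. The script below is an added example, not code from the article or from Netlab: it takes resolv.conf-style text (what the router hands out by DHCP) and flags any resolver not on an expected list, then compares A-record answers for sensitive domains between the router-assigned resolver and a reference resolver. All addresses and domains are constructed sample data, and the expected-resolver list is an assumption for this example.

```python
"""Offline checks for DNSChanger-style hijacking of a home router.

1. Are the resolvers the router hands out the ones we expect?
2. Do answers for sensitive domains from the router-assigned resolver
   agree with answers from a reference resolver queried directly by IP?
"""
import ipaddress
import re

# Resolvers this network is known to use (assumption for this example:
# the router itself plus a public resolver the household chose).
EXPECTED_RESOLVERS = {"192.168.0.1", "8.8.8.8", "8.8.4.4"}


def parse_resolv_conf(text: str) -> list[str]:
    """Return nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS) -> list[str]:
    """Flag resolvers not on the expected list. A DNSChanger compromise
    swaps the router's DNS for an attacker-controlled address, so any
    unknown or malformed entry is worth a look."""
    flagged = []
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            flagged.append(s)  # not even a valid IP: report it
            continue
        if s not in expected:
            flagged.append(s)
    return flagged


def mismatched_answers(router_answers: dict, reference_answers: dict) -> list[str]:
    """Domains whose answer from the router's resolver differs from the reference."""
    return sorted(d for d, ip in router_answers.items()
                  if reference_answers.get(d) != ip)


# Constructed sample data (documentation/test address ranges, not real sites).
SAMPLE_RESOLV_CONF = """# Generated by DHCP
search lan
nameserver 192.168.0.1
nameserver 203.0.113.45
"""
ROUTER_ANSWERS = {"bank.example": "198.51.100.7", "mail.example": "192.0.2.10"}
REFERENCE_ANSWERS = {"bank.example": "192.0.2.21", "mail.example": "192.0.2.10"}

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
    print("mismatched domains:", mismatched_answers(ROUTER_ANSWERS, REFERENCE_ANSWERS))
```

In real use, the two answer sets would come from querying the router-assigned resolver and a reference resolver by IP; a mismatch on a bank domain is the signature of the redirect described above.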


What the manufacturers say

Contacted for comment, Intelbras says it is not aware of any problems with its routers: "We hereby inform you that so far we have no registered case of injury to our users, through our 14 service channels, corresponding to the vulnerability of Intelbras routers." Regarding security, the company directs consumers to keep up with routine equipment updates: "the control and availability of updated firmware are available on our website (www.intelbras.com.br/downloads)".

Multilaser also says there are no reported problems so far. "There was no customer contact through the service channels that could be connected to the event. Multilaser advises consumers to contact support for more information on updates and configuration of the brand's devices."

D-Link reports that the vulnerability had already been reported to it and, according to its statement, the company has made the fix available to users of its routers. "D-Link reiterates the importance of users constantly updating the firmware of their routers, which increases the security of the equipment and the connection," the company adds.

TP-Link says it is aware of the problem and recommends that users keep their firmware up to date and change the password on their devices. In its statement: "TP-Link is aware of the research regarding the vulnerability of its routers. As a way to prevent this possible malware, TP-Link recommends following these steps:

  • Change the default password to a more complex one to prevent intruders from accessing the router settings;
  • Make sure your router is using the latest firmware version. If not, upgrade to prevent older vulnerabilities from being exploited."

Huawei had not commented by the time this article was published.

Via Netlab at 360
