DNS Changer Malware sets sights on Home Routers
FYI...
DNS Changer Malware sets sights on Home Routers
- http://blog.trendmicro.com/trendlabs...-home-routers/
May 28, 2015 - "Home routers can be used to steal user credentials, and most people just don’t know it yet. Bad guys have found ways to use Domain Name System (DNS) changer malware* to turn the most inconspicuous network router into a vital tool for their schemes. We already know that routers sometimes ship with malicious DNS server settings**. In this scenario, the malware is used to tamper with the router and its DNS settings. In the event that users try to visit legitimate banking websites or other pages -defined- by the bad guys, the malware would redirect users to malicious versions of the said pages. This would allow cybercriminals to steal users’ account credentials, PIN numbers, passwords, etc. We’ve seen a growing number of related malicious sites in Brazil (nearly 88% of all infections), the United States, and Japan. These sites run a browser script that performs a brute-force attack against the victim’s router, from the internal network. With access to the administration interface through the right credentials, the script sends a single HTTP request to the router with a malicious DNS server IP address. Once the malicious version replaces the current IP address, the infection is done. Except for the navigation temporary files, no files are created in the victim machine, no persistent technique is needed and nothing changes. Modified DNS settings mean users do not know they are navigating to clones of trusted sites. Users that don’t change the default credentials are highly vulnerable to this kind of attack...
(Majority of affected routers are from Brazil):
> https://blog.trendmicro.com/trendlab...NS_router3.png
Some of the -redirected- sites we noted are mobile-ready. This means that once a router gets its DNS settings changed, all devices in the router network are exposed to this attack, including mobile devices. The attack may not only be limited to online banking fraud. This kind of attack becomes especially dangerous for Internet of Things (IoT) or smart devices as cybercriminals can easily poison DNS names of authentication/feedback websites used by those devices and steal users’ credentials.
Best Practices: To prevent this attack and other router-centric ones, we strongly recommend that users configure routers to:
- Use strong passwords all user accounts.
- Use a different IP address than the default.
- Disable remote administration features.
It is a good idea to periodically audit the router DNS settings and pay attention to the visited websites that require credentials like e-mail providers, online banking, etc. They must all show a valid SSL certificate. Another useful preventive action is to install browser extensions that can block scripts before they get executed in the user’s browser, like NoScript***...
Malicious DNS servers:
176.119.37.193
176.119.49.210
52.8.68.249
52.8.85.139
64.186.146.68
64.186.158.42
218.186.2.16
218.186.2.6
192.99.111.84
46.161.41.146
Updated May 30, 2015, 4:32 AM PST "
* http://blog.trendmicro.com/trendlabs...are-you-ready/
** http://blog.trendmicro.com/trendlabs...ning-messages/
*** https://noscript.net/
