GhostDNS: the malware that can hack your router and steal your bank password

Cybersecurity researchers have discovered a new malware campaign, targeting Brazil, that has already invaded more than 100,000 routers. It changes DNS settings of routers to trick users with fake websites, especially related to banks, and steal their passwords.

Called GhostDNS, the malware is similar to DNSChanger, and works by changing DNS settings on vulnerable routers. As a result, part of the network traffic is diverted to attackers' servers in order to falsify bank websites, among others, and steal users' passwords.

GhostDNS scans the network looking for vulnerable routers, with weak passwords or even no password at all. The malware invades these vulnerable routers and changes the configuration regarding which DNS servers the router and local network users should use. By controlling this, the malware is able to redirect part of the traffic to malicious websites that aim to steal users' passwords and other personal data. Routers infected with this malware will be able to redirect traffic from sites such as Bradesco, Banco do Brasil, Caixa, Itaú, Santander, Citibank, Sicredi and Netflix.

According to the survey carried out, GhostDNS has already invaded more than 100,000 routers, 87.8% of which are in Brazil . Some brands/models of infected routers found in the search:

3COM OCR-812
AirRouter AirOS
PQWS2401 Antenna
AP-ROUTER
C3-TECH Router
Cisco Router
D-Link DIR-600
D-Link DIR-610
D-Link DIR-615
D-Link DIR-905L
D-Link DSL-2640T
D-Link DSL-2740R
D-Link DSL-500
D-Link DSL-500G/DSL-502G
D-Link ShareCenter
Elsys CPE-2n
Fiberhome
Fiberhome AN5506-02-B
Fiberlink 101 GPON ONU
Greatek GWR-120
Huawei
Huawei SmartAX MT880a
Intelbras WRN 150
Intelbras WRN 240
Intelbras WRN 300
Intelbras WRN240-1
Kaiomy Router
LINKONE
MikroTiK Routers
Multilaser
OIWTECH
PFTP-WR300
QBR-1041 WU
Ralink Routers
Sapido RB-1830
SpeedStream
SpeedTouch
TECHNIC LAN WAR-54GS
Tent
Thomson
TP-Link Archer C7
TP-Link TD-W8901G/TD-W8961ND/TD-8816
TP-Link TD-W8960N
TP-Link TL-WR1043ND
TP-Link TL-WR720N
TP-Link TL-WR740N
TP-Link TL-WR749N
TP-Link TL-WR840N
TP-Link TL-WR841N
TP-Link TL-WR841ND
TP-Link TL-WR845N
TP-Link TL-WR849N
TP-Link TL-WR941ND
TRIZ TZ5500E/VIKING
DSLINK 200 U/E
Wive-NG routers firmware
ZTE ZXHN H208N
Zyxel VMG3312

How do I find out if my router has been hacked?

The main symptom that indicates that your router has been hacked by GhostDNS or DNSChanger is that it will make your computer use a strange DNS server. It is possible to do a simple test, which detects most cases.

First find out which DNS servers are in use by your computer.
If the DNS servers specified on your computer do not match any of the following patterns, we recommend further analysis.

192.168.xx
10.xxx
8.8.8.8
8.8.4.4
1.1.1.1
1.0.0.1
9.9.9.9
149.112.112.112
208.67.222.222
208.67.220.220
4.2.2.1
4.2.2.2

How to avoid problems with GhostDNS?

You can prevent GhostDNS from hacking your router by using a strong password in the router's management interface . Furthermore, keeping the router with updated firmware , according to the latest official firmware versions released by the manufacturer, is also an important measure to avoid security problems.

Another very effective solution is to use an internet access control system with DNS Firewall , as is the case with Lumiun . In networks that use Lumiun, the probability of equipment contamination and router hacking is reduced, and, furthermore, even if the router has been hacked and the DNS reconfigured, Lumiun will protect the network and will not allow this type of hacker redirects user traffic based on the DNS change imposed by the malware on the affected router. Therefore, companies that use Lumiun are always safe against all malware campaigns that aim to divert traffic by invading the router and modifying the DNS.