GhostDNS: the malware that can hack your router and steal your bank password

Cybersecurity researchers have discovered a new malware campaign, targeting Brazil, that has already invaded more than 100,000 routers. It changes DNS settings of routers to trick users with fake websites, especially related to banks, and steal their passwords.

Called GhostDNS, the malware is similar to DNSChanger, and works by changing DNS settings on vulnerable routers. As a result, part of the network traffic is diverted to attackers' servers in order to falsify bank websites, among others, and steal users' passwords.

GhostDNS scans the network looking for vulnerable routers, with weak passwords or even no password at all. The malware invades these vulnerable routers and changes the configuration regarding which DNS servers the router and local network users should use. By controlling this, the malware is able to redirect part of the traffic to malicious websites that aim to steal users' passwords and other personal data. Routers infected with this malware will be able to redirect traffic from sites such as Bradesco, Banco do Brasil, Caixa, Itaú, Santander, Citibank, Sicredi and Netflix.

According to the survey carried out, GhostDNS has already invaded more than 100,000 routers, 87.8% of which are in Brazil . Some brands/models of infected routers found in the search:

  • 3COM OCR-812
  • AirRouter AirOS
  • PQWS2401 Antenna
  • AP-ROUTER
  • C3-TECH Router
  • Cisco Router
  • D-Link DIR-600
  • D-Link DIR-610
  • D-Link DIR-615
  • D-Link DIR-905L
  • D-Link DSL-2640T
  • D-Link DSL-2740R
  • D-Link DSL-500
  • D-Link DSL-500G/DSL-502G
  • D-Link ShareCenter
  • Elsys CPE-2n
  • Fiberhome
  • Fiberhome AN5506-02-B
  • Fiberlink 101 GPON ONU
  • Greatek GWR-120
  • Huawei
  • Huawei SmartAX MT880a
  • Intelbras WRN 150
  • Intelbras WRN 240
  • Intelbras WRN 300
  • Intelbras WRN240-1
  • Kaiomy Router
  • LINKONE
  • MikroTiK Routers
  • Multilaser
  • OIWTECH
  • PFTP-WR300
  • QBR-1041 WU
  • Ralink Routers
  • Sapido RB-1830
  • SpeedStream
  • SpeedTouch
  • TECHNIC LAN WAR-54GS
  • Tent
  • Thomson
  • TP-Link Archer C7
  • TP-Link TD-W8901G/TD-W8961ND/TD-8816
  • TP-Link TD-W8960N
  • TP-Link TL-WR1043ND
  • TP-Link TL-WR720N
  • TP-Link TL-WR740N
  • TP-Link TL-WR749N
  • TP-Link TL-WR840N
  • TP-Link TL-WR841N
  • TP-Link TL-WR841ND
  • TP-Link TL-WR845N
  • TP-Link TL-WR849N
  • TP-Link TL-WR941ND
  • TRIZ TZ5500E/VIKING
  • DSLINK 200 U/E
  • Wive-NG routers firmware
  • ZTE ZXHN H208N
  • Zyxel VMG3312

How do I find out if my router has been hacked?

The main symptom that indicates that your router has been hacked by GhostDNS or DNSChanger is that it will make your computer use a strange DNS server. It is possible to do a simple test, which detects most cases.

  1. First find out which DNS servers are in use by your computer.
  2. If the DNS servers specified on your computer do not match any of the following patterns, we recommend further analysis.
  • 192.168.xx
  • 10.xxx
  • 8.8.8.8
  • 8.8.4.4
  • 1.1.1.1
  • 1.0.0.1
  • 9.9.9.9
  • 149.112.112.112
  • 208.67.222.222
  • 208.67.220.220
  • 4.2.2.1
  • 4.2.2.2

How to avoid problems with GhostDNS?

You can prevent GhostDNS from hacking your router by using a strong password in the router's management interface . Furthermore, keeping the router with updated firmware , according to the latest official firmware versions released by the manufacturer, is also an important measure to avoid security problems.

Another very effective solution is to use an internet access control system with DNS Firewall , as is the case with Lumiun . In networks that use Lumiun, the probability of equipment contamination and router hacking is reduced, and, furthermore, even if the router has been hacked and the DNS reconfigured, Lumiun will protect the network and will not allow this type of hacker redirects user traffic based on the DNS change imposed by the malware on the affected router. Therefore, companies that use Lumiun are always safe against all malware campaigns that aim to divert traffic by invading the router and modifying the DNS.

References

The Hacker News – GhostDNS: New DNS Changer Botnet Hijacked Over 100,000 Routers [Content in English]

Netlab 360 – 70+ different types of home routers(all together 100,000+) are being hijacked by GhostDNS [Content in English]

Lumiun DNS integration with pfsense software
Lumiun DNS Free Trial
Related Posts