GhostDNS: Tool to Hack Routers and Steal Information

When our antivirus or antimalware software is active, it alerts us to potentially malicious files. This time, thanks to that protection, one of the most popular antivirus solutions was able to discover GhostDNS and analyze it in detail. It is presented as an extremely effective and powerful tool, capable of compromising routers with fairly weak security.

GhostDNS consists of a set of tools for exploiting vulnerabilities in routers. Its detection and detailed analysis were possible because Avast! flagged it as a suspicious compressed file when someone tried to upload it to a portal. The main purpose of these tools is to facilitate attacks such as phishing in order to steal credentials, especially those related to banking details such as credit cards.


Remember that Avast! is one of the best-known antivirus and antimalware solutions. Like other such solutions, it is able to detect potentially malicious files. Once a file is detected, it analyzes in detail what the file contains and what characteristics it has. Consequently, Avast! and similar programs gain full access to the file and can retrieve a copy of it.

From this, it was possible to learn in detail what GhostDNS is and how it compromises routers. Most of the targeted devices are in Latin America, but it could very soon reach Spain as well.

What does GhostDNS contain?

Everything needed to carry out DNS hijacking attacks. This type of attack can be carried out both at the internal network level and over the Internet. For internal attacks, GhostDNS allows any computer that uses the compromised router as its gateway to attack the rest of the network. Attacks carried out over the Internet, however, require an additional tool to scan for vulnerable routers. This vulnerability scanner is found inside the compressed file detected by Avast!.

As mentioned, the targets are in Latin American countries, and reports indicate that Brazil is the most affected. The scanner for vulnerable routers is called BRUT; the parameters it uses to locate them are public IP addresses and an open HTTP port. The antivirus vendor's analysis identified two versions:

  • Version 1: Detects fewer devices, but carries an extensive list of the routers' likely default username and password combinations.
  • Version 2 (apparently the most recent): Detects more devices, but with fewer possible administrator credential combinations.

One of the reasons such exploit kits are so successful is that a large proportion of routers still have default administrator credentials. It is always recommended to change these credentials, using passwords that, of course, cannot easily be guessed from personal data or identifying numbers. However, this has not yet become the norm, which is why it is so easy to find many routers sharing the same username and password combination. We recommend reading our tutorial on how to create strong passwords.

Above, we said that the scanner has two versions. The second is the more convenient one for a cybercriminal: more routers and fewer password combinations to try. This gives the advantage of breaking into more devices by trying each combination only once. It is that simple, and it takes little effort.

When a router has been compromised by GhostDNS, its administrator password is changed to deadcorp2017. Curiously, among the candidate passwords found in the kit's credential list for vulnerable routers are those belonging to already infected routers; that is, it lists routers whose administrator password is deadcorp2017. This means that if your router has already fallen victim to GhostDNS, it can fall victim again at the hands of other cybercriminals.

Compromise and attack scheme

According to the report, GhostDNS exploits one of the web security risks listed by OWASP: Cross-Site Request Forgery (CSRF). The attack alters the DNS settings on the router so that DNS requests are directed to a malicious DNS server (known as a rogue server). The address of the rogue DNS server varies according to the criteria the cybercriminal applies when carrying out the attacks. When Avast! analyzed the kit, it came across three variants of malicious DNS configurations, none of which, fortunately, are currently operational.
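As an added, defender-side illustration (not part of the article or of the Avast! report), the following Python script runs two detection rules over constructed router admin-interface access log lines: a burst of failed logins from one source followed by a success, which is the footprint a default-credential scanner such as BRUT would leave, and a POST to the DNS-settings page whose Referer is not the router itself, which is how a CSRF-driven DNS change would appear. The log format, the paths /login.cgi and /dnscfg.cgi, and the router address 192.168.0.1 are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed router admin-interface access log (combined log style). All
# addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2018:10:00:01 +0000] "POST /login.cgi HTTP/1.1" 401 0 "-"
203.0.113.7 - - [01/Oct/2018:10:00:02 +0000] "POST /login.cgi HTTP/1.1" 401 0 "-"
203.0.113.7 - - [01/Oct/2018:10:00:03 +0000] "POST /login.cgi HTTP/1.1" 401 0 "-"
203.0.113.7 - - [01/Oct/2018:10:00:04 +0000] "POST /login.cgi HTTP/1.1" 200 512 "-"
192.168.0.23 - - [01/Oct/2018:10:05:10 +0000] "POST /dnscfg.cgi HTTP/1.1" 200 88 "http://198.51.100.9/lure.html"
192.168.0.5 - - [01/Oct/2018:11:00:00 +0000] "POST /dnscfg.cgi HTTP/1.1" 200 88 "http://192.168.0.1/dns.html"
192.168.0.5 - - [01/Oct/2018:11:00:05 +0000] "GET /status.html HTTP/1.1" 200 2048 "http://192.168.0.1/"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

ROUTER_HOST = "192.168.0.1"         # assumed LAN address of the router's admin UI
LOGIN_PATHS = {"/login.cgi"}        # assumed login endpoint
DNS_CONFIG_PATHS = {"/dnscfg.cgi"}  # assumed DNS-settings endpoint
FAILED_LOGIN_THRESHOLD = 3          # failures from one source before we alert


def parse_log(text):
    """Parse access log lines into dicts, skipping lines that do not match."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def detect(entries):
    """Return (rule, source_ip, detail) alerts for credential guessing and CSRF-style DNS changes."""
    alerts, failures = [], defaultdict(int)
    for e in entries:
        if e["method"] != "POST":
            continue
        if e["path"] in LOGIN_PATHS:
            if e["status"] in ("401", "403"):
                failures[e["ip"]] += 1
            elif e["status"] == "200" and failures[e["ip"]] >= FAILED_LOGIN_THRESHOLD:
                # A success right after a burst of failures: a guessed default password.
                alerts.append(("login_after_guessing", e["ip"],
                               f"{failures[e['ip']]} failures then success"))
        elif e["path"] in DNS_CONFIG_PATHS:
            # A legitimate DNS change is submitted from a page served by the router
            # itself; a foreign or missing Referer is the mark of a cross-site request.
            if urlparse(e["referer"]).hostname != ROUTER_HOST:
                alerts.append(("dns_change_foreign_referer", e["ip"], e["referer"]))
    for ip, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("credential_guessing", ip, f"{n} failed logins"))
    return alerts
```

Running `detect(parse_log(SAMPLE_LOG))` on the constructed log yields three alerts: the credential-guessing burst, the login that followed it, and the DNS change referred from a foreign host; the DNS change referred from the router's own page is not flagged.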

The most worrying part is that no one connected to the router notices any irregularity until the moment they realize their data has been stolen. The report also indicates that, through this discovery by the popular antivirus solution, it was possible to identify the types of fake websites used. These fake sites are what people connected to the compromised routers see in their browsers. Here are some of them:

  • Banks:
    • Itaú
    • Santander
    • Bradesco
  • Credicard
  • Netflix and others

Once again, this reinforces the importance of protecting the devices we use to connect to the Internet. We are talking not only about the computer but, in this case, about the Wi-Fi router as well. It is one of the most active devices in our homes, yet at the same time one of those that receives the least attention when it comes to hardening its settings. Simply adopting the good practice of changing the router's administrator password will make a difference.

We must also pay close attention when browsing the web, even on the sites we visit frequently. We cited above the sites included in the GhostDNS exploit kit, and among them are extremely popular institutions and services. Let's take a few seconds to look at the URL of the pages we visit. We should also keep an eye on the content of the pages, although nowadays phishing pages look very similar to legitimate ones.

However, the most effective protective shield against router compromise is protecting administrator access with a truly strong and secure password.