Warning: a botnet campaign called GhostDNS is taking over more than 100,000 routers
Security researchers at NetLab, a security team of Qihoo 360, recently discovered a malicious campaign called GhostDNS that took over more than 100,000 home routers, changing their DNS settings and using malicious websites to steal user information.
Similar to the well-known DNSChanger malware, GhostDNS works by changing the DNS settings of affected devices. The attacker then routes the user's Internet traffic through malicious servers and steals sensitive information such as the user's bank account details.
According to NetLab, the GhostDNS system uses many different scripts to find the passwords of routers from 21 different manufacturers. The researchers also found attack code designed specifically for the affected routers or their firmware on more than 100 servers, most of them on Google Cloud.
In addition, GhostDNS has a series of auxiliary modules that let an attacker scan the Internet to find routers that are in the affected group and can be exploited. Notably, a fake DNS module is responsible for resolving targeted domain names to web servers controlled by the attackers.
According to security experts, from September 21 to September 27, more than 100,000 routers (about 87% of them in Brazil) were compromised by GhostDNS. Notably, D-Link and TP-Link router models, which are used by many domestic users, are also in the list of affected routers. Devices manufactured by Huawei, which many network providers supply to their Internet subscribers, are included in this list as well.
Below is a list of routers / firmware affected by GhostDNS.
The GhostDNS campaign is a real danger for users because it is a large-scale, automated attack that uses many different attack methods.
As recommended by the researchers, users should actively protect their home routers by updating to the latest firmware, setting strong and complex passwords, changing the default IP addresses on the local network, disabling the remote administration feature, and using only trusted DNS servers for the router or operating system.
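One way to check the "only use trusted DNS" recommendation from a Linux client, as an added example that is not from NetLab or the original article: it classifies every `nameserver` entry in resolv.conf-style text. The trusted resolver list, the function name `audit_resolvers` and the sample input are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: resolvers this site has chosen to trust; replace with your own policy.
TRUSTED = {ipaddress.ip_address(a) for a in ("1.1.1.1", "8.8.8.8", "9.9.9.9")}

# Loopback, RFC 1918 and IPv6 ULA/link-local: a local stub or the router itself.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]


def audit_resolvers(resolv_conf_text):
    """Classify each nameserver as trusted, local, untrusted or invalid."""
    findings = []
    for raw in resolv_conf_text.splitlines():
        # Drop comments, then keep only "nameserver <address>" lines.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        text = fields[1].split("%", 1)[0]  # drop an IPv6 zone id such as %eth0
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            findings.append((fields[1], "invalid"))
            continue
        if addr in TRUSTED:
            verdict = "trusted"
        elif any(addr in net for net in LOCAL_NETS):
            verdict = "local"      # resolver is on the LAN: audit the router too
        else:
            verdict = "untrusted"  # public resolver outside the allowlist
        findings.append((str(addr), verdict))
    return findings


# Constructed sample: 203.0.113.53 is a documentation address standing in
# for a resolver that a tampered router handed out over DHCP.
SAMPLE = """# constructed resolv.conf
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 1.1.1.1
nameserver fe80::1%eth0
nameserver not-an-ip
"""

if __name__ == "__main__":
    for address, verdict in audit_resolvers(SAMPLE):
        print(f"{address:<16} {verdict}")
```

A `local` verdict only shows that the client asks the router or a local stub; the upstream DNS servers configured on the router itself still have to be checked in its administration interface.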