DNS Changer Malware Sets Sights on Home Routers

Home routers can be used to steal user credentials, and most people just don’t know it yet. Bad guys have found ways to use Domain Name System (DNS) changer malware to turn the most inconspicuous network router into a vital tool for their schemes.

Attacks that use DNS changer malware aren’t new, but this is the first time we’re seeing the malware affecting routers. (We already know that routers sometimes ship with malicious DNS server settings.) In this scenario, the malware is used to tamper with the router and its DNS settings. In the event that users try to visit legitimate banking websites or other pages defined by the bad guys, the malware would redirect users to malicious versions of the said pages. This would allow cybercriminals to steal users’ account credentials, PIN numbers, passwords, etc.

We’ve seen a growing number of related malicious sites in Brazil (nearly 88% of all infections), the United States, and Japan. These sites run a browser script that performs a brute-force attack against the victim’s router, from the internal network. With access to the administration interface through the right credentials, the script sends a single HTTP request to the router with a malicious DNS server IP address. Once the malicious version replaces the current IP address, the infection is done. Except for the navigation temporary files, no files are created in the victim machine, no persistent technique is needed and nothing changes.

Modified DNS settings mean users do not know they are navigating to clones of trusted sites. Users that don’t change the default credentials are highly vulnerable to this kind of attack.

Brute-force attacks possible with DNS router malware

DNS is the Internet standard for assigning IP addresses to domain names. It acts like a phone book that translates human-friendly host names to PC-friendly IP addresses. Cybercriminals create DNS changer malware to modify the DNS settings of a system. We had previously discussed DNS changer malware back in 2011, when the said malware infected more than 4,000,000 computers used as Esthost bots. We took part in the said botnet’s takedown in Operation Ghost Click.

Internet users commonly take DNS for granted because they are usually assigned by their ISPs. And since the DNS usually works as expected, there would be no reason to suspect otherwise.

DNS settings work like signposts that direct your browser where to go. In the case of a DNS changer malware infection, the “signs” can be switched without you noticing. Now even if the you observe proper security practices—like typing in the correct URL of your bank’s website, logging in using your super-secure password, and even logging out after you’re done—if the malware was successful in making the subtle redirection before your transaction, chances are your data would get stolen.

While this type of malware is not new, we’ve been seeing a growing number of links in phishing attacks in Brazil. These are used as entry points for a script, which we detect as HTML_DNSCHA, that performs a brute-force attack against the router from the internal network. This means that when user’s browser executes the malicious script, from the network point of view, an admin would see this DNS changing request from the user machine to the router, so internal traffic is seen. Therefore, admins looking for external attacks in firewall/router logs won’t find anything.

Brute-force attacks can still succeed because router owners are still notorious for not creating router passwords or using default passwords for popular brands of routers, all of which are available online.

Upon acquiring access to the router’s administration interface, the script sends a single HTTP request to the router with a malicious DNS server IP address to replace the current one—this is all that’s required for the cybercriminal to completely own the router from this point forward. Apart from the temporary navigation files, no other files are created in the victim machine, no persistent technique is needed, and as far as the user is concerned, there is no single clue that anything has changed.

In fact the victim will be able to navigate to any website of his choice as he normally would. However, when a victim tries to access a website of interest to cybercriminals, let’s use our earlier example of a banking website, the victim actually sees a clone of the original website, and this clone has been carefully designed to harvest the victim’s user credentials.

Needless to say, users that do not change the default credentials to their routers are highly vulnerable to this kind of attack.

One of the samples we studied captures the victim external IP address. The part of source code that does this is shown in the screenshot below:

Figure 1. The source code above shows how victims’ IPs are captured

The script tries to guess both the router IP address and administration credentials. Different device models are supported by a single script. The same sample targets D-Link and TPLINK ADSL routers, which are both very common in Brazil. The following image shows the source code responsible for the brute force part:

Figure 2. The source code above shows brute force routines

The script tries to connect to the router using class A and C IP addresses and the external (public) IP as well. It is easy to see that this type of attack takes advantage of router default settings.

Victim profiles

As previously mentioned, majority of the affected routers by this threat are centered in Brazil. The data shown below is the number of hits to the redirected URLs by DNS servers.

Figure 3. Majority of affected routers are from Brazil

Some of the redirected sites we noted are mobile-ready. This means that once a router gets its DNS settings changed, all devices in the router network are exposed to this attack, including mobile devices.

The attack may not only be limited to online banking fraud. This kind of attack becomes especially dangerous for Internet of Things (IoT) or smart devices as cybercriminals can easily poison DNS names of authentication/feedback websites used by those devices and steal users’ credentials.

Best Practices

To prevent this attack and other router-centric ones, we strongly recommend that users configure routers to:

Use strong passwords all user accounts.
Use a different IP address than the default.
Disable remote administration features.

It is a good idea to periodically audit the router DNS settings and pay attention to the visited websites that require credentials like e-mail providers, online banking, etc. They must all show a valid SSL certificate. Another useful preventive action is to install browser extensions that can block scripts before they get executed in the user’s browser, like NoScript.

For investigators and network administrators, I wrote a simple UNIX shell script that can be configured with a list of well-known domains (from email providers, online banking, etc.) and must receive a suspicious DNS server address as input, or use the default system DNS server. The script makes a DNS query request to a public DNS server (owned by Google) and another one to the suspicious DNS server and then compares the answers. If they are the different, that can be an indicator that the suspicious DNS server checked is indeed malicious.

Related hashes (HTML_DNSCHA.SM):