GhostDNS

GhostDNS is a large-scale DNS hijacking campaign, first publicly reported in the autumn of 2018 (the Netlab 360 analysis appeared on 29 September 2018 and wider coverage followed in October). It compromises consumer routers, the vast majority of them in Brazil, and rewrites their DNS settings so that traffic for selected domains is silently redirected to phishing sites and other attacker-controlled servers. The combination of several attack modules, a rogue DNS infrastructure and a set of phishing sites makes GhostDNS unusually well organised for a router campaign, and it has drawn considerable attention from security researchers.

Why GhostDNS Is So Threatening

GhostDNS is built from several cooperating components: a DNSChanger module that breaks into routers, a web administration panel used by the operators, a rogue DNS server, and phishing web servers. At the time of the original reporting it had compromised more than 100,000 routers, and its rogue DNS server was answering queries for at least 52 domains with attacker-controlled addresses. The aim is to send users to convincing phishing copies of sites they visit of their own accord, where passwords can be harvested, or to pages serving unwanted advertising and other malicious content. GhostDNS targets home and small-office routers rather than companies or other high-profile targets: these devices are rarely updated, frequently still carry the factory default administrator password, and often expose their management interface to the Internet, which is exactly what the campaign exploits and one of the main reasons it has been so successful. The DNSChanger module itself consists of three sub-modules:

  1. Shell DNSChanger – Written as shell scripts, this module wraps a tool called Fast HTTP Auth Scanner v0.6 (Fscan), which sweeps IP ranges for router web interfaces and tries a list of factory default and other commonly used credentials against them. Routers that accept one of these passwords have their DNS settings rewritten.
  2. Js DNSChanger – Written in JavaScript and made up of a scanner, a payload generator and an attack program. Rather than scanning the Internet, it is injected into web pages so that it runs inside the victim's browser; from there it locates the router on the local network and submits the DNS change using default credentials. This lets the attackers reach routers whose administration interface is only reachable from the LAN.
  3. PyPhp DNSChanger – Written in Python and PHP and the most widely deployed of the three, this module runs on more than a hundred cloud-hosted servers controlled through a web API. It scans for routers, mostly in Brazil, and carries out brute-force attacks on their login pages, taking advantage of weak passwords and administration interfaces exposed to the Internet.

How GhostDNS Carries Out Its Attack

Each module is tailored to specific router models and generates the appropriate payload automatically. Once a router is compromised, the attackers replace the DNS server addresses it hands out to the devices behind it (normally via DHCP) with the address of their own rogue DNS server. For most domains that server returns the correct answer, so the victim notices nothing; for the domains on its hijack list it returns the address of a phishing server instead. A victim who types in the address of their online banking site is therefore sent to a look-alike page that captures the login details, which the criminals then use against the real account. Malware researchers observed at least nineteen phishing pages imitating online banking and mobile phone websites being served from the phishing servers associated with the GhostDNS campaign. Note that a DNS hijack does not defeat HTTPS by itself: a phishing server cannot present a valid certificate for a domain it does not control, so a certificate warning, or a site that suddenly loads over plain HTTP, is often the only visible sign of the attack.

Protecting Yourself from Attacks Like GhostDNS

The following router models and firmwares have been associated with GhostDNS (the campaign targets more than 70 models in total):

AirRouter AirOS, Antena PQWS2401, C3-TECH Router, Cisco Router, Elsys CPE-2n, GPON ONU, GWR 120, Greatek, Huawei, LINKONE, MikroTik, Multilaser, OIWTECH, PFTP-WR300, QBR-1041 WU, Sapido RB-1830, TECHNIC LAN WAR-54GS, Tenda Wireless-N Broadband Router, Thomson, Wive-NG routers firmware, ZXHN H208N, Zyxel VMG3312
D-Link DIR-600, D-Link DIR-610, D-Link DIR-615, D-Link DIR-905L, D-Link ShareCenter
Fiberhome, Fiberhome AN5506-02-B, Fiberlink 101
Intelbras WRN 150, Intelbras WRN 240, Intelbras WRN 300
Roteador PNRT150M, Roteador Wireless N 300Mbps, Roteador WRN150, Roteador WRN342
TP-Link Archer C7, TP-Link TL-WR1043ND, TP-Link TL-WR720N, TP-Link TL-WR740N, TP-Link TL-WR749N, TP-Link TL-WR840N, TP-Link TL-WR841N, TP-Link TL-WR845N, TP-Link TL-WR849N, TP-Link TL-WR941ND.

Keeping the network running is not enough: users in Brazil, and owners of any of the routers listed above, should take a few extra steps to protect themselves from attacks like GhostDNS:

  1. Update the router firmware, since the exploited models are typically running old releases.
  2. Replace the factory default administrator password with a strong, unique one; every GhostDNS module depends on default or weak credentials.
  3. Disable remote (WAN-side) administration and restrict the management interface to the local network; the PyPhp module can only brute-force a login page it can reach from the Internet.
  4. Check the DNS server addresses in the router's WAN and DHCP settings and compare them with the ones published by your ISP or the public resolver you chose. Unknown addresses mean the router has very probably been compromised: reset it, reconfigure it and change the password.
  5. After a suspected compromise, flush the DNS cache on the computers and phones behind the router, since they may still hold the rogue answers, and never click through certificate warnings on banking sites.
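The check in the last two points can be automated. The following Python script is an added example, not code from the GhostDNS write-ups or from the attackers' tooling. It builds and parses DNS A queries with nothing but the standard library, so the same domain can be asked of the router's resolver and of a trusted one and the two answers compared, and it flags DHCP-supplied DNS servers that are not on an allowlist. The resolver allowlist, the domain names and every address in the demo are constructed (TEST-NET ranges), not observed GhostDNS infrastructure.

```python
"""Added example: spot the two symptoms of a GhostDNS-style hijack on a LAN.
 1. the router's DHCP hands out DNS servers that are not your ISP's or a known public resolver;
 2. a domain resolves differently through the router's resolver than through a trusted one.
Standard library only. All names and addresses below are constructed."""
import ipaddress
import random
import socket
import struct

# Assumption: replace with your ISP's resolvers and/or the public resolvers you actually use.
TRUSTED_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}


def build_a_query(name, txid):
    """Minimal DNS query for an A record (one question, recursion desired)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off, max_hops=16):
    """Decode a (possibly compressed) name; returns (name, offset just past the field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if (length & 0xC0) == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            hops += 1
            if hops > max_hops:  # a hostile resolver could send a pointer loop
                raise ValueError("pointer loop in DNS name")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (off if end is None else end)


def parse_a_answers(msg, txid):
    """Return the sorted IPv4 addresses found in the answer section of a DNS response."""
    rid, _flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed response)")
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return sorted(addrs)


def query_a(server, name, timeout=2.0):
    """Ask one specific resolver (e.g. the router at 192.168.0.1) for a name's A records."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data, txid)


def unexpected_resolvers(dhcp_dns, allowed):
    """DNS servers handed out by the router that are not on the allowlist."""
    return [d for d in dhcp_dns if d not in allowed]


def hijacked_domains(router_view, trusted_view):
    """Domains whose answers from the router's resolver differ from the trusted resolver's."""
    return sorted(n for n in trusted_view if n in router_view and router_view[n] != trusted_view[n])


def build_a_response(txid, name, addrs, ttl=60):
    """Constructed response for offline use; answers point back at the question name (0xC00C)."""
    question = build_a_query(name, txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
                   for a in addrs)
    return header + question + rrs


def run_demo():
    """Constructed scenario: the DHCP lease names 198.51.100.7 (TEST-NET-2, standing in for a rogue
    resolver) and that resolver answers bank.example with a phishing address."""
    dhcp_dns = ["198.51.100.7", "8.8.8.8"]
    txid = 0x1234
    rogue = parse_a_answers(build_a_response(txid, "bank.example", ["198.51.100.20"]), txid)
    honest = parse_a_answers(build_a_response(txid, "bank.example", ["203.0.113.10"]), txid)
    router_view = {"bank.example": rogue, "shop.example": ["203.0.113.5"]}
    trusted_view = {"bank.example": honest, "shop.example": ["203.0.113.5"]}
    return {"unexpected_resolvers": unexpected_resolvers(dhcp_dns, TRUSTED_RESOLVERS),
            "hijacked": hijacked_domains(router_view, trusted_view)}


if __name__ == "__main__":
    print(run_demo())
```

For a live check, call query_a twice for each domain you care about, once against the router's LAN address and once against a resolver you trust, and pass the two result dictionaries to hijacked_domains. The transaction-id check and the pointer-hop limit are there because, in this scenario, the router's resolver is hostile input and must be parsed defensively.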
