Cyber Crooks Compromise DNSs of Routers by Adding New Function to the Notorious Sality Malware

According to security firm ESET, developers of notorious piece of malware namely Sality has been around since 2003 and began adding fresh functionality to it in the past few months that is designed to compromise the main DNS address of routers.

Security researchers have been monitoring this new strain that was originally spotted in the end of October 2013. Experts of Russian security firm Dr. Web first identified the threat that is nicknamed Win32/RBrute.

During the first attack, ESET detected a component namely Win32/RBrute.A that scans the Internet for a variety of router models. The list includes D-Link, Cisco, Huawei, ZTE and TP-Link routers and most heavily struck models belong to TP-Link.

When one of these routers is identified, the malware downloads a list of IP (Internet Protocol) addresses from the server of C&C (command and control) and attempts to undertake a brute-force attack on administration panel of the device. The C&C server sends the bot a list of around couple of dozen common or default passwords to strive and access the administration web page.

The powerful attack has been attackers' favorite for a long-time. By redirecting a victim to their own malicious DNS server, the cybercriminals can control the direction of an individual even if they type the right name of the domain for a web site.

The malicious DNS server redirects Internauts to a fake page of Google Chrome installation whenever they try to resolve domains having the words 'Google' or 'Facebook'.

The binary distributed through this installation page is 'Win32/Sality' which gives a way for the operators of Sality botnet to increase its size further by tainting other people behind this router.

Techworld.com published a report on 3rd April, 2014 quoting Benjamin Vanheuverzwijn, a Malware Researcher of ESET, as saying that they will no more be affected by its hoax redirections as infected PCs will not employ DNS server of the router any longer."

The number of computers infected with Sality appeared to increase during December 2013 coinciding the adding of DNS strain. But, Vanheuverzwijn adds that the effectiveness of the new ploy is uncertain in the long-run as many configuration portals of routers are not configured to face the Web.

» SPAMfighter News - 4/11/2014