[BOTNET] GhostDNS: the botnet made up of 100,000 routers is attacking Brazil

Netlab 360, the security research lab of the Chinese company Qihoo 360, has detected a large botnet that is rampant in Brazil. Its name: GhostDNS. It is built to steal the banking credentials of Internet users. This new IoT botnet has compromised close to 100,000 routers in Brazil, and more than 70 consumer router models are affected. The campaign is particularly vicious: the attackers' aim is not to knock these devices or websites offline with a DDoS attack, but to empty bank accounts. Radware, a provider of load balancing and security services for data centers, had already identified a campaign of this kind aimed at the customers of Banco do Brasil, one of the oldest banks in the country.

By hijacking DNS resolution, the attackers redirected victims to a clone of the bank's web portal to harvest their banking credentials. According to Qihoo's Netlab 360, the GhostDNS botnet is still growing. In a report published on 29 September 2018, the lab gave the number of routers compromised and the number of models involved, and described the method the attackers use. To take control of a router, the malware either brute-forces the web-admin password or abuses a CGI script exposed by the router's web interface to change the DNS server the device hands out to its clients. Once every machine behind the router resolves names through a server the attackers run, they decide which IP address the user's browser connects to for any domain they choose, which is what lets them serve the cloned bank portal without touching the victim's computer. Netlab 360 identified three DNSChanger sub-modules doing this work, written in shell script, JavaScript, and Python/PHP respectively.
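The practical check that follows from this is to ask the resolver your router hands out and an independent, trusted resolver for the same bank domain, and to compare the answers. The script below is an added example, not code from Netlab 360, Radware, or the article; it speaks raw DNS over UDP with the standard library only, and its transport function can be swapped for a fake one so the logic runs offline. The router address `192.168.1.1`, the trusted resolver `1.1.1.1`, and the domain list in the `__main__` block are assumptions you should replace with your own.

```python
"""Detect router-level DNS hijacking of the GhostDNS kind: resolve a domain
through the resolver the router advertises and through a trusted resolver,
then flag answers that disagree.  Added example, not the original page's code."""
import random
import socket
import struct


def encode_name(name):
    # "www.example.com" -> b"\x03www\x07example\x03com\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.strip(".").split(".")) + b"\x00"


def build_query(name, qid):
    # Header: id, flags (RD set), QDCOUNT=1; then one question of type A, class IN.
    return (struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack(">HH", 1, 1))


def read_name(data, off):
    """Decode a possibly-compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(resp, qid):
    """Return the IPv4 addresses in the answer section of a response to query qid."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, off = read_name(resp, off)
        off += 4                                 # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = read_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def build_response(query_pkt, ips, ttl=60):
    """Build the answer a resolver (honest or rogue) would return for query_pkt.
    Used by the offline test; also shows what a DNSChanger's server sends back."""
    qid = struct.unpack(">H", query_pkt[:2])[0]
    question = query_pkt[12:]
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c"               # pointer to the question name
                       + struct.pack(">HHIH", 1, 1, ttl, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + question + answers


def udp_send(resolver, pkt, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver, 53))
        return s.recv(4096)


def resolve_a(resolver, name, send=udp_send):
    qid = random.randrange(1 << 16)
    return parse_a_records(send(resolver, build_query(name, qid)), qid)


def check_domain(name, device_resolver, trusted_resolver, send=udp_send):
    dev = set(resolve_a(device_resolver, name, send))
    ref = set(resolve_a(trusted_resolver, name, send))
    # Disjoint answer sets are a lead, not proof: CDN and geo-DNS answers can
    # legitimately differ, so confirm against the bank's TLS certificate.
    return {"domain": name, "device": sorted(dev), "trusted": sorted(ref),
            "suspicious": dev.isdisjoint(ref)}


if __name__ == "__main__":
    import sys
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # assumed address
    for domain in ("www.bb.com.br", "www.netflix.com"):             # assumed list
        print(check_domain(domain, router, "1.1.1.1"))              # assumed trusted resolver
```

Run it on a client behind the router with the router's LAN address as the first argument. A hijacked router answers with an address the trusted resolver never returns; a legitimate CDN domain can also produce a mismatch, so treat `suspicious` as a trigger to inspect the router's DNS setting and the certificate the site presents, not as a verdict on its own.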

The scale of the attack is not negligible. Nearly 88% of the infected devices are located in Brazil. The rogue DNS servers hijacked more than 50 domains, including those of Netflix, Citibank.br and several other Brazilian banks, to harvest users' credentials. The rogue servers themselves were hosted on infrastructure belonging to Hostkey, Oracle, Multacom, Amazon, Google, Telefónica, Aruba and OVH. Netlab 360 notified these companies, most of which have since taken down the corresponding IP addresses. Netlab 360 considers GhostDNS "a real threat to the global Internet". The researchers recommend that Internet users and Brazilian companies update their routers' firmware; given the two intrusion paths described above, replacing the default admin password and verifying that the router's DNS setting points to the expected servers are the natural companions to that advice.