
Topic: GhostDNS / DNS Changer / DNS Hijacking Vulnerability


  • Administrator
GhostDNS / DNS Changer / DNS Hijacking Vulnerability
« on: July 23, 2019, 01:26:39 PM »

List of affected products and firmware patches - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10118

On January 24, 2019, D-Link became aware that security experts had discovered that GhostDNS, a sophisticated DNS hijacking system for data theft, is affecting more than 100,000 routers, with a majority of them in Brazil. According to Netlab, a company specializing in information security, malware has been found in a wide variety of consumer and carrier IP router models, including D-Link and others.

The malware reported by Netlab at 360 performs an attack known as DNSchange. Generally, this scam attempts to guess the router password on the web configuration page using IDs defined by manufacturers, such as admin / admin, root / root, etc. Another way is to skip authentication by scanning dnscfg.cgi. With access to the router's settings, malware changes the default DNS address - which translates URLs from desirable sites, such as banks - to malicious site IPs.

GhostDNS is a much improved version of this tactic. It has three versions of DNSChanger, called in the shell itself DNSChanger, DNSChanger, and PyPhp DNSChanger. The PyPhp DNSChanger is the main module among the three, having been deployed on more than 100 servers, mostly Google Cloud. Together, they bring together more than 100 attack scripts, intended for routers in the Internet and intranet networks.
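
The two behaviours described above (repeated login attempts against the web configuration page, and requests to dnscfg.cgi that set unexpected DNS servers) can be looked for in HTTP logs from a proxy or sensor in front of the router's management interface. The following is an added detection sketch, not part of the original post or any D-Link tooling; the log lines are constructed, the query parameter names are hypothetical, and the resolver allowlist, the use of HTTP 401 for a failed login, and the threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumption: the resolvers this network is supposed to use (constructed values).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
AUTH_FAIL_THRESHOLD = 3  # assumption: 401 responses per source before flagging

# Constructed Common Log Format lines; parameter names (dns1, dns2) are hypothetical.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Jan/2019:10:00:01 +0000] "GET /login.cgi HTTP/1.1" 401 0
198.51.100.7 - - [24/Jan/2019:10:00:02 +0000] "GET /login.cgi HTTP/1.1" 401 0
198.51.100.7 - - [24/Jan/2019:10:00:03 +0000] "GET /login.cgi HTTP/1.1" 401 0
203.0.113.9 - - [24/Jan/2019:10:05:00 +0000] "GET /dnscfg.cgi?dns1=203.0.113.66&dns2=203.0.113.67 HTTP/1.1" 200 0
192.0.2.10 - - [24/Jan/2019:10:06:00 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53 HTTP/1.1" 200 0
192.0.2.10 - - [24/Jan/2019:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def analyze(log_text):
    """Return findings for DNS-setting requests and repeated auth failures."""
    findings, auth_fail = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, _method, target, status = m.groups()
        url = urlsplit(target)
        if status == "401":
            auth_fail[src] += 1
        # Any request to dnscfg.cgi carrying an address outside the allowlist.
        if url.path.lower().rsplit("/", 1)[-1] == "dnscfg.cgi":
            rogue = sorted(v for _, v in parse_qsl(url.query)
                           if is_ip(v) and v not in EXPECTED_RESOLVERS)
            if rogue:
                findings.append(("dns-change", src, rogue))
    findings += [("credential-guessing", s, n)
                 for s, n in sorted(auth_fail.items()) if n >= AUTH_FAIL_THRESHOLD]
    return findings
```

Calling `analyze(SAMPLE_LOG)` flags the source that set resolvers outside the allowlist and the source with three failed logins, while the request that sets an expected resolver is not reported.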