D-Link Forums

Announcements => Security Advisories => Topic started by: GreenBay42 on July 23, 2019, 01:26:39 PM

Title: GhostDNS / DNS Changer / DNS Hijacking Vulnerability
Post by: GreenBay42 on July 23, 2019, 01:26:39 PM
List of affected products and firmware patches - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10118

On January 24, 2019, D-Link became aware that security experts had discovered that GhostDNS, a sophisticated DNS hijacking system for data theft, is affecting more than 100,000 routers with a majority of them in Brazil. According to Netlab, a company specializing in information security, malware has been found in a wide variety of consumer and carrier IP routers models, including D-Link and others.

The malware reported by Netlab at 360 performs an attack known as DNSchange. Generally, this scam attempts to guess the router password on the web configuration page using IDs defined by manufacturers, such as admin / admin, root / root, etc. Another way is to skip authentication by scanning dnscfg.cgi. With access to the router's settings, malware changes the default DNS address - which translates URLs from desirable sites, such as banks - to malicious site IPs.

GhostDNS is a much improved version of this tactic. It has three versions of DNSChanger, called in the shell itself DNSChanger, DNSChanger, and PyPhp DNSChanger. The PyPhp DNSChanger is the main module among the three, having been deployed on more than 100 servers, mostly Google Cloud. Together, they bring together more than 100 attack scripts, intended for routers in the Internet and intranet networks.
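A defender-side check for the behaviour described in this advisory, added here as an example and not code from D-Link or Netlab: it flags nameservers handed out by the router that are not on an allowlist, and cross-checks local DNS answers against a trusted resolver. The allowlist, the resolv.conf text and the answer sets are constructed sample values, not from the advisory.

```python
import ipaddress
import re
from typing import Dict, Set

# Assumed allowlist of resolvers the router is expected to hand out;
# replace with your ISP's resolvers or the ones you configured yourself.
EXPECTED_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}

def parse_resolvers(resolv_conf: str) -> Set[str]:
    """Extract nameserver addresses from resolv.conf-style text, i.e. what a
    DHCP client receives from the router. Malformed entries are ignored."""
    found = set()
    for line in resolv_conf.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            try:
                found.add(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                pass
    return found

def unexpected_resolvers(resolv_conf: str, allowed=EXPECTED_RESOLVERS) -> Set[str]:
    """Nameservers pushed to clients that are not on the allowlist. A DNS
    setting changed on the router shows up here before any site is spoofed."""
    return parse_resolvers(resolv_conf) - set(allowed)

def hijacked_domains(local: Dict[str, Set[str]],
                     trusted: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Compare answers from the local resolver with answers from a trusted
    resolver (e.g. queried over DoH). Local answers absent from the trusted set
    are returned as suspect. CDN-backed names can differ legitimately, so treat
    hits as a prompt to inspect the router, not as proof on their own."""
    suspect = {}
    for name, local_ips in local.items():
        extra = local_ips - trusted.get(name, set())
        if extra:
            suspect[name] = extra
    return suspect

# Constructed sample: the router now hands out a rogue resolver (203.0.113.7)
# and the bank's name resolves to an address the trusted resolver never returns.
SAMPLE_RESOLV_CONF = "# generated by dhcp client\nnameserver 203.0.113.7\nnameserver 8.8.8.8\n"
SAMPLE_LOCAL = {"bank.example": {"203.0.113.50"}, "news.example": {"198.51.100.20"}}
SAMPLE_TRUSTED = {"bank.example": {"192.0.2.10", "192.0.2.11"}, "news.example": {"198.51.100.20"}}

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF))
    print("suspect domains:", hijacked_domains(SAMPLE_LOCAL, SAMPLE_TRUSTED))
```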