The notorious Sality malware has been active since around 2003. In recent months, however, its authors have begun adding new features designed to hijack the primary DNS address of routers, as reported by ESET.
ESET security researchers analyzed these new features, which first appeared at the end of October 2013. The threat, named Win32/RBrute, was first highlighted by experts from the Russian security company Dr. Web.
In the first part of the attack, a new malware component detected by ESET as Win32/RBrute.A scans the Internet for various router models. The list of routers it looks for includes D-Link, Cisco, Huawei, ZTE and TP-Link. The most targeted models are those made by TP-Link.
When the malware detects one of these routers, it downloads a list of IP addresses from the C&C server and attempts a brute-force attack to gain control of the device's management web page.
The C&C server sends the malware a list of a few dozen common passwords to try in order to gain access to the management page. The list includes passwords such as "Password", "qwerty", "root", "trustno1", "admin", "12345", "123456", "abc123" and "administrator".
Once it gains access, it changes the router's primary DNS server address. By changing this address, the fraudsters can redirect their victims to arbitrary websites.
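As an added defender-side example (not code from the article or from ESET), the following Python flags a source address that repeatedly fails to log in to the router's management page, keeps the weak passwords quoted above as a check list, and reports configured resolvers that differ from the ones expected. The log line format and the sample entries are constructed for this example and are not any vendor's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format (an assumption, not any vendor's real format):
# "<YYYY-MM-DD HH:MM:SS> src=<ip> path=<url path> status=<http status>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$")

# Weak admin passwords quoted in the article as part of the RBrute list.
WEAK_PASSWORDS = {"Password", "qwerty", "root", "trustno1", "admin",
                  "12345", "123456", "abc123", "administrator"}

# Constructed sample: one source hammering the admin page, one normal user.
SAMPLE_LOG = [
    "2013-10-28 10:00:01 src=203.0.113.7 path=/login status=401",
    "2013-10-28 10:00:02 src=203.0.113.7 path=/login status=401",
    "2013-10-28 10:00:03 src=203.0.113.7 path=/login status=401",
    "2013-10-28 10:00:04 src=203.0.113.7 path=/login status=200",
    "2013-10-28 10:01:30 src=192.168.1.20 path=/login status=401",
    "2013-10-28 10:01:35 src=192.168.1.20 path=/login status=200",
]

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "path": m["path"], "status": int(m["status"])}

def bruteforce_sources(lines, admin_path="/login", threshold=3, window_s=60):
    """Source IPs with at least `threshold` failed admin logins within `window_s` seconds."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == admin_path and rec["status"] in (401, 403):
            failures[rec["src"]].append(rec["ts"])
    flagged = set()
    for src, times in failures.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):  # sliding window over sorted failure times
            while times[hi] - times[lo] > timedelta(seconds=window_s):
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def unexpected_dns(configured, expected):
    """Resolver addresses set on the router that are not in the expected set (possible hijack)."""
    return sorted(set(configured) - set(expected))
```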
ESET experts found that users whose computers are infected are redirected to a fake Google Chrome installation site.
The fake pages are set up to distribute the Sality malware. In this way, other users of the infected router may also become infected.
"The IP address used as the primary DNS of the router is part of the Win32/Sality network. In fact, it is another malware, detected by ESET as Win32/RBrute.B, and installed by Win32/Sality. Infected computers can act as either DNS or HTTP proxy servers to distribute the fake Google Chrome installer," say ESET experts.
For additional technical details about Sality's new features, see ESET's website.