
ESET: which routers are affected by the Win32/Sality DNS changer

ESET has posted on its blog details of new functionality in Win32/Sality, including the DNS changer.

Win32/Sality is a family of malware behind a botnet that has been active since at least 2003. It is a file infector and trojan downloader, used primarily to send spam, although it has also been put to other uses, such as faking ad network traffic, distributed denial of service attacks, or activity targeting VoIP accounts. All commands and files exchanged over the Sality P2P network are digitally signed. Its architecture, as well as the longevity of the botnet, shows that it is well designed and well programmed.


ESET has been monitoring the Win32/Sality network for some time and has recorded more than 115,000 IP addresses associated with the so-called "super peers" that keep the botnet alive by passing its commands on to the regular peers.

The security company has been monitoring and recording the network's behaviour for quite some time. Recently its researchers discovered a new feature: the ability to change a router's primary DNS address, which is quite different from the ordinary FTP password theft or the spambot function already known from Win32/Sality. According to ESET telemetry data, the new feature appeared for the first time at the end of October 2013. It was first reported by Dr. Web, which published a technical analysis of one of its components, the IP address scanner, under the name Win32/RBrute.

The new goal: changing the primary DNS of a router

This feature adds a new dimension to the operation of Win32/Sality. The first component, detected by ESET as Win32/RBrute.A, scans the Internet for router administration pages in order to change the primary DNS server entry. The DNS servers the malware adds redirect users to a fake Google Chrome installation page whenever they try to open pages whose URL contains the words "google" or "facebook". The binary distributed through this installation page is actually Win32/Sality, giving the owners of the Sality botnet a way to further increase their number of victims through the infected routers.

The IP address used as primary DNS on the victim's router is part of the Win32/Sality network. In fact, Win32/Sality installs another component, detected by ESET as Win32/RBrute.B, which acts as a DNS or HTTP proxy to deliver the fake Google Chrome installer.

ESET has published a list of routers that are vulnerable to the Win32/RBrute.A malware:

  • Cisco routers matching "level_15_" in the HTTP realm attribute
  • D-Link DSL-2520U
  • D-Link DSL-2542B
  • D-Link DSL-2600U
  • Huawei EchoLife
  • TP-LINK
  • TP-Link TD-8816
  • TP-Link TD-8817
  • TP-Link TD-8817 2.0
  • TP-Link TD-8840T
  • TP-Link TD-8840T 2.0
  • TP-Link TD-W8101G
  • TP-Link TD-W8151N
  • TP-Link TD-W8901G
  • TP-Link TD-W8901G 3.0
  • TP-Link TD-W8901GB
  • TP-Link TD-W8951ND
  • TP-Link TD-W8961ND
  • TP-Link TD-W8961ND
  • ZTE ZXDSL 831CII
  • ZTE ZXV10 W300

When the malware detects a router administration page, the C&C sends the bot a short list of about ten passwords and instructs it to brute-force the router's password with them. Once the bot manages to log in, it immediately changes the router's primary DNS server setting. From then on, all DNS queries from users behind that router go through the tampered DNS server, which redirects them to the fake Chrome installation page.
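An added defender-side check, not part of the ESET report or this article: it compares the answers a router's configured resolver gives for names containing "google" or "facebook" against a trusted resolver, and flags a single address being returned for several of those names, which is the signature of the redirect described above. All resolver addresses and answers are constructed sample data from documentation ranges.

```python
"""Offline check for the router DNS hijack pattern described above.

The hijack replaces the router's primary DNS and answers names containing
"google" or "facebook" with the address of a fake installer page. This
script compares the router's resolver against a trusted one using
constructed data; plug real lookups into the two answer dictionaries.
"""
from collections import Counter

WATCH_WORDS = ("google", "facebook")   # substrings the article says are targeted


def is_expected_resolver(configured, expected):
    """True if the router's primary DNS is one the operator configured."""
    return configured in expected


def mismatched_domains(router_answers, trusted_answers):
    """Watched names whose answers differ between the two resolvers."""
    out = []
    for name, addrs in router_answers.items():
        if not any(w in name for w in WATCH_WORDS):
            continue
        if set(addrs) != set(trusted_answers.get(name, [])):
            out.append(name)
    return sorted(out)


def sinkhole_addresses(router_answers, min_names=2):
    """Addresses returned for several different watched names at once:
    one redirect target for many sites is the hijack's signature."""
    hits = Counter()
    for name, addrs in router_answers.items():
        if any(w in name for w in WATCH_WORDS):
            for addr in set(addrs):
                hits[addr] += 1
    return sorted(a for a, n in hits.items() if n >= min_names)


def assess(configured_dns, expected_dns, router_answers, trusted_answers):
    """Combine the three checks into one verdict dictionary."""
    return {
        "resolver_expected": is_expected_resolver(configured_dns, expected_dns),
        "mismatched": mismatched_domains(router_answers, trusted_answers),
        "sinkholes": sinkhole_addresses(router_answers),
    }


# Constructed sample data (TEST-NET ranges): the router hands out an unknown
# resolver that answers every google/facebook name with 203.0.113.5.
ROUTER_ANSWERS = {"www.google.com": ["203.0.113.5"], "www.facebook.com": ["203.0.113.5"],
                  "mail.google.com": ["203.0.113.5"], "www.example.org": ["192.0.2.80"]}
TRUSTED_ANSWERS = {"www.google.com": ["192.0.2.10"], "www.facebook.com": ["192.0.2.20"],
                   "mail.google.com": ["192.0.2.11"], "www.example.org": ["192.0.2.80"]}

if __name__ == "__main__":
    print(assess("198.51.100.9", {"192.0.2.1"}, ROUTER_ANSWERS, TRUSTED_ANSWERS))
```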


If you are interested in the technical analysis of the Win32/Sality DNS changer, you can find it on ESET's website.


Written by giorgos
