• Tag Archives Hijack
  • Android Trojan Switcher Infects Routers via DNS Hijacking – Android Trojan Switcher Infects Routers via DNS Hijacking

    A new Android Trojan uses a victims’ devices to infect WiFi routers and funnel any users of the network to malicious sites. The malware doesn’t target users directly – instead its goal is to facilitate further attacks by turning victims into accomplices.

     

    Researchers at Kaspersky Lab, who discovered the malware and dubbed it Switcher Trojan, claim they’ve seen two versions of the malware. Attackers have used both iterations to commandeer 1,280 wireless networks, most of them in China, according to Nikita Buchka, a mobile security expert with the firm.

    One version of the malware mimics a mobile client for the Chinese search engine Baidu. Another passes itself off as a version of an app used for locating and sharing WiFi login information. Once a victim has downloaded one of the versions, it gets to work attacking the router.

    The malware does so by carrying out a brute-force password guessing attack on the router’s admin web interface. Once in, Switcher swaps out the addresses of the router’s DNS servers for a rogue server controlled by the attackers along with a second DNS, in case the rogue one goes down.

    This makes it so queries from devices on the network are re-routed to the servers of the attacker, something that can open victims to redirection, phishing, malware and adware attacks.

    “The ability of the Switcher Trojan to hijack [DNS] gives the attackers almost complete control over network activity which uses the name-resolving system, such as internet traffic,” Kaspersky Lab said Wednesday, “The approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own – thereby forcing everyone to use the same rogue DNS.”

    The creators of the Trojan were a little sloppy when it came to crafting parts of its command and control website however; they left a table complete with internal infection statistics publicly viewable. According to Buchka, who has reviewed the site, the attackers boast to have infiltrated 1,280 WiFi networks over the last several weeks.

    In a Securelist post on the malware posted Wednesday Buchka cautioned users to review their routers’ DNS settings for the following rogue servers: 101.200.147.153, 112.33.13.11, and 120.76.249.59. He also took the opportunity to encourage users – although for many it goes without saying – to verify that they’ve changed their routers’ default login and passwords.

    Several weeks ago a handful of router users in Germany fell victim when a variant of Mirai, the nasty malware that’s become synonymous with internet of things vulnerabilities, took hold of their devices. While those routers didn’t suffer from a hardcoded username/password vulnerability, they did have port 7547, usually used by internet service providers to remotely manage the device, open.

    The behavior of Switcher is somewhat similar to that of DNSChanger, malware that’s been repurposed as an exploit kit as of late. A recent campaign observed by Proofpoint was targeting wireless routers and changing DNS entries in order to steal traffic. In that instance routers made by D-Link, Netgear, Pirelli and Comtrend were vulnerable. According to Buchka, the hardcoded names of input fields and the structures of the HTML documents that the Switcher Trojan tries to access suggests it may work only on web interfaces of TP-LINK Wi-Fi routers.


  • Google DNS servers suffer brief traffic hijack

    Are security measures enabled?

    Traffic to Google’s commonly used public DNS service was rerouted over the weekend, meaning all traffic with Domain Name System resolution queries destined for Google’s servers ended up at a Venezuelan network instead.

    UK telco BT’s Latin America division in Venezuela became the destination for the IP address range used by Google, in a phenomenon known as BGP (border gateway protocol) hijacking, according to monitoring firm BGPmon.

    The rerouting affected networks in that country and Brazil for 22 minutes, BGPMon said.

    Why BT Latin America was able to announce the incorrect traffic routing despite Google’s security measures to protect against hijacking isn’t known. iTnews has put in queries with both BGPMon and BT LATAM.

    BGP traffic hijacking is on the rise, according to internet performance metrics analyst firm Renesys, which last year noted that over a period of two months, around 1500 IP address blocks were rerouted. Several were in Australia.

    Google’s 8.8.8.8 and 8.8.4.4 (IPv6: 2001:4860:4860::8888 and 2001:4860:4860::8844) free public DNS resolvers were set up in 2009 with the aim to provide better performance for queries, as well as improved security.

    They are said to fully support DNSsec security policies and validation, but it is not clear whether the routers for the servers’ network support resource public key infrastructure (RPKI) for BGP.

    These security measures provide route origination authorization objects (ROAs) that specify which autonomous systems can announce routes for certain IP address prefixes

    A query by iTnews at whois.bgpmon.net for the ROA for the 8.8.8.0/24 network range did not produce any result, suggesting there is no policy in place to prevent BGP hijacking through wrong unauthorized announcements.

    Google’s free and open DNS infrastructure is very popular with users around the world. Last year, Google said its public DNS servers answer 130 to 150 billion queries a day from 70 million unique IP addresses.

    Similar large numbers were seen in a test by Geoff Huston at the Asia-Pacific Network Information Centre (APNIC) using just under 2.5 million clients. That test showed 7.2 percent had queries passed on to authoritative name servers from Google’s DNS service.

     

    Please visit ccrepairservices.com

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere