{"id":930,"date":"2016-12-29T19:00:00","date_gmt":"2016-12-30T00:00:00","guid":{"rendered":"http:\/\/www.ccrepairservices.com\/blog\/?p=930"},"modified":"2016-12-29T19:33:21","modified_gmt":"2016-12-30T00:33:21","slug":"930","status":"publish","type":"post","link":"https:\/\/www.ccrepairservices.com\/blog\/computer-news\/930\/","title":{"rendered":"Android Trojan Switcher Infects Routers via DNS Hijacking"},"content":{"rendered":"<div class=\"featured-image-wrap\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"attachment-single-featured size-single-featured wp-post-image\" src=\"https:\/\/trtpost-wpengine.netdna-ssl.com\/files\/2016\/12\/android_trojan_router.png\" alt=\"\" width=\"680\" height=\"400\" \/><\/p>\n<h1 class=\"entry-title\">Android Trojan Switcher Infects Routers via DNS Hijacking<\/h1>\n<\/div>\n<article id=\"post-122779\" class=\"post-122779 post type-post status-publish format-standard has-post-thumbnail hentry category-iot category-malware-2 category-vulnerabilities tag-android tag-android-vulnerabilities tag-dns-hijacking tag-routers tag-switcher tag-switcher-trojan tag-trojan\">\n<header class=\"entry-header\">\n<div class=\"post-info\"><span class=\"author alignleft\">\u00a0<\/span><span class=\"date alignright\"><time datetime=\"2016-12-28\"><br \/>\n<\/time><\/span>\n<\/div>\n<\/header>\n<div class=\"entry-content\">\n<p>A new Android Trojan uses victims\u2019 devices to infect WiFi routers and funnel any users of the network to malicious sites. The malware doesn\u2019t target users directly \u2013 instead its goal is to facilitate further attacks by turning victims into accomplices.<\/p>\n<p>Researchers at Kaspersky Lab, who discovered the malware and dubbed it Switcher Trojan, claim they\u2019ve seen two versions of the malware. 
Attackers have used both iterations to commandeer 1,280 wireless networks, most of them in China, according to Nikita Buchka, a mobile security expert with the firm.<\/p>\n<p>One version of the malware mimics a mobile client for the Chinese search engine Baidu. Another passes itself off as a version of an app used for locating and sharing WiFi login information. Once a victim has downloaded one of the versions, it gets to work attacking the router.<\/p>\n<p>The malware does so by carrying out a brute-force password guessing attack on the router\u2019s admin web interface. Once in, Switcher swaps out the addresses of the router\u2019s DNS servers for a rogue server controlled by the attackers along with a second DNS, in case the rogue one goes down.<\/p>\n<p>This makes it so queries from devices on the network are re-routed to the servers of the attacker, something that can open victims to redirection, phishing, malware and adware attacks.<\/p>\n<p>\u201cThe ability of the Switcher Trojan to hijack [DNS] gives the attackers almost complete control over network activity which uses the name-resolving system, such as internet traffic,\u201d Kaspersky Lab said Wednesday, \u201cThe approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own \u2013 thereby forcing everyone to use the same rogue DNS.\u201d<\/p>\n<p>The creators of the Trojan were a little sloppy when it came to crafting parts of its command and control website however; they left a table complete with internal infection statistics publicly viewable. 
According to Buchka, who has reviewed the site, the attackers boast of having infiltrated 1,280 WiFi networks over the last several weeks.<\/p>\n<p>In <a href=\"https:\/\/securelist.com\/blog\/mobile\/76969\/switcher-android-joins-the-attack-the-router-club\/\">a Securelist post<\/a> on the malware posted Wednesday, Buchka cautioned users to review their routers\u2019 DNS settings for the following rogue servers: 101.200.147.153, 112.33.13.11, and 120.76.249.59. He also took the opportunity to encourage users \u2013 although for many it goes without saying \u2013 to verify that they\u2019ve changed their routers\u2019 default login and passwords.<\/p>\n<p><a href=\"https:\/\/threatpost.com\/new-mirai-variant-targets-routers-knocks-900000-offline\/122155\/\">Several weeks ago<\/a>\u00a0a handful of router users in Germany fell victim when a variant of Mirai, the nasty malware that\u2019s become synonymous with internet of things vulnerabilities, took hold of their devices. While those routers didn\u2019t suffer from a hardcoded username\/password vulnerability, they did have port 7547, usually used by internet service providers to remotely manage the device, open.<\/p>\n<p>The behavior of Switcher is somewhat similar to that of <a href=\"https:\/\/threatpost.com\/dnschanger-exploit-kit-hijacks-routers-not-browsers\/122539\/\">DNSChanger<\/a>, malware that\u2019s been repurposed as an exploit kit as of late.\u00a0A recent campaign <a href=\"https:\/\/threatpost.com\/dnschanger-exploit-kit-hijacks-routers-not-browsers\/122539\/\">observed by Proofpoint<\/a> was targeting wireless\u00a0routers and changing DNS entries in order to steal traffic.\u00a0In that instance routers made by D-Link, Netgear, Pirelli and Comtrend were vulnerable. 
According to Buchka, the hardcoded names of input fields and the structures of the HTML documents that the Switcher\u00a0Trojan tries to access suggest it may work only on web interfaces of TP-LINK Wi-Fi routers.<\/p>\n<\/div>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>Android Trojan Switcher Infects Routers via DNS Hijacking \u00a0 A new Android Trojan uses victims\u2019 devices to infect WiFi routers and funnel any users of the network to malicious sites. The malware doesn\u2019t target users directly \u2013 instead its goal is to facilitate further attacks by turning victims into accomplices. &nbsp; Researchers at Kaspersky Lab, who discovered the malware and dubbed it Switcher Trojan, claim they\u2019ve seen two versions of the malware. Attackers have used both iterations to commandeer 1,280 wireless networks, most of them in China, according to Nikita Buchka, a mobile security expert with the firm. One version of the malware mimics a mobile client for the Chinese search engine Baidu. Another passes itself off as a version of an app used for locating and sharing WiFi login information. Once a victim has downloaded one of the versions, it gets to work attacking the router. The malware does so by carrying out a brute-force password guessing attack on the router\u2019s admin web interface. Once in, Switcher swaps out the addresses of the router\u2019s DNS servers for a rogue server controlled by the attackers along with a second DNS, in case the rogue one goes down. 
This makes [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[1420,1228,103,19,566,1421,567,1429,1425,486,156,861,10,142,86,1430,1423,1424,1426,1008,1427,1428,1422],"class_list":["post-930","post","type-post","status-publish","format-standard","hentry","category-computer-news","category-virus-and-malware-threats","tag-android-tojan","tag-complete-computer-repair","tag-computer-news-2","tag-computer-repair","tag-dns","tag-dns-hijacker","tag-hijack","tag-hijacking-router","tag-it-news","tag-latest-news","tag-malware","tag-new-trojan","tag-new-virus","tag-new-viruses","tag-news","tag-pc-repair-fort-lauderdale","tag-router-hijack","tag-router-trojan","tag-router-virus","tag-security-news","tag-switcher","tag-trojan-switcher","tag-trojan-virus"],"_links":{"self":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/930","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/comments?post=930"}],"version-history":[{"count":5,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/930\/revisions"}],"predecessor-version":[{"id":934,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/930\/revisions\/934"}],"wp:attachment":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/media?parent=930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/categories?post=930"},{"taxonomy":"post_tag","embeddable":true,"href":
"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/tags?post=930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}