Gigantic 100,000-strong botnet used to hijack traffic meant for Brazilian banks

The DNS settings of more than 100,000 routers have been changed so that their users are redirected to phishing pages. The redirect occurs only when the user tries to access the online banking page of a Brazilian bank.

Approximately 88% of these routers are in Brazil, and the campaign has been active since mid-August, when security firm Radware first noticed something unusual.

However, according to a new report released last week by Chinese computer security company Qihoo 360, the group behind these attacks has stepped up its game.

By analyzing a large amount of collected data, Qihoo 360's Netlab department thoroughly investigated how the group operates.


According to the Netlab researchers, the attackers scan the Brazilian IP space for routers with weak or invalid passwords, gain access to the router's configuration, and replace the legitimate DNS settings with the IP address of a DNS server under their control.

This change redirects all DNS queries passing through the compromised router to a malicious DNS server, which returns incorrect answers for a list of 52 sites.

Most of these sites belong to Brazilian banks and web hosting services, and the redirects lead to phishing pages that steal victims' login credentials for those sites.
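As an added example (not code from the article or from Netlab), here is an offline Python check for the two symptoms just described, written for a defender auditing a home router: whether the router's DNS servers differ from the ISP's expected resolvers, and whether the router-supplied resolver answers differently from a trusted resolver for a watchlist of sensitive domains. The ISP resolver addresses, hostnames and answers are constructed placeholders, and the two resolver functions stand in for real DNS lookups.

```python
# Added example (not the article's or Netlab's code): an offline check for the
# two symptoms described above. All addresses, hostnames and answers below are
# constructed placeholders taken from the documentation IP ranges.
import ipaddress
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], List[str]]  # maps a hostname to its A-record IPs

# Resolvers that a router on this hypothetical ISP is expected to use.
EXPECTED_DNS = {"198.51.100.53", "198.51.100.54"}
# The article says the rogue server lies only for a fixed list of targets
# (banks, hosting providers), so the comparison is limited to a watchlist.
WATCHLIST = ["bank.example", "hosting.example", "news.example"]

def unexpected_dns_servers(configured: List[str], expected: Set[str]) -> List[str]:
    """Return configured DNS entries that are not in the expected set.
    Strings that are not valid IPs are reported too: any edit is suspicious."""
    bad = []
    for server in configured:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            bad.append(server)
            continue
        if str(ip) not in expected:
            bad.append(server)
    return bad

def find_disagreements(watchlist: List[str], suspect: Resolver,
                       trusted: Resolver) -> Dict[str, Dict[str, Set[str]]]:
    """Ask both resolvers for each watched name and report the names whose
    answer sets share no IP. CDN-hosted names can legitimately differ, so this
    is a triage list for an analyst, not proof of hijacking by itself."""
    findings = {}
    for name in watchlist:
        s, t = set(suspect(name)), set(trusted(name))
        if s and not (s & t):
            findings[name] = {"suspect": s, "trusted": t}
    return findings

# Constructed sample: a rogue resolver that answers honestly for everything
# except the bank, which it points at a phishing host.
TRUSTED_ANSWERS = {"bank.example": ["203.0.113.10"], "hosting.example": ["203.0.113.20"], "news.example": ["203.0.113.30"]}
ROGUE_ANSWERS = dict(TRUSTED_ANSWERS, **{"bank.example": ["192.0.2.66"]})

def trusted_resolver(name: str) -> List[str]: return TRUSTED_ANSWERS.get(name, [])
def rogue_resolver(name: str) -> List[str]: return ROGUE_ANSWERS.get(name, [])

if __name__ == "__main__":  # a router whose first DNS entry was replaced
    print(unexpected_dns_servers(["192.0.2.53", "198.51.100.54"], EXPECTED_DNS))
    print(find_disagreements(WATCHLIST, rogue_resolver, trusted_resolver))
```

In practice the suspect resolver is the address the router hands out over DHCP and the trusted one is a resolver reached directly, bypassing the router; a domain on the triage list that points at an address outside the bank's known ranges is the signal to investigate.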


The attackers carry all of this out with three modules, which Netlab named Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger after the programming language each is written in.

The first module, Shell DNSChanger, is written in shell script and is a combination of 25 shell scripts that can brute-force passwords on 21 router or firmware packages.

Researchers at Netlab said, "This submodule is used only slightly and can only be used with limited deployment by the attackers."

The second module, Js DNSChanger, is written in JavaScript and contains only 10 JS scripts that can brute-force passwords on 6 router or firmware packages.

It is deployed only on routers that have already been compromised, from which it scans other routers and devices on the internal network and brute-forces them in turn.

The third module, PyPhp DNSChanger, is written in a combination of Python and PHP and is the most powerful of the three. Netlab says this module is deployed on more than 100 Google Cloud servers, from which the attackers constantly scan the Internet for targets.
