Brazil now, U.S. later?

By Richard Arneson

Hopefully the answer is a resounding “NO”, but the Brazilian banking industry has recently been hit hard by “GhostDNS”, so named by China-based security research firm NetLab, which discovered the sinister malware in September. The infection has hijacked over 100,000 routers in South America’s largest country and hoarded customer login information for many of its largest financial services firms. It’s estimated that it has been running undetected since June of this year.

The Domain Name System (DNS) simplifies the lookup of the IP addresses associated with a company’s domain name. Users can remember GDT.com, but servers don’t understand our nomenclature; they need an IP address. Without DNS, the Internet, which processes billions of requests at any given moment, would grind to a halt. Imagine having to keep track of all the IP addresses associated with the thousands of websites you visit, then typing them into a browser.

Here’s how GhostDNS works

GhostDNS is spread through remote access vulnerabilities and can run on over seventy (70) different types of routers. NetLab identified over a hundred (100) different attack scripts that were deployed and discovered them running on several high-profile cloud hosting providers, including Amazon, Google and Oracle.

The attack scripts hijacked organizations’ router settings, which resulted in their traffic being sent to an alternative DNS service. This redirected traffic headed to rogue, or phony, sites designed to mimic the landing pages of Brazil’s major banks (some telecom companies, ISPs and media outlets were targeted, as well). Users believed they were on the “real” landing pages, then happily typed in their user name and password.

While GhostDNS malware has primarily affected routers in Brazil, which is one (1) of the top three (3) countries affected by botnet infections (India and China rank 1 and 2, respectively), the FBI is working to ensure it hasn’t spread to the United States. If you believe your organization may have been infected by GhostDNS, the FBI has provided an easy online way to determine that very issue here. Just type your DNS information into the search box. It’s that simple.

A four-pronged module approach to evil

  1. A DNSChanger module attacks routers that, based on collected information, are deemed target-worthy due to weak or unchanged login credentials or passwords.
  2. A Web Admin module provides a portal, of sorts, where attackers can access the phony login page.
  3. A Rogue DNS module resolves the domain names to which users believe they’re heading. Again, most of these domain names are of Brazilian financial institutions.
  4. The Phishing Web module is initiated after the goal of the Rogue DNS module has been satisfied. It then steers the end user, whose lookups now go to the fake DNS server, to the phishing page.
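The two symptoms of a DNSChanger-style hijack described above, a router handing out a resolver the organization never configured and a well-known domain resolving differently through that resolver than through a trusted one, can both be checked offline from data an administrator already has. The script below is an example added to this post, not NetLab’s or GDT’s tooling; the resolver addresses, the resolv.conf-style dump and the DNS answers are constructed sample data using documentation-range IPs, and the `203.0.113.x` addresses play the part of the rogue resolver and phishing site.

```python
"""
Offline check for the two symptoms of a DNSChanger-style router hijack:
(1) a configured resolver that is not on the organisation's expected list, and
(2) a domain whose A record differs between the configured resolver and a
trusted one.  Example code added to this post, not NetLab's or GDT's tooling.
"""
import ipaddress
import re

# Resolvers the organisation expects its routers to hand out to clients.
# Constructed for this example (RFC 5737 documentation addresses).
EXPECTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

# A resolv.conf-style dump as a router admin page or DHCP lease might show it.
# Constructed sample; 203.0.113.7 stands in for the attacker's rogue resolver.
SAMPLE_RESOLV_CONF = """\
# generated by dhcp
search corp.example
nameserver 192.0.2.53
nameserver 203.0.113.7
options timeout:2
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf):
    """Return the nameserver addresses in the order they appear, skipping malformed ones."""
    found = []
    for addr in NAMESERVER_RE.findall(resolv_conf):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an IP address; ignore the line
        found.append(addr)
    return found


def find_unexpected_resolvers(resolv_conf, expected=EXPECTED_RESOLVERS):
    """Resolvers present in the config that are not on the expected list."""
    return [r for r in parse_resolvers(resolv_conf) if r not in expected]


def find_mismatched_domains(local_answers, trusted_answers):
    """
    Compare A records obtained through the configured resolver with those from
    a trusted resolver.  Every domain whose answer sets differ is reported with
    both sets, so an analyst can see where the configured resolver points.
    """
    mismatches = {}
    for domain, trusted in trusted_answers.items():
        local = local_answers.get(domain, set())
        if set(local) != set(trusted):
            mismatches[domain] = {
                "configured": sorted(local),
                "trusted": sorted(trusted),
            }
    return mismatches


# Constructed answers: what the configured (hijacked) resolver returned versus
# what a trusted resolver returned for the same names.  Only the bank's name
# has been tampered with; the news site resolves identically through both.
LOCAL_ANSWERS = {
    "bank.example": {"203.0.113.80"},
    "news.example": {"198.51.100.10"},
}
TRUSTED_ANSWERS = {
    "bank.example": {"192.0.2.80"},
    "news.example": {"198.51.100.10"},
}

if __name__ == "__main__":
    print("unexpected resolvers:", find_unexpected_resolvers(SAMPLE_RESOLV_CONF))
    for domain, info in find_mismatched_domains(LOCAL_ANSWERS, TRUSTED_ANSWERS).items():
        print(f"{domain}: configured -> {info['configured']}, trusted -> {info['trusted']}")
```

In practice the `LOCAL_ANSWERS` and `TRUSTED_ANSWERS` dictionaries would be filled by querying the router-assigned resolver and a resolver you control for the same list of high-value domains (your banks, your own corporate names); an unexpected resolver in the lease or a mismatched answer for a bank domain is the signal to pull the router off the network and reset its credentials and DNS settings.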

As the result of NetLab’s detective work, the further spreading of GhostDNS appears to have been reined in. Networks have been shut down so remediation and enhanced security measures can be implemented. But rest assured, something as big, or bigger, will soon take its place.

IT Security questions? Turn to the Experts

GDT is a 22-year-old network and systems integrator that employs some of the most talented and tenured security analysts, solutions architects and engineers in the industry. They design, build and deploy a wide array of solutions, including managed security services and professional services. They manage GDT’s 24x7x365 Network Operations Center (NOC) and Security Operations Center (SOC) and oversee the networks and network security for some of the most notable enterprises, service providers and government agencies in the world. You can contact them at NocASALL@GDT.com. They’d love to hear from you.