Trojan Hacks Routers to Spread Malware

Friday, March 14, 2014 @ 06:03 PM gHale


There is now a Trojan that hacks WiFi routers in order to spread the Sality malware family.

Sality is one of the oldest malware families out there, and it is partly due to its spreading and communication capabilities that it has survived for this long. It is capable of a variety of malicious actions, including terminating AV software and firewalls, stealing information from infected computers and using it to spam other users, downloading additional malware, and so on, said researchers from Russian AV company Dr. Web.


It also has rootkit capabilities and spreads via removable drives and network shares; in the most recently observed approach, it works in conjunction with the WiFi-hacking Trojan Rbrute to propagate itself.

“When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a range of IP addresses to scan,” the researchers said.

In addition to this, Rbrute can mount a dictionary attack on the router. If successful, it reports back to the remote server, which then instructs the router to change the DNS addresses stored in its settings.

“As a result, when a user tries to visit a website, they can be redirected to another site that has been crafted by intruders. This scheme is currently being used by cybercriminals to expand the botnet created using the malware Win32.Sector,” the researchers said. Win32.Sector is just another name for Sality.

Rbrute compromises the router so that other machines using it can ultimately end up infected. Currently, the malware redirects targeted users to a spoofed Google Chrome download site, where the file offered for download is actually a Sality variant.

Once on the computer, Sality downloads Rbrute, and so the infection cycle continues.
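A defender-side check for the two symptoms this chain leaves on a router, added here as an example and not taken from the Dr. Web write-up: a burst of failed admin logins followed by a success (the dictionary attack), and configured DNS resolvers that are not the ones the operator expects. The log format, IP addresses and resolver list are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed router-style auth log (not real device output): five failures in a
# few seconds, then a success from the same source, plus a normal LAN login.
SAMPLE_LOG = """\
2014-03-14 18:01:02 admin login failed from 198.51.100.7
2014-03-14 18:01:03 admin login failed from 198.51.100.7
2014-03-14 18:01:04 admin login failed from 198.51.100.7
2014-03-14 18:01:05 admin login failed from 198.51.100.7
2014-03-14 18:01:06 admin login failed from 198.51.100.7
2014-03-14 18:01:07 admin login ok from 198.51.100.7
2014-03-14 18:05:30 admin login ok from 192.168.1.20
"""

LOG_RE = re.compile(r"^(\S+ \S+) admin login (failed|ok) from (\S+)$")
FMT = "%Y-%m-%d %H:%M:%S"

def login_events(log_text):
    """Parse the constructed log into (timestamp, outcome, src_ip) tuples."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), FMT), m.group(2), m.group(3)))
    return out

def find_dictionary_attacks(log_text, threshold=5, window_s=60):
    """Return {src_ip: total_failures} for sources with `threshold` failed
    logins inside any `window_s`-second span (sliding window per source)."""
    fails = defaultdict(list)
    for ts, outcome, ip in login_events(log_text):
        if outcome == "failed":
            fails[ip].append(ts)
    flagged = {}
    for ip, stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                flagged[ip] = len(stamps)
                break
    return flagged

def likely_compromised(log_text, **kw):
    """Sources that brute-forced and then logged in: the point at which the
    article says the attacker goes on to rewrite the router's DNS settings."""
    attackers = find_dictionary_attacks(log_text, **kw)
    return sorted({ip for _, outcome, ip in login_events(log_text)
                   if outcome == "ok" and ip in attackers})

def unexpected_dns(configured, allowed):
    """Configured resolvers missing from the operator's allow-list (hijack sign)."""
    return sorted(set(configured) - set(allowed))
```

Run `likely_compromised(SAMPLE_LOG)` and `unexpected_dns(<router's DNS list>, <expected resolvers>)` against exported router logs and config; either result being non-empty is the cue to reset credentials and restore the DNS settings.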

The Rbrute Trojan, the researchers said, can currently crack passwords on a number of router models, including: D-Link DSL-2520U, DSL-2600U, TP-Link TD-W8901G, TD-W8901G 3.0, TD-W8901GB, TD-W8951ND, TD-W8961ND, TD-8840T, TD-8840T 2.0, TD-W8961ND, TD-8816, TD-8817 2.0, TD-8817, TD-W8151N, TD-W8101G, ZTE ZXV10 W300, ZXDSL 831CII.
