Scripts running in the background attempt brute-forcing the router login

Sep 4, 2014 14:18 GMT  ·  By

A web-based attack detected in Brazil aims to change the Domain Name System (DNS) settings in home routers with malicious DNS servers that direct to phishing pages of financial institutions.

The modifications are made by steering the victim to malicious websites carrying adult content, which run scripts in the background. These scripts contain links pointing to local IP addresses that are generally assigned to home routers and to a specific DNS configuration page on the router (“dsncfg.cgi”).

Some users may see a request to log into the router configuration, Fabio Assolini from Kaspersky says in a blog post; this is a clear sign that something is not right.

However, this depends on the strength of the access password, because the scripts also have brute-forcing capability, and they first attempt to guess the credentials on their own.

It appears that they only try fairly basic combinations (admin:admin, root:root and admin:gvt12345), so a complex passcode should cause the login dialog to pop up.

Also present in the scripts are commands for changing the primary and secondary DNS servers.

Users are tricked into accessing the malicious links via an email claiming to provide photo evidence that the victim was cheated. Kaspersky systems recorded 3,300 clicks on the malicious links, most of them traced to Brazil, although the US, China, Canada and Mexico also appeared on the map.