GhostDNS – DNS Changer Botnet


Friday, September 11th, 2020

GhostDNS is a platform built to help attackers find vulnerable SOHO routers and change the DNS settings of the ones they are able to compromise. This lets the attackers reroute traffic to malicious websites and can even expose the victim's financial login information. The attackers use two DNS servers. The first is a ‘rogue’ server that redirects requests for specific websites, typically banking sites, to phishing pages. The second is a legitimate DNS server, typically Google’s public DNS, which handles every other request the affected user makes. Because nothing looks different from the affected user’s point of view, the attackers can remain undetected for long periods of time.

Based on analysis of GhostDNS’ source code, researchers were able to identify 20 rogue DNS servers, which you can find at the end of this article under the Indicators of Compromise section. Further analysis has also revealed 12 websites that were actively targeted in the phishing campaign:

  • americanas.com.br
  • bb.com.br
  • bradesco.com.br
  • bradecocelular.com.br
  • caixa.gov.br
  • internetbanking.caixa.gov.br
  • msn.com
  • msn.com.br
  • netflix.com
  • shoptime.com.br
  • hotmail.com.br
  • paypal.com

This data shows that, along with banking data, the attackers are also interested in obtaining email credentials and account information for services like Netflix and PayPal. The botnet works by automatically scanning IP addresses for routers that use a weak password or none at all, logging in to the router’s settings, and changing the router’s default DNS address to one controlled by the attackers.

To protect yourself from such an attack, it is highly recommended that every router be upgraded to the latest version of its firmware and that a strong password be set for the router’s web portal. It is also recommended that you disable remote administration on all routers and hardcode a trusted DNS server, such as Google’s 8.8.8.8 or 8.8.4.4, in your router or operating system.


Sources:


Indicators of Compromise:

  • Changer IP addresses
    • 104.215.74.207
    • 107.155.132.188
    • 107.155.152.21
    • 107.155.152.24
    • 107.155.152.28
    • 107.155.152.3
    • 134.209.194.220
    • 161.35.82.213
    • 164.90.195.195
    • 167.172.47.178
    • 178.62.205.16
    • 178.62.208.183
    • 178.62.211.51
    • 200.98.134.184
    • 209.61.253.201
    • 23.101.189.23
    • 35.203.119.123
    • 51.159.71.63
    • 64.225.66.217
    • 65.52.36.98
    • 70.37.90.42
  • Rogue DNS servers
    • 107.155.132.186
    • 107.155.132.189
    • 107.155.152.13
    • 107.155.152.14
    • 107.155.152.15
    • 107.155.152.17
    • 107.155.152.27
    • 107.155.152.28
    • 107.155.152.5
    • 111.90.159.53
    • 149.56.152.185
    • 162.248.164.36
    • 192.169.7.38
    • 45.62.198.242
    • 45.62.198.243
    • 45.62.198.73
    • 45.62.198.74
    • 45.62.198.89
    • 51.81.27.247
    • 80.82.77.163
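The two checks a defender would want after reading the mechanism described above and the indicator list are (1) whether a host's configured resolvers appear in the rogue DNS or changer lists, and (2) whether the router-supplied resolver answers the targeted domains differently from a resolver you trust, which is exactly how the rogue/legitimate split shows up. The script below is an added example, not code from the original article or from the researchers; the IoC sets are copied from the list above, the resolv.conf text and the two answer sets are constructed samples (RFC 5737 documentation addresses stand in for real records), and the function names are my own.

```python
"""Check a host's DNS configuration against the GhostDNS indicators.

Added example, not code from the original article. The IoC sets below are
copied from the article's Indicators of Compromise section; everything in
main() (the resolv.conf text and the two answer sets) is constructed sample
data, and RFC 5737 documentation addresses stand in for real answers.
"""
import ipaddress

# Rogue DNS servers and "changer" hosts, as listed in the article.
ROGUE_DNS_SERVERS = {
    "107.155.132.186", "107.155.132.189", "107.155.152.13", "107.155.152.14",
    "107.155.152.15", "107.155.152.17", "107.155.152.27", "107.155.152.28",
    "107.155.152.5", "111.90.159.53", "149.56.152.185", "162.248.164.36",
    "192.169.7.38", "45.62.198.242", "45.62.198.243", "45.62.198.73",
    "45.62.198.74", "45.62.198.89", "51.81.27.247", "80.82.77.163",
}
CHANGER_IPS = {
    "104.215.74.207", "107.155.132.188", "107.155.152.21", "107.155.152.24",
    "107.155.152.28", "107.155.152.3", "134.209.194.220", "161.35.82.213",
    "164.90.195.195", "167.172.47.178", "178.62.205.16", "178.62.208.183",
    "178.62.211.51", "200.98.134.184", "209.61.253.201", "23.101.189.23",
    "35.203.119.123", "51.159.71.63", "64.225.66.217", "65.52.36.98",
    "70.37.90.42",
}
# Domains the article says the campaign targeted.
TARGETED_DOMAINS = [
    "americanas.com.br", "bb.com.br", "bradesco.com.br", "bradecocelular.com.br",
    "caixa.gov.br", "internetbanking.caixa.gov.br", "msn.com", "msn.com.br",
    "netflix.com", "shoptime.com.br", "hotmail.com.br", "paypal.com",
]


def parse_nameservers(resolv_conf_text):
    """Return the resolver IPs from resolv.conf-style text, in order.

    Comments are stripped and anything that is not a valid IP is ignored,
    so a damaged or hand-edited file does not raise.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue  # not an IP address; skip it
    return servers


def check_nameservers(servers):
    """Label each configured resolver as 'rogue-dns', 'changer' or 'clean'.

    A resolver in both lists (107.155.152.28 is) is reported as 'rogue-dns',
    since that is the role that matters for a resolver setting.
    """
    verdicts = {}
    for server in servers:
        if server in ROGUE_DNS_SERVERS:
            verdicts[server] = "rogue-dns"
        elif server in CHANGER_IPS:
            verdicts[server] = "changer"
        else:
            verdicts[server] = "clean"
    return verdicts


def compare_answers(configured, trusted, domains=TARGETED_DOMAINS):
    """Return the targeted domains whose A records disagree between resolvers.

    `configured` and `trusted` map a domain to the set of A records returned
    by the router-supplied resolver and by a resolver you trust. A domain is
    flagged only when both resolvers answered and the two sets share no
    address, which is the pattern the rogue/legitimate split produces:
    banking names go to a phishing host, everything else resolves normally.
    """
    flagged = []
    for domain in domains:
        a = configured.get(domain)
        b = trusted.get(domain)
        if a and b and not (set(a) & set(b)):
            flagged.append(domain)
    return flagged


def main():
    # Constructed sample: a resolv.conf handed out by a tampered router.
    sample_resolv_conf = """# generated by the router's DHCP lease
nameserver 107.155.152.13
nameserver 8.8.8.8   # fallback the attackers leave in place
"""
    servers = parse_nameservers(sample_resolv_conf)
    for server, verdict in check_nameservers(servers).items():
        print(f"resolver {server}: {verdict}")

    # Constructed answers (RFC 5737 documentation addresses, not real records).
    configured = {"bb.com.br": {"198.51.100.10"}, "netflix.com": {"203.0.113.5"}}
    trusted = {"bb.com.br": {"192.0.2.1"}, "netflix.com": {"203.0.113.5"}}
    for domain in compare_answers(configured, trusted):
        print(f"{domain}: answer differs from trusted resolver")


if __name__ == "__main__":
    main()
```

To use it on a real host, feed the contents of /etc/resolv.conf (or the DNS servers shown in the router's admin page) to parse_nameservers, and populate the two answer dictionaries from lookups made through the router's resolver and through a resolver you trust. Treat a disjoint-answer result for a banking domain as a lead rather than proof: CDN-fronted sites can legitimately return different addresses from different vantage points, so confirm by checking the certificate presented by the address the router's resolver returned.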