Another malware attack against home routers that modifies DNS settings has been disclosed by Fernando Mercês, a researcher for Trend Micro. This DNS Changer is mostly active in Brazil, although it’s also been detected in the United States, Japan, and several other countries.
The attack modifies the router’s DNS settings, a method that we’ve seen many times in the past because a large amount of damage can be done this way. Hackers modify the DNS settings so that the network relies on DNS servers that they run themselves. These servers usually provide proper DNS resolution, but will redirect other requests to sites that the hackers run, typically to steal things like banking credentials. Because the attack changes the router’s settings, every computer and device on the network is at risk once the attack has been successfully deployed.
The attack is typically launched by a script called HTML_DNSCHA, which can be embedded in a web page. If a user goes to that page, the script can run and attempt to change the router settings by brute force. The script attacks routers manufactured by D-Link and TP-Link.
We’re happy to report that RouterCheck has been updated to detect routers that have been modified by this attack. If this modification is detected, simply follow the instructions that RouterCheck provides to return your DNS settings to servers that are known to be safe.