Hacked Routers Serve Dyre Malware
July 6, 2015

In the April 7 advisory, we covered Dyre Wolf, a banking malware campaign built on the Dyre Trojan that was used in a succession of phishing campaigns across the globe. Cybercriminals are now serving Dyre through another channel.

Trust cybercriminals to find new places to host the malicious software used in drive-by attacks. One group has taken this to new heights: it is spreading Dyre by hosting the downloader on hacked wireless routers, which then deliver the password-stealing crimeware to victims.

A Trojan downloader (see Definition) detected by most antivirus tools as “Upatre” is the usual first stage: it fetches Dyre, which has become a curse of the banking industry. Upatre is normally delivered by malicious e-mail containing a link that sends unsuspecting users to a server hosting malicious JavaScript or the payload itself. When a user clicks the link they receive a file; if they open it, it downloads Dyre from a server controlled by the criminals.

Dyre is a sophisticated piece of software capable of hijacking all three major browsers. It intercepts internet banking sessions to steal the victim’s credentials and sends them to the criminals. Dyre is also used to download further malware onto the victim’s machine, which more often than not is added to a botnet. Botnets are frequently used to perpetuate the threat by sending spam and phishing e-mail to thousands of unsuspecting people.

Things have taken a turn for the worse for potential victims and for the better for criminals: Upatre is now being served from hundreds of compromised home and small-office devices, including MikroTik routers and Ubiquiti devices running AirOS.

[Image: airOS_Dyre malware]

Hundreds of these wireless access points and routers were found to be participating in this botnet. One likely cause is exploitation of known vulnerabilities in the device firmware (see Definition). Another is that the criminals are simply logging in with factory-default credentials (e.g., “ubnt” for both username and password on most Ubiquiti AirOS devices). A disturbing number of the systems in the botnet were also found to have the telnet port (see Definition) wide open to the internet, which gives anyone who guesses the password a command shell on the device.

In fact, the botnet used to attack Microsoft’s Xbox Live and Sony’s PlayStation Network last year relied entirely on hacked routers, which were compromised remotely via telnet.


Recommendation

1.  Change the default credentials on the device if you haven’t done so, regardless of what type of router is being used.

2.  To find out what your device’s factory credentials are, go to routerpasswords.com and look up the make and model of your router.

3.  To check whether your router still uses them, open a browser and enter the numeric address of the router’s administration page (for most routers this is 192.168.1.1 or 192.168.0.1), then try the factory username and password. Lists of default internal addresses for most router models are published online.

4.  Disable telnet and any WAN-side (remote) administration you do not need, and apply the latest firmware from the vendor, since known firmware vulnerabilities are one of the ways these devices are being taken over.
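The two checks above (an exposed telnet port and an admin page that still accepts factory credentials) can be automated. The script below is an added example written for this advisory, not code from the original article or from any router vendor. It assumes the admin page uses HTTP Basic authentication, which is an assumption for illustration: AirOS and MikroTik use their own login forms and APIs, so the probe must be adapted per model. The credential list and the fake router it audits are constructed for the demo.

```python
"""Audit a router for an open telnet port and factory-default admin credentials.
Added example for this advisory; Basic-auth probe is an assumption (adapt per model)."""
import base64
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed credential list: "ubnt"/"ubnt" is the AirOS default named in the
# advisory; extend it from routerpasswords.com for your own make and model.
DEFAULT_CREDS = [("ubnt", "ubnt"), ("admin", ""), ("admin", "admin")]


def port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes (e.g. telnet on 23)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def accepts_credentials(host, port, user, password, timeout=3.0):
    """Probe an HTTP Basic-auth admin page; True only if the login is accepted."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(f"http://{host}:{port}/", headers={"Authorization": f"Basic {token}"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError:  # 401/403: rejected
        return False
    except URLError:   # unreachable: cannot confirm, treat as not accepted
        return False


def audit_router(host, telnet_port=23, http_port=80, creds=DEFAULT_CREDS):
    """Return findings: is telnet reachable, and which default pair (if any) logs in."""
    findings = {"telnet_open": port_open(host, telnet_port), "default_creds": None}
    for user, password in creds:
        if accepts_credentials(host, http_port, user, password):
            findings["default_creds"] = (user, password)
            break
    return findings


# ---- Constructed stand-in for a router left on factory settings (demo only) ----
class _FakeAdminPage(BaseHTTPRequestHandler):
    """Answers 200 only when the Basic-auth header matches ubnt:ubnt."""
    EXPECTED = "Basic " + base64.b64encode(b"ubnt:ubnt").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.EXPECTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"airOS")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="airOS"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the fake router on loopback, audit it, tear it down, return findings."""
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), _FakeAdminPage)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    telnet = socket.socket()          # a bare listener stands in for an open telnet port
    telnet.bind(("127.0.0.1", 0))
    telnet.listen(5)
    try:
        return audit_router("127.0.0.1",
                            telnet_port=telnet.getsockname()[1],
                            http_port=httpd.server_address[1])
    finally:
        httpd.shutdown()
        telnet.close()


if __name__ == "__main__":
    # Against the fake router this reports telnet open and ubnt/ubnt accepted.
    print(run_demo())
```

Run `audit_router("192.168.1.1")` against a real device from inside your own network only; a result of `telnet_open: True` or a non-empty `default_creds` means the device matches the profile of the routers recruited into this botnet.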


Definition

1.  Trojan Downloader – a type of trojan that installs itself on a computer and, once an internet connection is available, connects to a remote server or website to download additional programs, such as further malware, onto the infected machine.

2.  Firmware – the low-level software stored in a device’s non-volatile memory (flash or ROM) that controls the hardware; on a router it includes the operating system and the administration interface, so a firmware vulnerability can hand an attacker control of the whole device.

3.  Telnet – a user command and an underlying TCP/IP protocol (port 23) for logging in to remote computers. Through telnet an administrator or any other user can reach a device’s command line remotely; it sends usernames and passwords in cleartext, which is why it should not be exposed to the internet.


Source

1.  Krebs on Security.

2.  Security Affairs (image airOS)


The Week That Was

1.  Google to Offer Free Superfast Wi-Fi Internet to the World. Google has unveiled a plan to bring free, superfast Wi-Fi to cities worldwide through Sidewalk Labs, a Google-owned company, starting with New York City. Old phone booths will be converted into ad-supported “Wi-Fi pylons”, which are also intended to provide free device charging, free domestic phone calls and a touchscreen-based information hub.

2.  200GB microSD Card arrives from SanDisk. It is now available from Amazon. The card has a transfer speed of 90MB per second, which the company claims allows you to transfer up to 1,200 photos in a minute. It is also said to be waterproof, shockproof, temperature proof, magnet proof and X-ray proof. Cost: a whopping USD241.00.

3.  4,900 New Android Malware strains discovered every day. In Q1 of this year, G Data security experts discovered about 440,267 new Android malware strains, which works out to a new strain every 18 seconds. For a user, it is always safer to install apps only from official app stores such as Google Play.

4.  Europol takes down the crime syndicate behind Zeus and SpyEye. The group behind the Zeus and SpyEye banking trojans has been dismantled: investigators arrested five people in four cities in Ukraine. The alleged criminals and their accomplices are said to have used the notorious banking trojans to steal money from online bank accounts at financial institutions in Europe and elsewhere in the world.