How millions of DSL modems were hacked in Brazil, to pay for Rio prostitutes

Filed Under: Featured, Malware, Phishing, Vulnerability

So, you think you're doing a pretty good job in terms of computer security on your home PC? You've kept your computer fully patched against the latest vulnerabilities? You've ensured that your PC is running the latest-and-greatest anti-virus updates?

Good for you.

Now, how about your router?

My suspicion is that the typical computer user doesn't give a second thought about whether their router could be harbouring a security threat, imagining that the devices don't need to be treated with suspicion.

But if you think that, you're quite wrong.

Fabio Assolini, a researcher for Kaspersky Labs, gave a fascinating presentation at the Virus Bulletin conference in Dallas last week, describing how more than 4.5 million home DSL routers in Brazil were found to have been silently hacked by cybercriminals last year.

Assolini described in his presentation, entitled "The tale of 1001 ADSL modems: Network devices in the sights of cybercriminals", how at some Brazilian ISPs, more than 50% of users were reported to have been affected by the attack.

Here's how the attack came about.

You're on Google's website, but you're not on Google's website

The first thing users may have noticed is that they would visit legitimate websites such as Google, Facebook and Orkut (a Google social network which is particularly popular in Brazil) and would be prompted to install software.

In the example below, visitors to Google.com.br were invited to install a program called "Google Defence" in order to access the "new Google".

Malicious Google redirection

Note - google.com.br is the correct web address for the Brazilian edition of Google, and Google's Brazilian website had not been compromised or hacked to make available a malicious download.

And yet, "Google Defence Para" had nothing whatsoever to do with Google, and was being distributed without the search engine giant's blessing.

How was this possible?

Exploited routers using malicious DNS servers

The answer is that the user's ADSL modem had been compromised, and the hackers had changed the router's configuration to point at a malicious DNS (Domain Name System) server. This meant that when the user entered the web address of a legitimate website (like google.com.br or facebook.com) they could be taken to a dangerous website instead, posing as the real thing.

Cybercriminals had managed to access vulnerable modems remotely via the net.

Vulnerable modem's admin panel, accessed remotely

Now, normally if you access a router via the internet you will be asked for a username and password - and so long as the user has chosen hard-to-guess login credentials (and not gone with the manufacturer's defaults) all should be well.

Unfortunately, in this case, the hackers were able to exploit a vulnerability in the Broadcom chip included in some routers. Assolini explained that "the flaw allows a Cross Site Request Forgery (CSRF) to be performed in the administration panel of the ADSL modem, capturing the password set on the device and allowing the attacker to make changes, usually in the DNS servers."

Router exploit

In short, the exploit allowed malicious hackers to break into millions of routers remotely, without having to know the passwords being used to protect them.
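The flaw Assolini describes is a cross-site request forgery against the modem's admin panel: a page on an attacker's site gets the victim's own browser to submit the DNS-settings form. The sketch below is an added example written for this article, not code from any modem firmware or from Assolini's paper; the Request and Session classes, the form field names and the 192.168.1.1 address are assumptions. It shows the unsafe handler beside one that checks the request's origin and a per-session token, which is what stops a cross-site page from making the change.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# The modem's LAN address (assumed: the common default).
ADMIN_ORIGIN = "http://192.168.1.1"


@dataclass
class Session:
    """A logged-in admin session on the modem (constructed for this example)."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST to a hypothetical DNS-settings form."""
    form: dict
    headers: dict


def change_dns_vulnerable(req: Request, config: dict) -> bool:
    """Before: any POST that arrives with the browser's session is honoured,
    so a form submitted from an attacker's page in the victim's browser works."""
    config["dns"] = [req.form["dns1"], req.form["dns2"]]
    return True


def _same_origin(req: Request) -> bool:
    """Accept only requests whose Origin (or Referer) is exactly the modem.
    Comparing scheme://host defeats look-alikes such as 192.168.1.1.evil.example."""
    src = req.headers.get("Origin") or req.headers.get("Referer", "")
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == ADMIN_ORIGIN


def change_dns_hardened(req: Request, session: Session, config: dict) -> bool:
    """After: refuse requests not sent from the admin panel itself, and demand
    a per-session token that a cross-site page cannot read."""
    if not _same_origin(req):
        return False
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return False
    config["dns"] = [req.form["dns1"], req.form["dns2"]]
    return True
```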

And once there, the hackers were able to change the ADSL modem's DNS settings - pointing them to one of 40 malicious DNS servers around the world.

DNS settings
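To spot the kind of tampering described above, compare the resolvers the modem reports against the ones you expect, and compare what those resolvers say about well-known names with what a trusted resolver says. The script below is an added example, not part of the original article or of Assolini's paper; the status-page text, the trusted-resolver list and the DNS answers are constructed stand-ins using documentation (TEST-NET) addresses, and in real use the answer dictionaries would be filled from actual lookups.

```python
import re

# Resolvers a home user could legitimately expect to see on the modem:
# public ones plus the ISP's own (192.0.2.x are constructed placeholders).
TRUSTED_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",                 # Google Public DNS
    "208.67.222.222", "208.67.220.220",   # OpenDNS
    "192.0.2.53", "192.0.2.54",           # stand-ins for the ISP's resolvers
}

# Constructed sample of a modem's "DNS settings" page after tampering.
SAMPLE_STATUS_PAGE = """
Gateway:              192.168.1.1
Primary DNS Server:   198.51.100.7
Secondary DNS Server: 192.0.2.53
"""

# Constructed answers: what the modem's resolver returned versus a trusted one.
ANSWERS_VIA_MODEM = {
    "google.com.br": ["198.51.100.20"],
    "facebook.com":  ["198.51.100.21"],
    "example.org":   ["203.0.113.9"],
}
ANSWERS_VIA_TRUSTED = {
    "google.com.br": ["203.0.113.1", "203.0.113.2"],
    "facebook.com":  ["203.0.113.3"],
    "example.org":   ["203.0.113.9"],
}

def parse_dns_servers(page_text: str) -> list[str]:
    """Pull the IPv4 addresses from status-page lines that mention DNS."""
    found = []
    for line in page_text.splitlines():
        if "dns" not in line.lower():
            continue
        m = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", line)
        if m:
            found.append(m.group(1))
    return found

def rogue_resolvers(configured: list[str], trusted=TRUSTED_RESOLVERS) -> list[str]:
    """Any configured resolver that is not on the trusted list needs a closer look."""
    return [ip for ip in configured if ip not in trusted]

def redirected_names(via_modem: dict, via_trusted: dict) -> list[str]:
    """Names whose answers from the modem share no address with the trusted
    resolver's answers have most likely been pointed at a look-alike site."""
    return sorted(
        name for name, ips in via_modem.items()
        if name in via_trusted and not set(ips) & set(via_trusted[name])
    )
```

A name that resolves to different addresses on both resolvers is not proof on its own (large sites answer differently by region), so treat a mismatch together with an unknown resolver as the signal, not either alone.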

The end result is that many Brazilian users downloaded code, mistakenly believing they were from websites they trusted, including:

  • br.msn.com/ChromeSetup.exe
  • facebook.com.br/ChromeSetup.exe
  • facebook.com/ChromeSetup.exe
  • facebook.com.br/Activex_Components.exe
  • and many more.

In some cases, the attackers didn't even need such social engineering to trick users into installing the software: Java vulnerabilities were exploited to plant malicious code on victims' computers as they visited what should have been trustworthy websites.

Ironically, if users contacted their anti-virus vendor's tech support line and asked them about the safety of files like facebook.com/ChromeSetup.exe, chances are that the support technician would not be able to locate the file themselves because their own computers were not running through malicious DNS servers.

And, of course, affected users would often be adamant that they had done nothing wrong - certain that their computers were fully updated with patches and anti-virus. But, of course, that didn't stop the remote attack on their router.


Furthermore, the problem was not just limited to home users. According to Assolini, routers designed for the SOHO market are more commonly encountered than you might imagine on corporate networks, not just in Brazil but worldwide.

Eventually it was discovered that the common denominator between affected computers was that they were all using routers made by one of six different hardware manufacturers.

Fixing the problem, however, was not so easy. The automated remote hacks of millions of ADSL modems had not just changed the devices' DNS settings - they had also changed the password to access the device to phrases like "dn5ch4ng3" and "cg4ng3dn5", meaning that users could no longer get in via their admin panels. If only they had known the exploit too...

Hackers reap rewards, and spend it on Rio prostitutes

The motivation for the attack, which impacted millions of Brazilian users, was - of course - money.

Malware installed onto victims' computers could steal files and keypresses, trick users into entering sensitive information on convincing phishing pages, spy upon passwords and banking information, and provide a flood of data for the hackers to exploit.

Interestingly, in his presentation, Assolini presented an IRC chat between some of the hackers involved in the DNS caper.

IRC chat

One of them described how another hacker earned more than 100,000 Reais (approximately $50,000) and would spend his ill-gotten gains on trips to Rio de Janeiro in the company of prostitutes.

Reasons why routers can be exposed to security threats

So, why is it that routers are seemingly so vulnerable? It turns out there are a few possible explanations.

Poor patching. Despite exploits against a wide range of network devices, modems and routers being publicly available on the internet, some manufacturers have chosen to largely ignore the problem.

That means that even if you want to patch your DSL router against a known security vulnerability, a fix may not be available for you.

Default passwords. In some cases, a vulnerability may not even be needed. For instance, if a device uses a known default password, a malicious hacker does not have to go to any effort to bypass the device's authentication.

Website providing default router passwords

Lack of user awareness. Users of network devices may not be aware that it is necessary to keep them up-to-date with security patches, or that patches are available.

Non-standard update model. The method by which devices are updated can vary from manufacturer to manufacturer, making it more complex for the user.

"Massive attacks are real and here to stay"

Fabio Assolini says that there are a number of groups who could carry a proportion of the blame, aside from the hackers themselves.

According to Assolini, security researchers need to be more proactive in reporting flaws related to routers, ADSL modems and other network devices to prevent them from being exploited by malicious hackers. And, of course, the manufacturers have to be responsive.

ISPs are guilty too, says the Kaspersky analyst. He says that it is common for Brazilian ISPs to lend their customers old and vulnerable network devices, and that this is probably happening in other parts of the world too.

And, says the security researcher, governments may not be doing enough. Assolini claims that ANATEL, Brazil's national agency for telecommunications, approves internet hardware before it can be sold, but it does not verify the security of devices - only standard functionality.

Many thanks to Fabio for a great and thought-provoking presentation. You can read his full paper here.

Router, wireless router, and Rio de Janeiro images from Shutterstock.


15 Responses to How millions of DSL modems were hacked in Brazil, to pay for Rio prostitutes

  1. Mário Pereira · 730 days ago

    Just a little correction:

    The dialog in the first screenshot reads "Install Google Defence to use the new Google.com"

    The capitalized "Para" is just Portuguese for "for" / "to".

    Nice article btw

    • Graham Cluley · 730 days ago

      Thank you! I will fix the text. I think I was confused by "Para" being capitalised.

      • Fred · 729 days ago

        One more instance: And yet, "Google Defence Para"

      • Luis · 728 days ago

        This is an interesting point, because this kind of error shows this couldn't be a text from a serious company such as Google.

  2. dazzo · 730 days ago

    So what is the best way for an individual to protect themselves against this besides having good passwords and being suspicious of unsolicited software downloads? Should we regularly check our router to see if the DNS have changed? Anything else?

    • Cory Emanuel · 730 days ago

      Change the DNS settings on your computer to Google DNS, OpenDNS or your ISP-provided DNS, thereby bypassing the router for DNS lookups.... you may also receive some web browsing performance benefits from this change...

  3. Anon · 730 days ago

    Surely the main issue here is that these routers shouldn't have their admin interfaces listening on their external IP in the first place? By default they should only listen on their internal interface...

    Admittedly if users wanted to enable remote access to their modem for legitimate reasons, they'd still be vulnerable to the CSRF, although I would argue they would be tech-savvy enough to realise something suspicious when asked to download software just to access a website.

    • guest · 730 days ago

      ...indeed Anon! As it happens too often, the "security" problem is nothing else than a user problem.

    • @splash · 729 days ago

      Spot on - why on EARTH would users leave WAN side management ON on their home routers? o.O

  4. Markuzy · 730 days ago

    Does NOT broadcasting SSID help much?

    • Canadian Parliament · 730 days ago

      No it does not. It does not help with this exploit/hack. Although back in the day it was "thought" that not broadcasting your SSID was a security best practice, the traffic and MAC addresses of the AP end point are still visible. You can try it out by disabling SSID broadcast and using netstumbler or inssider, and you will still see the wireless network; though the wifi name is not displayed, the wifi network is "active."

  5. Jim · 729 days ago

    One further thing: as I understand it, the cross-site scripting vulnerability relies on correctly guessing the internal network LAN gateway/ router address. If this is left as the default 192.168.1.1, then the exploit is easy. Changing this address makes it way harder, so change it when you're setting it up.
    Or, manufacturers could randomise it ...

  6. Kabi · 729 days ago

    Personally, I've changed the DNS on my router itself to the openDNS, and hidden my SSID.

    -Jim, good tips on the gateway - why haven't I thought of that?! :)

  7. meaia · 712 days ago

    At least the money went to a good cause! Some of those women have families to feed!

  8. NoWay José · 711 days ago

    Once, I signed up with an internet provider in Brazil. Then, this provider offered me an email account. I already had two email accounts, but I took this new account and never used it, never told anybody about it. However, I started receiving email from my bank, the bank for the credit card I used to pay this provider. Of course, the emails were scams. I do not use online banking. In conclusion, I realized the scam was an inside job. People working inside this provider were trying to rip me off. I called to complain about it, and they hung up the phone on me. So, I had to cancel this provider and get another.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.