The developers of the Sality malware, in a move to upgrade its services, have added new functionality such as a component that can hijack the primary DNS address of routers, researchers said.
Security researchers from ESET have been reviewing this new component, first seen at the end of October 2013. The threat, dubbed Win32/RBrute, first came to researchers' attention through the Russian security company Dr. Web.
“All commands and files exchanged through Sality’s P2P network are digitally signed, making it resilient to protocol manipulation,” said ESET’s Benjamin Vanheuverzwijn in a blog post. “Its modular architecture as well as the longevity of the botnet shows good programming practice and an efficient software design.”
In the first part of an attack, a component detected by ESET as Win32/RBrute.A scans the Web for various router models. The list includes D-Link, Cisco, Huawei, ZTE and TP-Link routers; the most targeted models are from TP-Link.
When one of these routers is identified, the malware downloads a list of IP addresses from the command and control server and attempts a brute-force attack on the device’s administration panel.
The C&C server sends the bot a list of common or default passwords to try and access the administration page. The list includes “password,” “qwerty,” “root,” “trustno1,” “admin,” “12345,” “123456,” “abc123” and “administrator.”
Once it gains access, the malware changes the router’s primary DNS server address. By changing this address, cybercriminals can redirect users to arbitrary web pages.
ESET researchers found that users whose computers are infected are redirected to a fake Google Chrome installation site whenever a domain request contains the words “google” or “facebook.”
The fake Chrome pages are set up to distribute Sality. This way, other users relying on the infected router can end up infected as well.
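The redirection behaviour described above leaves a testable symptom on the network: unrelated names containing “google” or “facebook” suddenly resolve to one address, served by a resolver the network never configured. The following is an added example (not code from ESET or from the article) of a check over resolver log lines; the log format, the allowlisted resolvers and all addresses are constructed for illustration.

```python
"""Flag the DNS-hijack symptom: a non-allowlisted resolver, and one answer
address returned for both "google" and "facebook" names."""
import ipaddress
from collections import defaultdict

# Assumption: the resolvers this network is supposed to use (constructed).
ALLOWED_RESOLVERS = {"198.51.100.53", "198.51.100.54"}
# Keywords the rogue resolver keys on, per the ESET description.
TARGET_WORDS = ("google", "facebook")

# Constructed log lines in the form "<qname> <answer> via <resolver>".
SAMPLE_LOG = [
    "www.google.com 198.51.100.20 via 198.51.100.53",   # normal answer
    "www.google.com 203.0.113.7 via 203.0.113.2",       # rogue resolver
    "www.facebook.com 203.0.113.7 via 203.0.113.2",     # same fake address
    "www.example.com 192.0.2.10 via 203.0.113.2",       # untouched name
]


def parse_line(line):
    """Split one log line into (qname, answer address, resolver)."""
    qname, answer, _via, resolver = line.split()
    return qname.lower(), ipaddress.ip_address(answer), resolver


def find_hijack(lines):
    """Return (sorted rogue resolvers, sorted suspicious answer addresses).

    An answer address is suspicious when it was returned for names matching
    more than one of the target keywords, i.e. unrelated sites collapsed
    onto a single host (the fake Chrome installer page).
    """
    rogue = set()
    hits = defaultdict(set)  # answer address -> keywords it answered for
    for line in lines:
        qname, answer, resolver = parse_line(line)
        if resolver not in ALLOWED_RESOLVERS:
            rogue.add(resolver)
        matched = {w for w in TARGET_WORDS if w in qname}
        if matched:
            hits[answer] |= matched
    suspicious = sorted(str(ip) for ip, words in hits.items() if len(words) > 1)
    return sorted(rogue), suspicious


if __name__ == "__main__":
    print(find_hijack(SAMPLE_LOG))  # (['203.0.113.2'], ['203.0.113.7'])
```

On a real network the allowlist check alone catches a rewritten router DNS setting; the answer-collapse check catches the redirection even when the rogue resolver's address is unknown.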
“The IP address used as the primary DNS on a compromised router is part of the Win32/Sality network. In fact, another malware, detected by ESET as Win32/RBrute.B, is installed by Win32/Sality on compromised computers and can act either as a DNS or an HTTP proxy server to deliver the fake Google Chrome installer,” Vanheuverzwijn said in the blog post.
Based on their analysis, researchers have determined that the same group of developers is behind both the main file infector and the new components.
Experts said this operation is similar to the one that relied on the notorious DNSChanger, which infected millions of computers worldwide and redirected their owners to arbitrary domains.
The number of Sality infections has steadily decreased since 2012. However, around December 2013 there was a small increase, which coincided with a new release of the malware.