Researchers from Russian AV company Dr. Web have recently analyzed a Trojan that hacks Wi-Fi routers in order to facilitate the spreading of the infamous Sality malware family.
Sality is one of the oldest malware families out there, and it's partly due to its spreading and communication capabilities that it has survived for this long. It is capable of a variety of malicious actions, including terminating AV software and firewalls, stealing information from infected computers and using them to spam other users, downloading additional malware, and so on.
It also has rootkit capabilities and spreads via removable drives and network shares, and in the most recently observed approach it works in conjunction with the aforementioned Wi-Fi-hacking Trojan – dubbed Rbrute – to propagate itself.
“When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a range of IP addresses to scan,” the researchers explain.
In addition to this, Rbrute can mount a dictionary attack on the router. If successful, it reports back to the remote server, which then “instructs” the router to change the DNS addresses stored in its settings.
“As a result, when a user tries to visit a website, they can be redirected to another site that has been crafted by intruders. This scheme is currently being used by cybercriminals to expand the botnet created using the malware Win32.Sector,” the researchers note. Win32.Sector is just another name for Sality.
Rbrute compromises the router so that other machines using it can ultimately be infected. Currently, the malware redirects targeted users to a spoofed Google Chrome download site, where the file offered for download is actually a Sality variant.
Once on the computer, Sality downloads Rbrute, and so the infection cycle continues.
What can you do to protect your computer and your router from these dangers? Well, a good AV solution should block both, but just in case, change the default settings of your Wi-Fi router and choose a long, complex password that can't easily be cracked by brute forcing. In fact, you should do this by default with every new router you set up.
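A small defensive check for the DNS-tampering step described above, added here as an example and not code from the Dr. Web write-up: it sends a raw A query to the router-configured resolver and to an independent reference resolver, and flags the case where the two answer sets have nothing in common. The resolver addresses and the domain name you pass in are your own; nothing here is taken from the Trojan.

```python
import random
import socket
import struct

def build_a_query(name, txid):
    """Build a minimal DNS A/IN query for `name` with the given transaction id."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(buf, off):  # return offset just past a (possibly compressed) name
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += ln + 1

def parse_a_answers(resp, txid):
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def resolve_a(name, resolver_ip, timeout=3.0):
    """Query `resolver_ip` directly over UDP/53 and return the A records it gives."""
    txid = random.randrange(0x10000)
    query = build_a_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        resp, _ = sock.recvfrom(4096)
    return parse_a_answers(resp, txid)

def hijack_suspected(router_answers, reference_answers):
    """Disjoint answers are a prompt to inspect the router's DNS settings (CDNs can differ)."""
    return not (router_answers & reference_answers)
```

Call `resolve_a("example.com", <router address>)` and `resolve_a("example.com", <independent resolver>)` and pass both sets to `hijack_suspected`; a `True` result means the router's resolver is sending you somewhere the reference resolver does not, which is exactly the symptom this Trojan produces.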
The Rbrute Trojan can currently crack passwords on a number of different router models, including: D-Link DSL-2520U, DSL-2600U, TP-Link TD-W8901G, TD-W8901G 3.0, TD-W8901GB, TD-W8951ND, TD-W8961ND, TD-8840T, TD-8840T 2.0, TD-W8961ND, TD-8816, TD-8817 2.0, TD-8817, TD-W8151N, TD-W8101G, ZTE ZXV10 W300, ZXDSL 831CII.