DSL modem hack used to infect millions with banking fraud malware
ArsTechnica
Millions of Internet users in Brazil have fallen victim to a
sustained attack that exploited vulnerabilities in DSL modems, forcing
people visiting sites such as Google or Facebook to reach imposter sites
that installed malicious software and stole online banking credentials,
a security researcher said.
The attack, described late last week during a presentation
at the Virus Bulletin conference in Dallas, infected more than 4.5
million DSL modems, said Kaspersky Lab expert Fabio Assolini, citing
statistics provided by Brazil's Computer Emergency Response Team. The
CSRF (cross-site request forgery) vulnerability allowed attackers to use
a simple script to steal passwords required to remotely log in to and
control the devices. The attackers then configured the modems to use
malicious domain name system servers that caused users trying to visit
popular websites to instead connect to booby-trapped imposter sites.
"This is the description of an attack happening in Brazil since 2011
using 1 firmware vulnerability, 2 malicious scripts and 40 malicious DNS
servers, which affected 6 hardware manufacturers, resulting in millions
of Brazilian internet users falling victim to a sustained and silent
mass attack on DSL modems," Assolini wrote in a blog post published on Monday morning.
"This enabled the attack to reach network devices belonging to millions
of individual and business users, spreading malware and engineering
malicious redirects over the course of several months."
Assolini said the mass attack was the result of a "perfect storm"
brought on by the inaction of several key players, including ISPs,
modem manufacturers, and the Brazilian government agency that approves
network devices but failed to test any of the modems for security.
It remains unclear which modem manufacturers and models are susceptible to the attacks. Assolini said a vulnerability disclosed in early 2011
appears to be caused by a chipset driver included with modems that use
hardware from communications chip provider Broadcom. It allows a CSRF
attack to take control of the administration panel and capture the
password set on vulnerable devices. Assolini doesn't know precisely
when, but at some point attackers began exploiting the vulnerability on
millions of Brazilian modems. In addition to pointing the devices to
malicious DNS servers, the attackers also changed the device passwords
so that it would be harder for victims to undo the malicious settings.
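The weakness described above is a settings handler that applies any request arriving on an authenticated session, regardless of where the request came from. The following added example (not code from the article, Kaspersky, or any modem vendor; the admin-panel address, handler names and resolver addresses are constructed placeholders) contrasts that pattern with a hardened handler that checks the request origin and a per-session anti-CSRF token before changing the DNS servers, plus the baseline comparison a defender would use to spot a modem whose resolvers have been silently replaced.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

# Hypothetical LAN address of the modem's admin panel (constructed for this example).
EXPECTED_ORIGIN = "http://192.168.1.1"


@dataclass
class ModemConfig:
    # ISP-provided resolvers, represented by documentation-range placeholder addresses.
    dns_servers: list = field(default_factory=lambda: ["203.0.113.53", "203.0.113.54"])


@dataclass
class AdminSession:
    # Per-session anti-CSRF token issued together with the admin page.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def set_dns_vulnerable(cfg, form):
    """The pattern that enabled the attack: any POST that reaches an
    authenticated session is applied, with no check on who sent it."""
    cfg.dns_servers = [form["dns1"], form["dns2"]]
    return True, "applied"


def set_dns_hardened(cfg, session, headers, form):
    """Same settings change, but only for requests that come from the admin
    page itself, carry the session's token, and contain valid addresses."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != EXPECTED_ORIGIN and not origin.startswith(EXPECTED_ORIGIN + "/"):
        return False, "rejected: cross-site origin"
    token = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "rejected: missing or wrong CSRF token"
    try:
        servers = [str(ipaddress.IPv4Address(form.get(k, ""))) for k in ("dns1", "dns2")]
    except ipaddress.AddressValueError:
        return False, "rejected: malformed DNS address"
    cfg.dns_servers = servers
    return True, "applied"


def dns_matches_baseline(cfg, baseline):
    """Defender-side check: flag a modem whose resolvers no longer match the
    ISP's known-good list, the symptom that exposed this campaign."""
    return sorted(cfg.dns_servers) == sorted(baseline)
```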
Full story on the ArsTechnica site