Rbrute Trojan hacks Wi-Fi routers to help spread Sality
Posted on 13.03.2014
Researchers from Russian AV company Dr. Web have recently analyzed a Trojan that hacks Wi-Fi routers in order to facilitate the spreading of the infamous Sality malware family.


Sality is one of the oldest malware families still active, and it is partly due to its spreading and communication capabilities that it has survived this long. It is capable of a variety of malicious actions, including terminating AV software and firewalls, stealing information from infected computers and using it to spam other users, downloading additional malware, and so on.

It also has rootkit capabilities and spreads via removable drives and network shares. In the most recently observed approach, it works in conjunction with the aforementioned Wi-Fi-router-hacking Trojan, dubbed Rbrute, to propagate itself.

"When launched on a Windows computer, Trojan.Rbrute establishes a connection with the remote server and stands by for instructions. One of them provides the Trojan with a range of IP addresses to scan," the researchers explain.

In addition to scanning, Rbrute can mount a dictionary attack against the login of each router it finds. If a password from its list works, it reports back to the remote server, which then "instructs" the router to change the DNS server addresses stored in its settings.

"As a result, when a user tries to visit a website, they can be redirected to another site that has been crafted by intruders. This scheme is currently being used by cybercriminals to expand the botnet created using the malware Win32.Sector," the researchers note. Win32.Sector is Dr. Web's detection name for Sality.

Rbrute compromises the router so that every machine behind it can eventually be infected: once the router's DNS settings point at attacker-controlled servers, targeted users are redirected to a spoofed Google Chrome download site, where the file offered for download is actually a Sality variant.
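The point of the attack is a changed DNS setting, and a client behind the hijacked router picks that setting up via DHCP. As an added illustration (this is not code from Dr. Web or from the original article), the following script performs the check a defender would run on a Windows client: it parses the default gateway and the DNS server entries out of `ipconfig /all` output and flags any resolver that is neither the router itself nor on an allow-list of expected resolvers. The `ipconfig` sample, the 198.51.100.7 "rogue" resolver and the allow-listed resolver addresses are constructed assumptions, not captured data.

```python
"""Check DHCP-assigned DNS resolvers against the ones a network should hand out.

The Rbrute/Sality scheme rewrites the DNS servers in a router's settings, and
every client that takes its DNS from that router via DHCP then resolves names
through attacker-controlled servers.  This script parses the gateway and DNS
server lines out of `ipconfig /all` output and flags any resolver that is
neither the gateway itself nor on an allow-list of expected resolvers.
"""
import re

# Constructed sample of `ipconfig /all` output; not captured from an infected
# host.  198.51.100.7 (a documentation-range address) stands in for an
# attacker-controlled resolver that a hijacked router would hand out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-01

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Resolvers this network is expected to use (assumed values: 203.0.113.53 is a
# documentation-range placeholder for the ISP's resolver, 8.8.8.8 is Google
# Public DNS).  Replace with the resolvers you or your ISP actually configured.
EXPECTED_RESOLVERS = {"203.0.113.53", "8.8.8.8"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
GATEWAY_RE = re.compile(r"^\s*Default Gateway[ .]*: " + IPV4)
DNS_RE = re.compile(r"^\s*DNS Servers[ .]*: " + IPV4)
# ipconfig lists extra DNS servers on indented lines holding only an address.
CONTINUATION_RE = re.compile(r"^\s+" + IPV4 + r"\s*$")


def parse_ipconfig(text):
    """Return (gateway, [dns servers]) parsed from `ipconfig /all` output."""
    gateway = None
    dns_servers = []
    in_dns_block = False
    for line in text.splitlines():
        m = GATEWAY_RE.match(line)
        if m:
            gateway = m.group(1)
            in_dns_block = False
            continue
        m = DNS_RE.match(line)
        if m:
            dns_servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            m = CONTINUATION_RE.match(line)
            if m:
                dns_servers.append(m.group(1))
                continue
            in_dns_block = False  # first non-address line ends the block
    return gateway, dns_servers


def classify_resolvers(gateway, dns_servers, expected=EXPECTED_RESOLVERS):
    """Label each resolver 'ok' (the gateway or allow-listed) or 'suspicious'.

    The gateway is accepted because many home routers act as a forwarding
    resolver for their LAN; anything else not on the allow-list is reported.
    """
    findings = []
    for server in dns_servers:
        verdict = "ok" if server == gateway or server in expected else "suspicious"
        findings.append((server, verdict))
    return findings


def check(text, expected=EXPECTED_RESOLVERS):
    """Return the list of suspicious resolvers found in `text` (empty when clean)."""
    gateway, dns_servers = parse_ipconfig(text)
    return [s for s, v in classify_resolvers(gateway, dns_servers, expected)
            if v == "suspicious"]


if __name__ == "__main__":
    gw, servers = parse_ipconfig(SAMPLE_IPCONFIG)
    print("gateway:", gw)
    for server, verdict in classify_resolvers(gw, servers):
        print(f"  {server:16} {verdict}")
```

On a real machine, feed the script the output of `ipconfig /all` instead of the embedded sample. A "suspicious" resolver is not proof of compromise on its own (an ISP may legitimately change resolvers), but in combination with a router that still has its default admin password it is exactly the symptom the article describes, and the router's own DNS settings should be inspected next.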

Once on the computer, Sality downloads Rbrute, and so the infection cycle continues.

What can you do to protect your computer and your router from these dangers? A good AV solution should block both pieces of malware, but in case it doesn't, change the default settings of your Wi-Fi router, and in particular replace the default administrator password with a long, complex one that does not appear in any word list and cannot be cracked by a dictionary or brute-force attack. Do this with every new router you set up. Since the payoff of the attack is a changed DNS setting, it is also worth checking that the DNS servers stored in the router's configuration are the ones you or your ISP chose, and restoring them if they are not.

Rbrute can currently crack passwords on a number of different router models, including:

D-Link: DSL-2520U, DSL-2600U
TP-Link: TD-W8901G, TD-W8901G 3.0, TD-W8901GB, TD-W8951ND, TD-W8961ND, TD-8840T, TD-8840T 2.0, TD-8816, TD-8817, TD-8817 2.0, TD-W8151N, TD-W8101G
ZTE: ZXV10 W300, ZXDSL 831CII

COPYRIGHT 1998-2014 BY HELP NET SECURITY.