CNet, citing an entry on SecureComputing's TrustedSource blog made last week, has highlighted a new variant of the DNSChanger trojan designed to target routers and change the addresses used for DNS resolution.
The Domain Name Service, or DNS, is the system by which plain-text names like yahoo.com are converted to IP addresses like 91.198.165.67. A computer wishing to visit a website queries a central server, often hosted by your ISP, which contains a massive database of these translations in order to figure out where to go. By reconfiguring the router to point at compromised servers containing poisoned DNS records, a hacker is able to cause every host on that network to think it's visiting one site when it's actually browser one under the cracker's control. You might think you're visiting your bank's website, but it's really a phishing system run by the attacker.
The trojan accomplishes the router reconfiguration by attempting a dictionary attack on the router's management interface. Shipping with a preconfigured list of default logins for common home and office routers, the trojan attempts a login on the default gateway IP for the infected host every hundred milliseconds. Although the malware only knows about a set number of common devices – the fact that each manufacturer tends towards its own, custom-built web interface rather than an industry standard is acting in the customers' favour for a change – that's no comfort if yours in on the list, nor does it preclude the release of a future variant with a more robust list of vulnerable systems.
