The forensic breakdown of the attack came first from Fabio Assolini, a researcher for Kaspersky Labs, during a presentation at the Virus Bulletin conference. Graham Cluley at Sophos recounted the presentation in his blog.
Assolini described how at some Brazilian ISPs, more than 50% of users were reported to have been affected by the attack. After the six manufacturers affected issued firmware updates to plug the security hole, the number of compromised modems decreased. However, some 300,000 modems are still thought to be controlled by attackers.
“My suspicion is that the typical computer user doesn't give a second thought about whether their router could be harboring a security threat, imagining that the devices don't need to be treated with suspicion,” said Cluley.
Users’ ADSL modems had been compromised, and the hackers had changed the router's configuration to point to a malicious DNS server. This meant that when the user entered the web address of a legitimate website (like google.com.br or facebook.com) they could be taken to a malicious website instead, posing as the real thing.
Thus, users would visit legitimate websites such as Google, Facebook and Orkut (a popular social network in Brazil) and would be prompted to install software. Visitors to Google.com.br, for instance, were invited to install a program called "Google Defence" in order to access the "new Google."
“Now, normally if you access a router via the internet you will be asked for a username and password – and so long as the user has chosen hard-to-guess login credentials (and not gone with manufacturer's defaults) all should be well,” explained Cluley. “Unfortunately, in this case, the hackers were able to exploit a vulnerability in the Broadcom chip included in some routers.”
The Broadcom flaw allows a cross-site request forgery (CSRF) attack to be performed against the administration panel of the ADSL modem, capturing the password set on the device and allowing the attacker to make changes, usually to the DNS servers, Cluley said. So the exploit allowed malicious hackers to break into millions of routers remotely, without having to know the passwords being used to protect them.
The hackers were then able to change the ADSL modem's DNS settings – pointing them to one of 40 malicious DNS servers around the world. The end result was that many Brazilian users downloaded code, mistakenly believing it was from websites they trusted.
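A defender-side check for the condition described above, added here as an example and not code from the article or from the researchers it quotes: it flags DNS servers a modem hands out that belong neither to the ISP nor to a known public resolver, compares A records obtained through the modem's resolver against an independent resolver, and spots the hallmark of this campaign, several unrelated popular names all resolving to the same host. The ISP resolver block and every address in the sample data are constructed using RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the article); addresses use RFC 5737
# documentation ranges, so nothing here is a real host or resolver.
ISP_RESOLVER_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical ISP resolver block
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}
# DNS servers the ADSL modem handed out via DHCP; the second is neither ISP nor public.
SAMPLE_CONFIGURED = ["192.0.2.53", "203.0.113.7"]
# A records for a few well-known names as answered by the modem's resolver ...
SAMPLE_VIA_ROUTER = {"www.google.com.br": ["203.0.113.80"],
                     "www.facebook.com": ["198.51.100.10"],
                     "www.orkut.com": ["203.0.113.80"]}
# ... and by an independent resolver queried directly, bypassing the modem.
SAMPLE_VIA_TRUSTED = {"www.google.com.br": ["198.51.100.20"],
                      "www.facebook.com": ["198.51.100.10"],
                      "www.orkut.com": ["198.51.100.30"]}

def unexpected_resolvers(configured, isp_nets=ISP_RESOLVER_NETS, public=KNOWN_PUBLIC_RESOLVERS):
    """DNS servers that belong neither to the ISP's resolver space nor to a known public resolver."""
    flagged = []
    for addr in configured:
        ip = ipaddress.ip_address(addr)
        if addr not in public and not any(ip in net for net in isp_nets):
            flagged.append(addr)
    return flagged

def divergent_answers(via_router, via_trusted):
    """Names whose router-supplied A records share no address with the trusted resolver's answer."""
    diverging = {}
    for name, trusted in via_trusted.items():
        routed = set(via_router.get(name, ()))
        if not routed & set(trusted):
            diverging[name] = sorted(routed)
    return diverging

def shared_targets(diverging):
    """Addresses that several unrelated hijacked names resolve to: one host posing as many sites."""
    by_ip = defaultdict(list)
    for name, addrs in diverging.items():
        for addr in addrs:
            by_ip[addr].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}

def hijack_report(configured, via_router, via_trusted):
    # Combine the three checks into one finding set for a given client or modem.
    diverging = divergent_answers(via_router, via_trusted)
    return {"unexpected_resolvers": unexpected_resolvers(configured),
            "divergent_answers": diverging,
            "shared_targets": shared_targets(diverging)}
```

In practice the two answer dictionaries would be filled by querying the same names once through the modem's resolver and once against a resolver reached directly, so a clean modem yields an empty report.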
“Ironically, if users contacted their anti-virus vendor's tech support line and asked them about the safety of files like facebook.com/ChromeSetup.exe, chances are that the support technician would not be able to locate the file themselves because their own computers were not running through malicious DNS servers,” said Cluley. “And, of course, affected users would often be adamant that they had done nothing wrong – certain that their computers were fully updated with patches and anti-virus. But, of course, that didn't stop the remote attack on their router.”
The DNS redirects were first reported last fall, but the inner workings of the attacks and the ongoing nature of the problem were revealed just this week.