Hello, welcome to the Wednesday, October 3, 2018 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Honolulu, Hawaii.

Yara rules are rules that were designed to essentially build sort of antivirus engines, detect Malware, and in general,

sort of detects various patterns in binaries. It can be quite useful to create your own

Yara rules occasionally. If you wonder how that works, DDA has a nice little tutorial in

yesterday's diary for you.

NetLab 360 has an interesting blog post with details about a DNS changer campaign that they have been tracking recently.

DNS changers typically use exploits or weak passwords to change the DNS settings

in routers. And a couple cases also exploits like cross-side request forging. Now, in this case,

it seems to be they use the former, so weak passwords and some exploits against vulnerable scripts that lead to all the occasion

bypass in order to update the DNS settings on these routers.

Now, many DNS changer campaigns really just change the DNS settings to direct victims to

spam and ad campaigns or to redirect, for example, Google to

their own search engine. In this case, it looks like the bad guys went a step further and

launched full fishing attacks. What it did was if a user went to a bank's website, they would redirect them via the bad DNS server to a fishing site that would then steal the victim's credentials.

Netlab 360 is calling this particular group Ghost DNS and they have been tracking them now for a while.

At this point, they appear to be focusing on routers in Brazil.

The 100 plus thousand routers that NetLab 360 beliefs are infected by this particular attack

use 70 plus different firmware and router combinations,

and also more than 50 domain names were redirected by this tag.

Again, focusing on banks, but also things like, for example, Netflix were redirected to steal credentials.

Your number one defense against attacks like this should be TLS. If the bank's website has TLS

...