Botnet Sality now attacks routers, changes primary DNS
April 3, 2014
ESET has reported that the widespread Sality botnet, aimed primarily at online ad scams and FTP password stealing, now includes a component that changes the primary DNS resolver of home routers. The component, called Win32/Rbrute, searches for a router's web administration interface and tries some of the most widely used passwords to access it. If successful, it changes the address of the primary DNS resolver to a server controlled by the attacker. When a user of the infected router tries to access any website with “google” or “facebook” in its address, they are instead sent to a page offering installation of a fake Google Chrome browser. The DNS resolver on the router is then changed to a legitimate Google service.