
Information security experts have gotten their hands on the GhostDNS source code

Jan 28, 2016
GhostDNS is a set of exploits for routers that changes DNS settings using CSRF.

Avast security researchers managed to gain unrestricted access to the components of the GhostDNS exploit kit after the malicious package itself fell into their hands.

GhostDNS is a set of exploits for routers that uses cross-site request forgery (CSRF) to change the router's DNS settings and redirect users to phishing pages that steal their login credentials for various services (online banking, news sites, streaming services, etc.).

The entire source code of the exploit kit, together with its phishing pages, was published as a RAR archive on a file-sharing site by a careless user who apparently had no criminal intent. The user did not protect the archive with a password and had Avast antivirus installed with its Web Shield component (which protects against malicious web content) active, which gave Avast analysts the opportunity to study GhostDNS in detail.

“We downloaded the linked file and found all the source code for the GhostDNS exploit suite,” the researchers said.

The archive's name, KL DNS.rar, indicates that the tool uses DNS hijacking and keylogging to steal its victims' credentials. In total, the archive contained two methods of attacking routers, Router EK and BRUT, both of which use CSRF to change DNS settings.

Router EK attacks from inside the local network and requires the user to click a malicious link. BRUT is a scanner that finds routers reachable from the Internet and attacks them without any user interaction.
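The Router EK method above works because a router's admin page accepts a DNS change from any request that carries the admin's session cookie, which the browser attaches even when the request was forged by another site. The following added example (not code from the article or from the GhostDNS kit) simulates such a router endpoint in two versions, vulnerable and hardened with an origin check plus a per-session CSRF token, and replays a forged cross-site request against each; the router address, third-party domain and DNS addresses are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field

# Assumed LAN address of the router's admin interface (constructed for this example).
ROUTER_ORIGIN = "http://192.168.1.1"

@dataclass
class Router:
    dns: tuple = ("192.168.1.1",)  # resolvers the router hands out to LAN clients
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    """Minimal view of an HTTP request as the router's admin UI would see it."""
    method: str
    params: dict
    headers: dict
    authenticated: bool = True  # the browser auto-attaches the admin session cookie

def set_dns_vulnerable(router: Router, req: Request) -> bool:
    """Trusts the session cookie alone, so a request forged by any site the
    admin's browser visits changes the resolvers: the CSRF weakness GhostDNS abuses."""
    if not req.authenticated:
        return False
    router.dns = (req.params["dns1"], req.params.get("dns2", req.params["dns1"]))
    return True

def set_dns_hardened(router: Router, req: Request) -> bool:
    """Accepts a DNS change only from a POST that originates from the router's own
    origin and carries the CSRF token tied to the admin session."""
    if not req.authenticated or req.method != "POST":
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return False
    if not secrets.compare_digest(req.params.get("csrf", ""), router.csrf_token):
        return False
    router.dns = (req.params["dns1"], req.params.get("dns2", req.params["dns1"]))
    return True

def cross_site_attempt(handler) -> tuple:
    """Replay a forged request (constructed; documentation-range IPs) from a
    third-party page against a fresh router and report whether DNS changed."""
    router = Router()
    forged = Request("POST", {"dns1": "203.0.113.5", "dns2": "203.0.113.6"},
                     {"Origin": "http://third-party.example"})
    return handler(router, forged), router.dns
```

Calling `cross_site_attempt(set_dns_vulnerable)` reports the resolvers replaced, while the hardened handler leaves them untouched and still accepts a genuine same-origin change that carries the session's token.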

The researchers found a list of IP address prefixes in 69 countries (mostly in South America). For each prefix, 65,536 addresses were scanned. Once the operator selected a prefix, some versions of the exploit kit printed the name GhostDNS (misspelled as GostDNS) to signal to operators that the CSRF attack had been executed.