More than 4.5 million DSL modems have been compromised as part of a sustained hacking campaign in Brazil, with the devices spreading malware and malicious web address redirects.
According to Fabio Assolini, a malware analyst at Kaspersky Lab in Brazil, the vulnerability exploited by the attackers allowed a script to steal passwords and remotely access the modems' configuration. The attacks were described as "One firmware vulnerability, two malicious scripts, three hardware manufacturers, 35 malicious DNS servers, thousands of compromised ADSL modems, millions of victims."
According to Kaspersky, the Brazilian attackers sought to steal users' banking credentials by redirecting users to false versions of popular sites like Facebook or Google and prompting them to install malware. Some 40 DNS servers were set up outside Brazil too in order to serve forged requests for domain names belonging to Brazilian banks.
Naked Security writes: "The first thing users may have noticed is that they would visit legitimate websites such as Google, Facebook and Orkut (a Google social network which is particularly popular in Brazil) and would be prompted to install software. In the example below, visitors to Google.com.br were invited to install a program called "Google Defence" in order to access the "new Google"."
It remains unclear which modem manufacturers and models are susceptible to the attacks. Assolini said a vulnerability disclosed in early 2011 appears to be caused by a chipset driver included with modems that use hardware from communications chip provider Broadcom. It allows a CSRF attack to take control of the administration panel and capture the password set on vulnerable devices.
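The two defensive checks that follow from this story are (a) a modem admin panel that refuses state-changing requests which do not carry a per-session anti-CSRF token and a same-origin Origin/Referer header, which is the control the Broadcom-based firmware lacked, and (b) an audit of the resolver addresses a modem is configured with, so that a rogue DNS server of the kind the attackers used stands out. The Python below is an added example written for this page; it is not code from Kaspersky, Naked Security or any modem vendor. The modem address, the ISP resolver list, the LAN subnet and the function names are all assumptions chosen for illustration.

```python
import hmac
import ipaddress
import secrets
from urllib.parse import urlparse

# Constructed values for the example: the LAN address the admin panel is served
# from, the modem's LAN subnet, and the ISP's legitimate recursive resolvers.
MODEM_HOST = "192.168.1.1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ISP_RESOLVERS = {"203.0.113.53", "203.0.113.54"}  # TEST-NET-3, constructed


def issue_csrf_token(session):
    """Mint an unpredictable per-session token and remember it server-side.

    The token is embedded in the admin panel's own forms; a page on another
    site cannot read it, so a forged cross-site form post cannot supply it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _same_origin(headers):
    """True only if the browser says the request came from the modem itself.

    A cross-site form submission carries the attacker's Origin (or, for older
    browsers, a Referer on the attacker's site); an absent header is treated
    as untrusted rather than allowed through.
    """
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    return urlparse(origin).hostname == MODEM_HOST


def authorize_config_change(headers, form, session):
    """Decide whether a state-changing admin request (e.g. 'set DNS servers',
    'change admin password') may proceed. Returns (allowed, reason).

    This is the check the vulnerable firmware effectively did not perform: it
    acted on any request that arrived with the logged-in user's session.
    """
    if not session.get("authenticated"):
        return False, "not logged in"
    if not _same_origin(headers):
        return False, "cross-origin request"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def find_rogue_resolvers(configured, allowed=ISP_RESOLVERS, lan=LAN_NET):
    """Return the configured DNS server addresses that are neither the ISP's
    known resolvers nor an address on the modem's own LAN.

    On a hijacked modem the DNS setting points at an attacker-run server, which
    is exactly what this audit surfaces. Invalid strings are reported as rogue
    rather than silently skipped.
    """
    rogue = []
    for addr in configured:
        if addr in allowed:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            rogue.append(addr)
            continue
        if ip in lan:
            continue  # the modem forwarding for itself is normal
        rogue.append(addr)
    return rogue


if __name__ == "__main__":
    session = {"authenticated": True}
    token = issue_csrf_token(session)
    # A genuine post from the admin panel's own form.
    print(authorize_config_change({"Origin": "http://192.168.1.1"},
                                  {"csrf_token": token}, session))
    # A forged post from another site carrying no token.
    print(authorize_config_change({"Origin": "http://attacker.example"},
                                  {}, session))
    # Constructed resolver list as read from a modem's DNS settings page.
    print(find_rogue_resolvers(["192.168.1.1", "203.0.113.53", "198.51.100.7"]))
```

The resolver audit can be run by an ISP support desk or a user against the addresses shown on the modem's DNS settings page or handed out by its DHCP server; anything it reports that is not a known resolver deserves a firmware update and a password change.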
After manufacturers issued firmware updates to plug the security hole, the number of compromised modems fell. However, some 300,000 modems are still thought to be under the attackers' control.