
Win32/RBrute

Posted: April 3, 2014

Win32/RBrute is a new component of updated variants of Sality, a particularly sophisticated virus that can delete files, distribute spam messages and open a backdoor on the infected PC. The purpose of current Win32/RBrute implementations is clear: Win32/RBrute modifies the infected PC's router to use settings that redirect vulnerable browsers to threat websites, which currently install new versions of Sality. The browser hijack lets PCs sharing a router with an infected machine become infected in turn. Malware experts classify Win32/RBrute as a high-level threat, and recommend removing Win32/RBrute, Sality and all unwanted browser changes with suitable anti-malware solutions.

When Your Router Gets Brutalized by a Threat's Sidekick

While viruses tend to be thought of as the threats of yesteryear, some of them have achieved longevity through continued updates, such as Sality. Besides being a file infector that inserts its code into EXE files, Sality also includes support for varied attacks that make it not dissimilar to a rootkit or a backdoor Trojan. Win32/RBrute is one of the newest PC threats seen cooperating with Sality; it was first clearly identified in late 2013, with activity continuing into 2014.

Win32/RBrute identifies router equipment by brand and particularly targets TP-Link models. However, D-Link, Cisco and other companies' routers also are at risk. Win32/RBrute's method of hacking the router is unsophisticated but potentially effective: Win32/RBrute uses 'brute force' attacks that try to match the router's password against a list of common passwords, including 'admin,' 'qwerty' and '123456.' Once Win32/RBrute gains access to the router, malware experts found that it consistently modifies the router's DNS settings to redirect users to corrupted websites hosting installers for Sality.

Thus far, redirects by Win32/RBrute Trojans have only been set to trigger for browsers attempting to load Facebook or Google websites. The Sality installer is disguised as an installer for a Chrome update. However, an essential facet of Win32/RBrute's strategy is that any browser that uses the compromised router's settings may be subjected to these hijacks. Malware experts especially emphasize that browsers of all brands, and even browsers on other, uninfected computers sharing the router, may be affected and, therefore, may become infected as well.
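Because the hijack lives in the router, every host that takes its DNS settings from that router is exposed, so a cheap check on the endpoint is to compare the resolvers a host actually received against a known-good baseline. The following is an added example, not code from the original article or from any vendor: it parses `ipconfig /all` output and flags resolvers outside the baseline. The baseline addresses and the `ipconfig` text are constructed sample data, and the addresses are placeholders, not real indicators.

```python
"""Flag DNS resolvers on a Windows host that fall outside a trusted baseline.

Win32/RBrute changes the router's DNS settings; every DHCP client of that
router then resolves names through the attacker's resolver. Comparing the
resolvers the host received against a baseline catches that change without
needing access to the router itself.
"""
import re

# Hypothetical baseline: the router itself plus the resolvers the owner
# deliberately configured. Replace with the values of the real network.
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Constructed `ipconfig /all` excerpt; 203.0.113.77 is a documentation-range
# placeholder standing in for a resolver the router should not be handing out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.77
                                       192.168.1.1
"""


def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses listed in `ipconfig /all` output.

    The first resolver sits on the 'DNS Servers' line; any further resolvers
    follow on continuation lines that contain nothing but an address.
    """
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        match = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        if match:
            servers.append(match.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            continuation = line.strip()
            if re.fullmatch(r"[0-9A-Fa-f.:]+", continuation):
                servers.append(continuation)
            else:
                in_dns_block = False  # next field reached; stop collecting
    return servers


def find_rogue_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Return the resolvers that are not in the trusted baseline, in order."""
    return [server for server in servers if server not in trusted]
```

Run it against the output of `ipconfig /all` on each machine behind the router; any resolver reported here should be compared with the router's DNS page before the router is reset.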

Getting a Brute out of Your Router

Win32/RBrute has been seen in at least two major variants and is believed to be in active development at this time. For PC users with routers, choosing uncommon passwords that are unlikely to appear in Win32/RBrute's password list will protect their routers from unwanted DNS changes. However, compromised computers will require anti-malware protection to block related attacks, remove Win32/RBrute and disinfect files that Sality has infected. As with any such threat, Sality may spread rapidly through unrelated files, and malware analysts recommend watching for potential breaches in network or peripheral device security.

Win32/RBrute's attack is not structurally innovative and is very similar to previous attacks by other browser hijackers, such as DNS Changer, which the US FBI was responsible for terminating. However, its inclusion in the Sality campaign, and the purpose behind its browser hijackings, make Win32/RBrute a high-level threat to any PC that uses a router. Resetting your router should be considered mandatory after cleaning up any Win32/RBrute attack, along with the usual anti-malware solutions always encouraged by malware experts.
