Press releases

Avast Analyzes GhostDNS Exploit Kit Source Code Used to Attack Brazilian Routers

Exploit Kit known for stealing credit card information and login credentials is set up to scan tens of thousands of IP addresses in Brazil, the U.S., and Mexico for open ports

Exploit Kit known for stealing credit card information and login credentials is set up to scan tens of thousands of IP addresses in Brazil, the U.S., and Mexico for open ports


PRAGUE, Czech Republic, May 20, 2020 - Avast (LSE:AVST), a global leader in digital security and privacy products, gained access to and analyzed the source code of the GhostDNS Exploit Kit. The exploit kit has been used to infect routers in Brazil, and carries out cross-site request forgery (CSRF) attacks to change router DNS settings, sending users to phishing sites to steal login credentials and credit card information submitted to the fake sites. The analysis shows that the exploit kit is designed to scan tens of thousands of IP addresses for open ports that could allow the cybercriminals to intrude the devices, majorly in Brazil, the U.S., and Mexico but ultimately only affects routers with Brazilian IP addresses. A closer look at the source code showed that the attackers can also change the infected router’s login credentials to predefined credentials.

Avast gained access to the source code when the Avast Web Shield, included in all versions of Avast Antivirus, blocked an Avast user attempting to share the source code on a file sharing platform. The exploit kit, which in 2018 was sold online for approximately 450 USD, is typically distributed via malvertising, malicious advertising, but can also attack routers across the internet by first scanning the Internet for open IP addresses, and then a script that attempts to gain access to routers using default login credentials or commonly used credentials. Once the exploit kit gains access to a router via CSRF, it uses a DNS hijack method to redirect users to phishing sites designed to look identical to the sites they are actually trying to visit. Anything the user submits through the phishing site, for example, login credentials or credit card information, is sent directly to the attacker.  

The analysis shows that one of the exploit kits versions is designed to scan about 5 billion IP addresses for open ports that could be exploited, out of which over 50% are IP addresses in Brazil, over 20% in the U.S., and over 10% located in Mexico.

“One of the interesting findings we had was that the exploit kit intentionally excludes certain IP addresses of the Public University in Campinas (Universidade Estadual de Campinas) in Brazil, which is a member of the Distributed Honeypots Project focusing on the analysis of threats targeting devices on the internet,” said Simona Musilová, Threat Analyst at Avast. “We believe that the cybercriminals want their exploit kit to remain unnoticed for as long as possible, and therefore avoid this known range of IP addresses.”

 Included in the source code, Avast found a list of router login credentials* and the source code of phishing pages** that can be used to carry out attacks. The phishing pages included pages imitating some of the biggest banks in Brazil, Netflix, hosting domains, a news site, and travel companies.

“As far as we know, we are the first to analyze the GhostDNS Exploit Kit source code, which is commonly used to target Brazilians who have not changed their router’s default router login credentials, or who use weak credentials. While there is no active campaign at the moment, in November 2019, we blocked more than 7,000 CSRF attack attempts to carry out commands without the users’ knowledge, to silently modify the users’ DNS settings to perform attacks. Based on our data, 76% of router login credentials in Brazil have weak login passwords, leaving them vulnerable to CSRF attacks,” Musilová said.  

People can find out whether their router is infected by using the Avast Wi-Fi Inspector feature, which is part of Avast Free Antivirus and all of Avast’s paid antivirus versions, which also includes Avast Web Shield, a core shield that protects users from CSRF attacks.

The full analysis of the GhostDNS source code Avast analyzed can be found here: https://decoded.avast.io/simonamusilova/ghostdns-source-code-leaked/.

* Router Login credentials the exploit kit uses to attempt to gain access to routers:

  • :
  • :admin
  • :root
  • ACESSO:@@ACESSO##POINT#@
  • admin2:admin2
  • admin:
  • Admin:
  • admin:1
  • admin:123
  • admin:1234
  • admin:123456
  • admin:1234567890
  • admin:@!JHGFJH15
  • admin:admin
  • Admin:admin
  • Admin:Admin
  • admin:adsl
  • admin:bigb0ss
  • admin:buildc0de
  • admin:bulld0gg
  • admin:bullyd0gg
  • admin:deadcorp2017
  • admin:deadcp2017
  • admin:deus1010
  • admin:dn5ch4ng3
  • admin:dnschange
  • admin:Gidlinux2019
  • admin:gpnet321
  • admin:gvt12345
  • admin:internet
  • admin:K3LLY2016
  • admin:krug3rpicao
  • admin:m3g4m4ln
  • admin:m3g4m4n
  • admin:megaman
  • admin:megaman2
  • admin:mundo
  • admin:p4dr40
  • admin:passthehash
  • admin:password
  • admin:publ1c0
  • admin:roteador
  • admin:s1m23l
  • admin:saho4001
  • admin:theb0ss
  • admin:thed0gg
  • admin:uhuwCorp
  • admin:Voltage2016
  • admin:zyxel
  • cisco:cisco
  • deadcorp2017:deadcorp2017
  • jordam:jdmadmin
  • megaman:megaman
  • megaman:megaman2
  • provedor:MACAXEIRA
  • provedor:SIERRABRAVO
  • root:
  • root:123
  • root:44acesso22point2014
  • root:admin
  • root:bigb0ss
  • root:buildc0de
  • root:bulld0gg
  • root:bullyd0gg
  • root:deus1010
  • root:Gidlinux2019
  • root:K3LLY2016
  • root:m3g4m4ln
  • root:m3g4m4n
  • root:root
  • root:theb0ss
  • root:thed0gg
  • root:toor
  • root:Voltage2016
  • super:megaman
  • super:super
  • support:bigb0ss
  • support:buildc0de
  • support:bulld0gg
  • support:bullyd0gg
  • support:deus1010
  • support:Gidlinux2019
  • support:K3LLY2016
  • support:m3g4m4ln
  • support:m3g4m4n
  • support:theb0ss
  • support:thed0gg
  • support:Voltage2016
  • T1m4dm:
  • T1m4dm:@T1m@dml1v@
  • T1m4dm:T1m4dm
  • T1m4dm:T1m@dml1v
  • ubnt:ubnt
  • user:
  • user:megaman
  • user:user

** The source code of phishing sites designed to look like the following pages were included in the GhostDNS source code:

  • Banco Bradesco
  • Itau
  • Caixa
  • Santander
  • MercadoPago
  • CrediCard
  • Netflix
  • Flytour Viagens
  • Banco de Brazil
  • Cartao UNI
  • Sicoob
  • Banco Original
  • CitiBank
  • Locaweb
  • MisterMoneyBrazil
  • UOL
  • PayPal
  • LATAM Pass
  • Serasa Experian
  • Sicredi
  • SwitchFly
  • Umbler