From a list of different routers URLs and a dictionary of default passwords, the malware brute force the web interface and hijacks DNS settings.
List of URL from various routers
Dictionary of default login:passwords
DNSChanger IP address in Ukraine
If the attack succeeds, all computers in the network using the router DNS settings are affected. The hijacked devise can redirects connections to a fake website.
See trustedsource.org and washingtonpost.com blogs.
