Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

> Routers & Malware
LDTate
post Jun 12 2008, 02:29 PM
Post #1


routers & malware

Posted at MRU by ChrisRLG
http://blog.washingtonpost.com/securityfix...s_wirele_1.html

QUOTE
According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first.
DO NOT leave the default username and password as is, change them.
 
Doug
post Jun 13 2008, 11:11 AM
Post #2


Good Tip, LDTate.

Most owner/users don't bother with making the change... but they really should.
And many that do, forget what username and password they set.

If you've forgotten, you can "start over" by using the "reset" button/paper clip hole.

Doug
 
DaChew
post Jun 13 2008, 12:40 PM
Post #3


So the DNS changer is just making a user change in the settings? and a reset will fix that?

 
Abydos
post Jun 13 2008, 03:47 PM
Post #4


QUOTE (DaChew @ Jun 13 2008, 12:40 PM) *
So the DNS changer is just making a user change in the settings? and a reset will fix that?


You still have to be aware of the Trojan and remove it. Or it will just change the settings again within minutes.
 
AplusWebMaster
post Jun 18 2008, 05:55 AM
Post #5


FYI...

- http://www.trustedsource.org/blog/42/New-D...ks-into-routers
June 13, 2008 - "...behavior is entirely controlled by the attackers’ DNS servers. These could even redirect existing domain names to servers hosting crafted content (Phishing) or servers dynamically modifying real content. Once your DNS settings are under control, the bad possibilities are nearly unlimited. And, even clean machines are affected once a previous infection on just one client behind the shared router successfully cracked the router login..."

 
Noobie07
post Jun 21 2008, 10:01 PM
Post #6


Wait so...how do you set a password for the Wireless Router? Is that possible??? I'm confused here...
 
AplusWebMaster
post Jun 22 2008, 04:37 AM
Post #7


-3- Common home router vendors (pwd change info):

* Linksys:
- http://linksys.custhelp.com/cgi-bin/linksy...hp?p_faqid=3976

* D-Link:
- http://support.dlink.com/faq/view.asp?prod_id=1997

* NetGear:
- http://kbserver.netgear.com/kb_web_files/N100651.asp

 
BuckS
post Jun 22 2008, 01:49 PM
Post #8


So how do you check / figure out that your settings have been changed or if your router has been compromised? That's one small detail that they didn't mention. I wouldn't know the difference between the "correct" DNS setting (or where to check them) and "malware created DNS settings".

If most AV/AM software misses this how can you know if you've been affected?
 
AplusWebMaster
post Jun 22 2008, 04:31 PM
Post #9


If the DNS setting is blank, you are using the DNS servers from your ISP - depending on who/what that is, this can be a dubious scenario.

However, I highly recommend giving OpenDNS a try - http://www.opendns.com/

'Lots of options there, and you'll always know what your DNS settings should be.


 
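
Added example, not part of any post in this thread: one way to run the check asked about in post #8, using the point from post #9 that a fixed resolver choice gives you a known-good value to compare against. It parses Windows `ipconfig /all` output and classifies every DNS server per adapter; the sample output, the `EXPECTED` set and the 203.0.113.53 address are constructed assumptions for illustration.

```python
import ipaddress
import re

# Resolvers you chose on purpose; these two are OpenDNS's published addresses.
EXPECTED = {"208.67.222.222", "208.67.220.220"}

# Constructed `ipconfig /all` excerpt; 203.0.113.53 is a documentation address.
SAMPLE = """\
Ethernet adapter Local Area Connection:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       208.67.220.220

Ethernet adapter Wireless Network Connection:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")   # "   Label . . . : value"
WANTED = {"default gateway": "gateway", "dns servers": "dns"}

def is_ip(text):
    try:
        return bool(ipaddress.ip_address(text))
    except ValueError:
        return False

def parse_ipconfig(output):
    """Return {adapter name: {"gateway": [ips], "dns": [ips]}}."""
    adapters, current, field = {}, None, None
    for line in output.splitlines():
        value = line.strip()
        if line[:1].strip() and value.endswith(":"):   # unindented adapter header
            current, field = adapters.setdefault(value[:-1], {"gateway": [], "dns": []}), None
            continue
        if not is_ip(value):                           # labelled line, not a bare address
            m = FIELD.match(line)
            if not m:
                continue
            field, value = WANTED.get(m.group(1).lower()), m.group(2).strip()
        if current is not None and field and is_ip(value):
            current[field].append(value)               # first value or continuation line
    return adapters

def audit(output, expected=EXPECTED):
    """Return (adapter, dns server, verdict) for every configured DNS server."""
    # "router": the PC asks the router, so the real setting is on the router's DNS page.
    return [(name, ip, "ok" if ip in expected else
             "router" if ip in cfg["gateway"] else "UNEXPECTED")
            for name, cfg in parse_ipconfig(output).items() for ip in cfg["dns"]]
```

A `router` verdict only says the PC forwards its lookups to the router, so the DNS fields on the router's own admin page still have to be compared against the expected values by hand.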
