67 replies to this topic

[AplusWebMaster]

FYI...

- http://blog.washingt...s_wirele_1.html
June 11, 2008 - "...recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list* of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first. DNS can be thought of as the Internet's phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking equipment to handle. While researchers have long warned that threats against hardware routers could one day be incorporated into malicious software, this appears to be the first time this behavior has been spotted in malware released into the wild. The type of functionality incorporated into this version of the Zlob Trojan is extremely concerning for a number of reasons. First, Zlob is among the most common type of Trojan downloaded onto Windows machines. According to Microsoft, the company's malicious software removal tool [MSRT] zapped some 14.3 million instances of Zlob-related malware from customer machines in the second half of 2007. The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think to look to the router settings, provided the customer's Internet connection is functioning fine... Specific, manufacturer-based video tutorials on how to secure your wireless router are available at this link**..."
* http://blog.washingt...ix/zlobpass.txt

** http://onguardonline...orials-wireless

- http://www.trustedso...ks-into-routers
June 13, 2008 - "...behavior is entirely controlled by the attackers’ DNS servers. These could even redirect existing domain names to servers hosting crafted content (Phishing) or servers dynamically modifying real content. Once your DNS settings are under control, the bad possibilities are nearly unlimited. And, even clean machines are affected once a previous infection on just one client behind the shared router successfully cracked the router login..."

!

Edited by AplusWebMaster, 18 June 2008 - 05:19 AM.

[AplusWebMaster]

FYI...

- http://blog.trendmic...-engine-market/
August 7, 2008 - "More than a year ago, Trend Micro threat researchers uncovered a network of over 900 rogue DNS (Domain Name System) servers related to the ZLOB Trojan family. We gave examples showing that these rogue DNS servers are part of click fraud and leakage of personal information. Just recently, however, we discovered that this network is now targeting four of the most popular search engines. In a large scale click fraud scheme, the ZLOB gang appears to hijack search results and to replace sponsored links with DNS “tricks”... These ZLOB Trojans we found, silently change the local DNS settings of affected systems to use two out of the abovementioned 900+ rogue DNS servers. These Trojans spread by advanced social engineering tricks; an example would be professional-looking Web sites that promise Internet users access to pornographic movies after installing malware that pose as video codecs. The number of ZLOB-related infections is huge — for the last six months of 2007, Microsoft reported more than 14,000,000 infections. It now appears that the ZLOB gang has entered the multibillion-dollar search engine market. ZLOB’s rogue DNS servers resolve several domain names of the main engines to fraudulent IP addresses. Among others, this criminal operation has even set up rogue sites of the UK and Canadian versions of one of the largest search engines. Even searches performed via the installed browser toolbar (provided by the same company) are now being hijacked by ZLOB. Another popular search engine company has been hit even harder — most, if not all, domain names of the search engine that give back search results get resolved to fraudulent Web sites by the rogue DNS servers. The primary objective of ZLOB here appears to be stealing traffic and clicks from search engines, making money along the way. Affected users are immediately redirected to sites that are not at all related to their original search queries. All sponsored search hits of the two main search engines we analyzed were hijacked by ZLOB. Clicks on sponsored links then are not credited to big search engine companies, but to the ZLOB gang instead..."

[AplusWebMaster]

FYI...

- http://www.viruslist...pubid=204792017
Sep 01 2008 - "... most widespread malicious programs... This table shows the malicious programs detected on users’ computers...
1. Trojan.Win32.DNSChanger.ech ..."


'Still around (i.e.):
- http://www.grisoft.c...download-update
IAVI: / 1655 - Added detection of new variant of Win32/Virut, Worm/Brontok,
new variants of trojans DNSChanger, Dropper.Bravix, Downloader.Tiny.
September 5, 2008

Edited by AplusWebMaster, 06 September 2008 - 07:51 AM.
Added description of latest def. files...

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/5cg8nh
September 15, 2008 - "...Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-FI networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords* is all it takes to freely connect to unsecured Wi-FI networks. Especially since most Wi-Fi routers use default security settings that come pre-installed by the vendor rather than it having being configured by the end user. SOHO routers log every connection and DHCP lease but these logs are flushed once the router is rebooted. If an attacker has access to the administrative console of the router (thanks to the default password), once their nefarious actives have been carried out, a simple restart of the router will erase all tracks. The extent to which an unsecured Wi-Fi connection can be abused is purely left to imagination of the attacker..."
* http://www.routerpasswords.com/

[AplusWebMaster]

FYI...

- http://voices.washin...wireless_a.html
September 26, 2008 - "...Why is changing the default settings on wireless access point a big deal? Because there are plenty of Web sites that list the default user names and passwords built into every brand of router out there... For instance, if I were looking for an exposed wireless network, I'd probably start by searching the local zip code for the default SSID assigned to many popular routers. After all, these would most likely be the networks powered by users who yanked their shiny new routers straight out of the box and plugged them right into the user's modem without modifying a thing..."
* http://wigle.net/gps.../main/ssidstats

[AplusWebMaster]

FYI...

How to Protect Your Wi-Fi Network from the WPA Hack
- http://lifehacker.co...om-the-wpa-hack
Nov 7 2008 - "... a PhD candidate studying encryption has found an exploit in the WPA standard that would allow a hacker to "send bogus data to an unsuspecting WiFi client," completely compromising your Wi-Fi security and opening your network to all sorts of hacking. Lucky for you, it's not terribly difficult to protect yourself against the new exploit.
The key: Just log into your router, switch off Temporal Key Integrity Protocol (TKIP) as an encryption mode, and use Advanced Encryption System (AES) only. TKIP is the only protocol that the hack applies to, so switching to AES-only will ensure that your Wi-Fi network is safe again. It's quick and easy, so do yourself a favor and make the adjustment now so you don't run into any problems in the future."

- http://web.nvd.nist....d=CVE-2008-5230
Last revised: 12/03/2008

- http://www.cisco.com...6.html#response
"... the use of WPA2 with AES is recommended whenever possible..."

Edited by AplusWebMaster, 16 October 2010 - 12:56 PM.

[AplusWebMaster]

FYI...

Router-based botnet...

- http://isc.sans.org/...ml?storyid=6061
Last Updated: 2009-03-24 13:13:59 UTC - "...document (pdf - dated January 11th, 2009) by Terry Baume* goes into detail about how a specific brand of DSL Modem (Netcomm NB5) can be compromised with malicious code that turns the device into a IRC based Bot - named PSYB0T 2.5L. While discovered several months ago, some recent entries on the DroneBL blog that (among further detail into "PSYB0T") state "We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure...". It certainly appears that PSYB0T may be alive and kicking! Some further insight into the possibility that this Bot is still evolving (Now Version 2.9L, 3 months later) has been presented on the TeamFurry blog**..."
* http://www.adam.com.au/bogaurd/
** http://www.teamfurry...ps-cpu-devices/

- http://www.dronebl.org/blog/8
"You are only vulnerable if:
• Your device is a mipsel device.
• Your device has telnet, SSH or web-based interfaces available to the WAN
• Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
As such, 90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise)... Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT. If the above criteria is not met, then the device is NOT vulnerable.

How can I tell if I have been infected?
Ports 22, 23 and 80 are blocked as part of the infection process (but NOT as part of the rootkit itself, running the rootkit itself will not alter your iptables configuration). If these ports are blocked, you should perform a hard reset on your device, change the administrative passwords, and update to the latest firmware. These steps will remove the rootkit and ensure that your device is not reinfected...
Mar-24-2009 ...botnet itself is still active..."

- http://www.theregist...etworking_worm/
24 March 2009

- http://www.eset.com/...ter/blog/?p=810
March 23, 2009 - "...targets routers and DSL modems..."

Edited by AplusWebMaster, 24 March 2009 - 08:24 AM.
Added ISC and ESET links...

[AplusWebMaster]

FYI...

DD-WRT vuln...
- http://isc.sans.org/...ml?storyid=6853
Last Updated: 2009-07-22 20:43:54 UTC - "... new vulnerability in DD-WRT that was being reported in the Register at:
http://www.theregist...rt_router_vuln/ .
DD-WRT runs on routers by Linksys, D-Link Buffalo, ASUS and well as other routers. The complete list can be found at:
http://www.dd-wrt.co...pported_Devices
This vulnerability will allow an attacker to run programs with root priviledges on a vulnerable router. More information can be found on the DD-WRT Forum at:
http://www.dd-wrt.co...p...asc&start=0 "

[AplusWebMaster]

FYI...

SMC router vuln - unpatched
- http://www.wired.com...e-warner-cable/
October 20, 2009 - "A vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the internet, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue. Time Warner acknowledged the problem to Threat Level on Tuesday, and says it’s in the process of testing replacement firmware code from the router manufacturer, which it plans to push out to customers soon... The vulnerability lies with Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The device is one of several options Time Warner offers to customers who don’t want to install their own modem and router to use with the company’s broadband service..."

- http://www.f-secure....s/00001799.html
October 23, 2009

Edited by AplusWebMaster, 23 October 2009 - 06:40 PM.

[AplusWebMaster]

FYI...

2wire Gateway router/modem - update available
- http://web.nvd.nist....d=CVE-2009-3962
Last revised: 11/18/2009 - "The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, 2071, 2700HG, and 2701HG-T with software before 5.29.52 allows remote attackers to cause a denial of service (reboot)...
CVSS v2 Base Score: 7.8 (HIGH) ...

- http://webvuln.com/a....of.service.txt
Solution Status: Vendor issued firmware patches; Providers are in charge of applying the patches...
WORKAROUND: Disable Remote Management in Firewall -> Advanced Settings...

- http://www.us-cert.g...9-327.html#high
November 23, 2009

[AplusWebMaster]

FYI...

DSL modem-router botnet...
- http://blog.trendmic...f-chuck-norris/
Mar. 1, 2010 - "... Dubbed the “Chuck Norris botnet,” based on the Italian comment in its source code, in nome di Chuck Norris (translation: “in the name of Chuck Norris”), this botnet infects vulnerable DSL modems and routers to spread a worm Trend Micro detects as WORM_IRCBOT.ABJ. This worm tries to gain access to a target router by guessing the router’s configuration password using brute force. It may also spread via shared networks by exploiting a known Microsoft vulnerability, MS03-039 Buffer Overrun in RPCSS Service. The worm’s routines make users who are connected to the same network or router at risk of being infected. This worm also has backdoor capabilities that allows attackers to execute remote command on affected systems, which include downloading and executing other malware and launching denial-of-service (DOS) attacks against other systems. Ultimately, its main goal is still to gain profit from unknowing users by stealing personally identifiable information (PII) and credentials to access certain websites, particularly online banking sites. Its infection routine via router may be unusual for most bots of its kind, which usually infects computers. But it is not the first time that bots have used modems and routers as a propagation platform. Trend Micro has, in fact, reported such attacks in the past in relation to other threat families such as ZLOB, RBOT, and QHOST..."

[AplusWebMaster]

FYI...

Wi-Fi hacked in seconds ...
- http://blog.cpp.co.u...networks-safely
14 Oct 2010 - "... Using only a laptop and widely available software, our ethical hacker demonstrated how vulnerable we are to Wi-jacking because of non-existent or inadequate online security. Having gained access to your personal details hackers can ‘cloak’ criminal activities such as purchasing illegal pornography or selling on stolen goods. It also allows them to view your private transactions over the network, accessing passwords and usernames which can then be used to impersonate you and commit identity fraud and other illegal activity in your name.
Key findings from the report:
• We found that nearly a quarter of private wireless networks have no password whatsoever attached, making them immediately accessible to criminals
• Hackers were able to ‘harvest’ usernames and passwords from unsuspecting people using public networks at a rate of more than 350 an hour, sitting in town-centre coffee shops and restaurants.
• More than 200 people unsuspectingly logged onto a fake Wi-Fi network over the course of an hour, putting themselves at risk from fraudsters who could harvest their personal and financial information.
Steps and ways to protect yourself..."
(More detail at the URL above.)

> http://www.cpp.co.uk...open-to-attack/

- http://news.cnet.com...021188-245.html
November 1, 2010 - "Chances are you don't leave your front door unlocked. And you shouldn't leave your Wi-Fi network unsecured either. Many of you may have heard this before, but many still seem to not be doing anything about it. You should. Here's why. With a $50 wireless antenna and the right software a criminal hacker located outside your building as far as a mile away can capture passwords, e-mail messages, and any other data being transmitted over your network, and even decrypt data that is supposedly protected..."

Edited by AplusWebMaster, 02 November 2010 - 04:44 AM.

[AplusWebMaster]

FYI...

Wardrivers hit SMBs...
- https://www.computer...mall_businesses
April 22, 2011 - "Seattle police are investigating a group of criminals who they say have been cruising around town in a black Mercedes stealing credit card data by tapping into wireless networks belonging to area businesses. The group has been at it for about five years, according to an affidavit signed by Detective Chris Hansen, a fraud investigator with the Seattle Police Department... looking for companies using an unsecure Wi-Fi standard called Wired Equivalent Privacy (WEP). WEP has well-documented security flaws and has been considered for years to be unsecure, but was widely used in routers built between about 2000 and 2005. Many consumers and small businesses still use it... Wardrivers typically use long-range antennas connected to laptops to compile lists and locations of wireless networks, driving from street to street and logging the Wi-Fi activity that they find... In its annual Data Breach Investigations Report earlier this week, Verizon said criminals are increasingly hitting smaller businesses as it becomes harder to steal financial data from big companies... The gang is thought to have stolen more than $750,000 worth of items, according to the Seattle Post Intelligencer*, which first reported the story."
* http://www.seattlepi...ted-1344185.php

[AplusWebMaster]

FYI...

Tools bypass Wireless router security...
- https://krebsonsecur...outer-security/
December 29, 2011 - "... At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses... Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption. Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router. But according to new research, routers with WPS are vulnerable to a very basic hacking technique: The brute-force attack. Put simply, an attacker can simply try thousands of combinations in rapid succession until he happens on the correct 8-digit PIN that allows authentication to the device... if your router has a “WPS PIN” notation on its backside, then it shipped with this WPS feature built-in."
> http://www.kb.cert.org/vuls/id/723755
Last Updated: 2011-12-27 - "... Workarounds: Disable WPS... best practices also recommend only using WPA2 encryption with a strong password, disabling UPnP, and enabling MAC address filtering so only trusted computers and devices can connect to the wireless network."
___

- https://isc.sans.edu...l?storyid=12292
Last Updated: 2011-12-30 03:19:11 UTC - "... Disable WPS..."
___

• Linksys WPA2 setup: http://www6.nohold.n...onverted=0#WPA2
• D-Link WPA2 setup: http://support.dlink...sp?prod_id=1506
• Netgear WPA2 setup: http://kb.netgear.co...detail/a_id/112
• Belkin WPA2 setup: http://en-us-support.....vM01qSjhSTWs=

Edited by AplusWebMaster, 31 December 2011 - 08:35 AM.

[Doug]

Thanks for posting AplusWebMaster

I had already read the article from Kreb's, and am perplexed because there does not seem to be a solution for most routers as yet.

Even though this would have to be a local attack, it is still a huge vulnerablility which exposes most home computer networks and most small business networks.