13 replies to this topic

[LDTate]

routers & malware

Posted at MRU by ChrisRLG
http://blog.washingt...s_wirele_1.html

According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first.

DO NOT leave the default username and password as is, change them.

[Doug]

Good Tip, LDTate. Most owner/users don't bother with making the change... but they really should. And many that do, forget what username and password they set. If you've forgotten, you can "start over" by using the "reset" button/paper clip hole. Doug

[DaChew]

So the DNS changer is just making a user change in the settings? and a reset will fix that?

Edited by DaChew, 13 June 2008 - 12:41 PM.

[Abydos]

So the DNS changer is just making a user change in the settings? and a reset will fix that?

You still have to aware of the Trojan and remove it. Or it will just change the settings again within minutes.

[AplusWebMaster]

FYI...

- http://www.trustedso...ks-into-routers
June 13, 2008 - "...behavior is entirely controlled by the attackers’ DNS servers. These could even redirect existing domain names to servers hosting crafted content (Phishing) or servers dynamically modifying real content. Once your DNS settings are under control, the bad possibilities are nearly unlimited. And, even clean machines are affected once a previous infection on just one client behind the shared router successfully cracked the router login..."

[Noobie07]

Wait so...how do you set a password for the Wireless Router? Is that possible??? I'm confused here...

[AplusWebMaster]

-3- Common home router vendors (pwd change info):

* Linksys:
- http://linksys.custh...hp?p_faqid=3976

* D-Link:
- http://support.dlink...sp?prod_id=1997

* NetGear:
- http://kbserver.netg...les/N100651.asp

.

[BuckS]

So how do you check / figure out that your settings have been changed or if your router has been compromised? That's one small detail that they didn't mention. I wouldn't know the difference between the "correct" DNS setting (or where to check them) and "malware created DNS settings". If most AV/AM software misses this how can you know if you've been affected?

[AplusWebMaster]

If the DNS setting is blank, you are using the DNS servers from your ISP - depending on who/what that is, this can be a dubious scenario.

However, I highly recommend giving OpenDNS a try - http://www.opendns.com/

'Lots of options there, and you'll always know what your DNS settings should be.

[Micha'El]

Makes me insist that everyone change all the defaults of their router. I have a ppt I give my clients.

[Missouri Mobile]

Also be sure to always update to the latest firmware for your router... There was a hole in one of Linksys's more popular routers that can be exploited if firmware was not upgraded...

Here is some tricks you can do to turn your 60 dollar router into a 600 dollar router... remember that i offer no warranties on this and recommend you back up all your data before trying anything...

http://chris.pirillo...rmware-upgrade/

And I also believe the article above only applies to WRT54G/WRT54GL/WRT54GS and WRTSL54GS wireless routers...

Remember try this at your own risk!!!

[Lamae]

Can I ask a question refering to Routers and Malware ? When we setup our Router we never setup a password . For some reason I cannot locate any files refering to the DLink Router. Its left open for the neiborhood to use . My question is should i uninstal everything and start over or is there a way to locate missing files that even search helper shows no files.

[jeffce]

Hi and welcome!

I am not sure I understand your question completely....when you set of your router you did not change the admin/password to access the router settings themselves or you did not enable encryption for your wireless network on the router?

My question is should i uninstal everything and start over or is there a way to locate missing files that even search helper shows no files.

Start over in relation to setting up the router again or do you just need access to get into the router to enable encryption?

[Tomk]

It might help if you let us know which router you are working with.


It sounds like you are wanting to secure your router. You don't need to "start over". You just need to change your setup - though I agree that there isn't much difference.

I don't understand what files you are trying to locate... but maybe you could have a look at D-links page where they have pretty good guides. http://support.dlink.com/