bit-tech.net

Trojan modifies routers' DNS

SecureComputing's analysis of the trojan variant shows it attacks certain routers in order to change DNS server details.

If you're still running your broadband router on its default settings, now would be a very good time to change.

CNet, citing an entry on SecureComputing's TrustedSource blog made last week, has highlighted a new variant of the DNSChanger trojan designed to target routers and change the addresses used for DNS resolution.

The Domain Name System, or DNS, is the system by which plain-text names like bit-tech.net are converted to IP addresses like 91.198.165.67. A computer wishing to visit a website queries a resolver, often hosted by your ISP, which looks up these translations in order to figure out where to go. By reconfiguring the router to point at compromised servers containing poisoned DNS records, a hacker is able to cause every host on that network to think it's visiting one site when it's actually browsing one under the cracker's control. You might think you're visiting your bank's website, but it's really a phishing system run by the attacker.
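The practical question for a defender is how to notice that the resolvers a host has been handed no longer belong to the ISP, or that the answers they give disagree with a trusted resolver. The following is an added example (not code from bit-tech or SecureComputing) that audits a resolv.conf-style configuration against an operator-supplied allowlist and cross-checks a set of resolved answers against reference answers; the addresses, the trusted-resolver set and the sample configuration are all constructed for the example.

```python
"""Audit a host's DNS configuration for the pharming symptoms described above.

Added example; assumes the operator knows which resolvers are legitimate
(the router's own LAN address and the ISP's resolvers) and can obtain
answers for a few sensitive names from an independent, trusted resolver.
"""
import ipaddress
import re

# Constructed allowlist: the router itself plus two hypothetical ISP resolvers.
TRUSTED_RESOLVERS = {"192.168.1.1", "10.0.0.53", "10.0.0.54"}

# Constructed resolv.conf as a pharmed host might see it: the router is still
# listed first, but a second resolver outside the ISP's space has been added.
SAMPLE_RESOLV_CONF = """\
# generated by dhcp client (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)\s*$")


def configured_resolvers(resolv_conf_text):
    """Extract resolver addresses from resolv.conf-style text, skipping comments."""
    found = []
    for line in resolv_conf_text.splitlines():
        m = NAMESERVER_RE.match(line)
        if m:
            # ip_address() raises on garbage, which is itself worth surfacing.
            found.append(str(ipaddress.ip_address(m.group(1))))
    return found


def audit_resolvers(resolv_conf_text, trusted=TRUSTED_RESOLVERS):
    """Return {"configured": [...], "suspicious": [...]}.

    A resolver is suspicious if it is not in the operator's allowlist.
    """
    configured = configured_resolvers(resolv_conf_text)
    suspicious = [addr for addr in configured if addr not in trusted]
    return {"configured": configured, "suspicious": suspicious}


def compare_answers(observed, reference):
    """Names whose observed answer (from the configured resolver) differs from
    the answer a trusted reference resolver gave. A mismatch on a bank or
    mail domain is the signature of the redirection the article describes."""
    return sorted(name for name, ip in observed.items() if reference.get(name) != ip)


# Constructed answers: the popular site resolves normally so nothing looks
# broken, while the bank's name has been pointed at an attacker-chosen host.
OBSERVED_ANSWERS = {"bit-tech.net": "91.198.165.67", "bank.example": "198.51.100.7"}
REFERENCE_ANSWERS = {"bit-tech.net": "91.198.165.67", "bank.example": "203.0.113.10"}

if __name__ == "__main__":
    print(audit_resolvers(SAMPLE_RESOLV_CONF))
    print(compare_answers(OBSERVED_ANSWERS, REFERENCE_ANSWERS))
```

The allowlist check catches the crude case where the router simply hands out foreign resolvers; the answer comparison catches the subtler case where only a handful of names are redirected and everything else still works, which is exactly why such an infection goes unnoticed.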

The trojan accomplishes the router reconfiguration by attempting a dictionary attack on the router's management interface. Shipping with a preconfigured list of default logins for common home and office routers, the trojan attempts a login on the default gateway IP for the infected host every hundred milliseconds. Although the malware only knows about a set number of common devices – the fact that each manufacturer tends towards its own, custom-built web interface rather than an industry standard is acting in the customers' favour for a change – that's no comfort if yours is on the list, nor does it preclude the release of a future variant with a more robust list of vulnerable systems.
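A login attempt every hundred milliseconds from a single LAN host is a very loud signal if the router logs its management-interface logins. The following is an added example (not code from bit-tech or SecureComputing) of the detection logic a defender would run over such a log: it looks for a burst of failed logins from one source inside a short window and records whether a successful login followed the burst, which is the case that warrants a reset and re-lock of the router. The log format is constructed for the example; real firmware formats vary.

```python
"""Detect rapid-fire management-interface login attempts from a LAN host.

Added example; assumes the router writes one line per login attempt in the
constructed format parsed by LINE_RE below.
"""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"httpd: login (?P<result>ok|failed) user=(?P<user>\S*) from=(?P<src>\S+)$"
)

Event = namedtuple("Event", "ts result user src")

# Constructed sample: 192.168.1.23 hammers the gateway every ~100 ms and gets
# in on the tenth try; 192.168.1.40 is a person who mistyped once.
SAMPLE_LOG = """\
2008-06-18 11:47:00.100 httpd: login failed user=admin from=192.168.1.23
2008-06-18 11:47:00.200 httpd: login failed user=admin from=192.168.1.23
2008-06-18 11:47:00.300 httpd: login failed user=admin from=192.168.1.23
2008-06-18 11:47:00.400 httpd: login failed user=admin from=192.168.1.23
2008-06-18 11:47:00.500 httpd: login failed user=admin from=192.168.1.23
2008-06-18 11:47:00.600 httpd: login failed user=admin from=192.168.1.23
2008-06-18 11:47:00.700 httpd: login failed user=Admin from=192.168.1.23
2008-06-18 11:47:00.800 httpd: login failed user=administrator from=192.168.1.23
2008-06-18 11:47:00.900 httpd: login failed user=admin from=192.168.1.23
2008-06-18 11:47:01.000 httpd: login ok user=admin from=192.168.1.23
2008-06-18 11:47:05.000 httpd: login failed user=admin from=192.168.1.40
2008-06-18 11:47:12.000 httpd: login ok user=admin from=192.168.1.40
"""


def parse(log_text):
    """Yield Event tuples for lines matching the expected format; ignore others."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield Event(ts, m["result"], m["user"], m["src"])


def find_bruteforce(log_text, max_failures=5, window_seconds=2.0):
    """Return {src: summary} for each source with >= max_failures failed logins
    inside any window_seconds span. The summary records the total failures,
    the usernames tried, and whether a successful login followed the burst."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev.src].append(ev)

    alerts = {}
    for src, events in by_src.items():
        failures = [e for e in events if e.result == "failed"]
        burst_start = None
        window = deque()  # timestamps of failures inside the sliding window
        for ev in failures:
            window.append(ev.ts)
            while (ev.ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= max_failures:
                burst_start = window[0]
                break
        if burst_start is None:
            continue  # ordinary mistyped password, not a dictionary attack
        alerts[src] = {
            "failures": len(failures),
            "users": sorted({e.user for e in failures}),
            "success_after_burst": any(
                e.result == "ok" and e.ts >= burst_start for e in events
            ),
        }
    return alerts


if __name__ == "__main__":
    for src, summary in find_bruteforce(SAMPLE_LOG).items():
        print(src, summary)
```

Thresholds are deliberately loose: five failures in two seconds is far slower than the ten-per-second rate described above, so the rule still fires if a later variant throttles itself, while a human fumbling a password does not trip it.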

While it's unlikely that tech-savvy bit-tech readers will be hit by this rather nasty bug – we all run virus scanners, or operating systems immune to such nasties, right? – it's a sobering reminder that leaving network-connected devices set to their factory defaults is a rather daft thing to be doing.

Has anybody ever been hit by a drive-by trojan that attempted to fiddle with your router, or is it just something the anti-virus vendors like to talk up in order to bolster sales? Share your thoughts over in the forums.

25 Comments

Amon 18th June 2008, 11:47 Quote
Clearly, this is a problem for those with shite routers.
Glider 18th June 2008, 11:54 Quote
Or really insecure setups
taliban_raider 18th June 2008, 12:18 Quote
or
Admin
Admin
liratheal 18th June 2008, 13:11 Quote
What are factory defaults?

=P
proxess 18th June 2008, 13:41 Quote
DD-WRT <3
DXR_13KE 18th June 2008, 13:46 Quote
Quote:
Originally Posted by proxess
DD-WRT <3

still vulnerable if you are an idiot and leave it as admin admin or something daft like that....
Bluephoenix 18th June 2008, 14:08 Quote
these have actually been used on larger targets for much longer, since some corporations insist on not using customized settings in favor of shorter deployment time.

It's interesting though that it's now being used for standard phishing scams rather than corporate espionage.
Firehed 18th June 2008, 14:39 Quote
Quote:
Originally Posted by Amon
Clearly, this is a problem for those with shite routers.

No, it's a problem for those with shite habits (one of which being leaving the router password as default, and of course doing stupid things that get you trojans in the first place). There's no need for AV software if you don't act like a tool on your computer, no matter what OS you're using. Not so much for firewalls, but that's a separate issue.
DannyDirect 18th June 2008, 15:12 Quote
This is why I have memorized a 12 character password which consists of totally random numbers, caps and letters. Even then, my router makes use of technologies to make it virtually invisible apart from the computer IPs which I assign to it.
Nothing is ever 100% secure, however, if you just take your time to actually setup your router and network properly with relevant security measures taken then it shouldn't be a problem.
-EVRE- 18th June 2008, 15:35 Quote
I thought a router wouldn't respond to a login attempt from the WAN side, only the LAN side....?
plagio 18th June 2008, 15:44 Quote
Quote:
Originally Posted by -EVRE-
I thought a router wouldn't respond to a login attempt from the WAN side, only the LAN side....?

Yeah, me too. Maybe this trojan first has to enter your PC.
Gareth Halfacree 18th June 2008, 15:50 Quote
Quote:
Originally Posted by plagio
Yeah, me too. Maybe this trojan first has to enter your PC.
Bingo. It infects Windows PCs, then attacks whatever IP is assigned as the default gateway.
mclean007 18th June 2008, 17:41 Quote
I'm sorry to admit it, but I'm actually quite impressed by the devious ingenuity of this. Not that there's any excuse for this sort of thing mind.

The clever part is that most people don't ever check their router's settings unless their internet connection disappears. This attack very effectively puts a man in the middle for every computer in the network, which can get there by infecting a single machine with a Trojan and which remains there even if the Trojan is removed or if the whole computer is removed.
chrisb2e9 18th June 2008, 20:12 Quote
So it infects your PC and then goes after the router, so if I run something like AVG I'm safe, right?
but that would have to be on every pc on the network, and if someone comes over to my house and I let them on my network and they have the trojan, then I'm in danger?
right?
or did I miss something.
Once a router gets affected by this how would you know about it and how would you fix it?
Tomm 18th June 2008, 20:22 Quote
It is somewhat worrying that my PC (albeit via Firefox which is largely bulletproof) knows the passwords to my router login anyway... A 12 digit random password is no use if it's stored on your (infected) PC!
Redbeaver 18th June 2008, 22:38 Quote
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by plagio
Yeah, me too. Maybe this trojan first has to enter your PC.
Bingo. It infects Windows PCs, then attacks whatever IP is assigned as the default gateway.

not necessarily. some routers by default provide admin access from WAN as well. or remote-management firewall turned on by default. or zero firewall policies even. and to top it off, there are ways to spoof ur way into the router confusing WAN and LAN.

oh there are ways.
Quote:
Originally Posted by taliban_raider
or
Admin
Admin

gotta love this one.

or admin - 1234
or admin - smc1234
or admin - [blank]
or administrator - [blank]

list goes on and on...
Redbeaver 18th June 2008, 22:42 Quote
Quote:
Originally Posted by chrisb2e9
So it infects your PC and then goes after the router, so if I run something like AVG I'm safe, right?
but that would have to be on every pc on the network, and if someone comes over to my house and I let them on my network and they have the trojan, then I'm in danger?
right?
or did I miss something.
Once a router gets affected by this how would you know about it and how would you fix it?

well once it successfully infects ur router, it could care less if there's any trojan in any computer of the network.

once the router's whacked, anything under the router's network will get some really bad domain name redirection.

how would u kno about it? tough. i recommend just resetting ur router to factory default and/or update/refresh its firmware, THEN lock it down; such as giving it a tough password and turning off remote access from WAN n stuff...

edit: actually, the trustedsource link there gives a couple good examples on how to test if ur infected or not :)
Amon 18th June 2008, 23:48 Quote
My router password isn't even English.
Veles 19th June 2008, 01:01 Quote
Wow, I just realised my router doesn't even have a login screen thingy
Firehed 19th June 2008, 05:08 Quote
Quote:
Originally Posted by Tomm
It is somewhat worrying that my PC (albeit via Firefox which is largely bulletproof) knows the passwords to my router login anyway... A 12 digit random password is no use if it's stored on your (infected) PC!
That's assuming that the trojan knows to look for a stored password, where to look, and what it's looking for.
BurningFeetMan 19th June 2008, 05:18 Quote
My myspace account was hijacked once. I lol'd.

Viruses and Trojans aren't the end of the world, they're just a friendly reminder that it's time to format.
webarchitect 19th June 2008, 05:52 Quote
Well lots of trojans can do nasty things to a person's PC. A good anti-virus or trojan remover/checker can probably detect it before it can change the router settings. Plus, stop downloading programs from untrusted sites.
Amon 19th June 2008, 05:59 Quote
Quote:
Originally Posted by BurningFeetMan
My myspace account was hijacked once. I lol'd.

Viruses and Trojans aren't the end of the world, they're just a friendly reminder that it's time to format.
They're usually late warning signs of utterly piss-poor Internet surfing habits. It's not like trojans just suddenly penetrate your PC randomly from the cloud of the Net.
PhenomRed 19th June 2008, 11:59 Quote
Quote:
Originally Posted by taliban_raider
or
Admin
Admin

uh oh...

lol, that used to be on our old router, cause I was too lazy to change it. It's changed on the new router though
pg13 22nd June 2008, 20:00 Quote
I got hit by this virus. It was not noticeable, as most of the web remained the same. I noticed it when I tried to download Firefox 3 in French and was given a French university link in China and then in Brazil. I went into my modem and saw that my secondary DNS did not look like the primary DNS.

I got it trying out a link such as this one : http://emes.com.br/index.php sent in an email pretending to offer a sexy video (such as liv tyler naked).

I was testing my own security and got screwed. My pc wasn't attacked, my router was. There is a great article on how, published by Symantec, under the key words DNS pharming.