SecureComputing's analysis of the trojan variant shows it attacks certain routers in order to change DNS server details.
If you're still running your broadband router on its default settings, now would be a very good time to change.
, citing an entry on SecureComputing's TrustedSource blog
made last week, has highlighted a new variant of the DNSChanger
trojan designed to target routers and change the addresses used for DNS resolution.
The Domain Name Service, or DNS, is the system by which plain-text names like bit-tech.net are converted to IP addresses like 18.104.22.168. A computer wishing to visit a website queries a central server, often hosted by your ISP, which contains a massive database of these translations in order to figure out where to go. By reconfiguring the router to point at compromised servers containing poisoned DNS records, a hacker is able to cause every host on that network to think it's visiting one site when it's actually browsing one under the cracker's control. You might think you're visiting your bank's website, but it's really a phishing system run by the attacker.
The trojan accomplishes the router reconfiguration by attempting a dictionary attack on the router's management interface. Shipping with a preconfigured list of default logins for common home and office routers, the trojan attempts a login on the default gateway IP for the infected host every hundred milliseconds. Although the malware only knows about a set number of common devices – the fact that each manufacturer tends towards its own, custom-built web interface rather than an industry standard is acting in the customers' favour for a change – that's no comfort if yours is on the list, nor does it preclude the release of a future variant with a more robust list of vulnerable systems.
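The behaviour described above leaves a recognisable trace on the router: a burst of failed management logins from one LAN host, then a successful login, then a DNS change. The following is an added example, not code from SecureComputing or bit-tech, that looks for that sequence; the log format, event names, function name and thresholds are assumptions made for illustration, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (real routers differ):
# <ISO timestamp> <source IP> <event> <detail>
SAMPLE_LOG = """\
2024-01-01T10:00:00.000 192.168.1.23 LOGIN_FAIL user=admin
2024-01-01T10:00:00.100 192.168.1.23 LOGIN_FAIL user=admin
2024-01-01T10:00:00.200 192.168.1.23 LOGIN_FAIL user=admin
2024-01-01T10:00:00.300 192.168.1.23 LOGIN_FAIL user=admin
2024-01-01T10:00:00.400 192.168.1.23 LOGIN_FAIL user=admin
2024-01-01T10:00:00.500 192.168.1.23 LOGIN_OK user=admin
2024-01-01T10:00:00.900 192.168.1.23 CONFIG_CHANGE dns1=203.0.113.53
2024-01-01T10:05:00.000 192.168.1.10 LOGIN_FAIL user=admin
2024-01-01T10:05:09.000 192.168.1.10 LOGIN_OK user=admin
2024-01-01T10:06:00.000 192.168.1.10 CONFIG_CHANGE wifi_channel=6
"""

def find_suspects(log_text, max_fails=5, window=timedelta(seconds=2)):
    """Return {source_ip: [findings]} for hosts showing burst -> login -> DNS change."""
    recent = defaultdict(deque)    # source -> timestamps of failures inside the window
    bursting = set()               # sources that have already exceeded the threshold
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue               # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        src, event, detail = parts[1:]
        if event == "LOGIN_FAIL":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= max_fails and src not in bursting:
                bursting.add(src)
                findings[src].append("login burst")
        elif src in bursting and event == "LOGIN_OK":
            findings[src].append("login succeeded after burst")
        elif src in bursting and event == "CONFIG_CHANGE" and "dns" in detail.lower():
            findings[src].append("DNS setting changed: " + detail)
    return dict(findings)

if __name__ == "__main__":
    for src, notes in find_suspects(SAMPLE_LOG).items():
        print(src, notes)
```

A single mistyped password followed by an ordinary settings change, as from 192.168.1.10 in the sample, is not flagged.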
While it's unlikely that tech-savvy bit-tech readers will be hit by this rather nasty bug – we all run virus scanners, or operating systems immune to such nasties, right? – it's a sobering reminder that leaving network-connected devices set to their factory defaults is a rather daft thing to be doing.
Has anybody ever been hit by a drive-by trojan that attempted to fiddle with your router, or is it just something the anti-virus vendors like to talk up in order to bolster sales? Share your thoughts over in the forums.