SecureComputing's analysis of the trojan variant shows it attacks certain routers in order to change DNS server details.
If you're still running your broadband router on its default settings, now would be a very good time to change.
CNet, citing an entry on SecureComputing's TrustedSource blog made last week, has highlighted a new variant of the DNSChanger trojan designed to target routers and change the addresses used for DNS resolution.
The Domain Name Service, or DNS, is the system by which plain-text names like bit-tech.net are converted to IP addresses like 91.198.165.67. A computer wishing to visit a website queries a central server, often hosted by your ISP, which contains a massive database of these translations in order to figure out where to go. By reconfiguring the router to point at compromised servers containing poisoned DNS records, a hacker is able to cause every host on that network to think it's visiting one site when it's actually browsing one under the cracker's control. You might think you're visiting your bank's website, but it's really a phishing system run by the attacker.
The trojan accomplishes the router reconfiguration by attempting a dictionary attack on the router's management interface. Shipping with a preconfigured list of default logins for common home and office routers, the trojan attempts a login on the default gateway IP for the infected host every hundred milliseconds. Although the malware only knows about a set number of common devices – the fact that each manufacturer tends towards its own, custom-built web interface rather than an industry standard is acting in the customers' favour for a change – that's no comfort if yours is on the list, nor does it preclude the release of a future variant with a more robust list of vulnerable systems.
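The behaviour described above leaves two traces a router owner can look for: a rapid run of failed management logins from one LAN host, and the router's resolver addresses being changed to something other than the ISP's. The following is an added example (not from the article, SecureComputing or any router vendor) that checks a constructed syslog-style excerpt for both; the log format and the EXPECTED_DNS allowlist are assumptions and must be adapted to your own router's log output.

```python
import re
from datetime import datetime
# Constructed router syslog excerpt (not output of any real firmware): failed
# admin logins ~100 ms apart from one LAN host, a success, then the resolvers
# being rewritten; the 10:30 line is a normal login from the owner's PC.
SAMPLE_LOG = """\
2008-12-15T10:00:00.000 login failed user=admin from 192.168.1.23
2008-12-15T10:00:00.100 login failed user=admin from 192.168.1.23
2008-12-15T10:00:00.200 login failed user=admin from 192.168.1.23
2008-12-15T10:00:00.300 login failed user=administrator from 192.168.1.23
2008-12-15T10:00:00.400 login failed user=admin from 192.168.1.23
2008-12-15T10:00:00.500 login ok user=admin from 192.168.1.23
2008-12-15T10:00:00.900 dns servers set to 203.0.113.10, 203.0.113.11
2008-12-15T10:30:00.000 login ok user=admin from 192.168.1.5
"""
# Resolvers the router should hand out (assumed: your ISP's or your own).
EXPECTED_DNS = {"198.51.100.53", "198.51.100.54"}
FAIL_RE = re.compile(r"^login failed user=\S+ from (?P<src>[\d.]+)$")
DNS_RE = re.compile(r"^dns servers set to (?P<servers>.+)$")

def parse_log(text):
    """Return [(timestamp, message)] for each 'ISO-timestamp message' line."""
    return [(datetime.fromisoformat(ts), msg)
            for ts, msg in (line.split(" ", 1) for line in text.splitlines() if " " in line)]

def login_bursts(events, max_gap_ms=250, min_attempts=4):
    """Map LAN host -> longest run of failed logins spaced <= max_gap_ms apart,
    keeping runs of min_attempts+; humans retry over seconds, the trojan every 100 ms."""
    fails = {}
    for ts, msg in events:
        m = FAIL_RE.match(msg)
        if m:
            fails.setdefault(m["src"], []).append(ts)
    flagged = {}
    for src, times in fails.items():
        run = best = 1
        for a, b in zip(times, times[1:]):
            run = run + 1 if (b - a).total_seconds() * 1000 <= max_gap_ms else 1
            best = max(best, run)
        if best >= min_attempts:
            flagged[src] = best
    return flagged

def rogue_dns(events, expected=EXPECTED_DNS):
    """Return resolver addresses written to the router that are not allowlisted."""
    rogue = set()
    for _, msg in events:
        m = DNS_RE.match(msg)
        if m:
            rogue |= {s.strip() for s in m["servers"].split(",")} - expected
    return rogue
```

On the sample, `login_bursts` reports 192.168.1.23 with a run of five attempts and `rogue_dns` reports both 203.0.113.x addresses; a hit on either is a reason to reset the router, update its firmware and set a non-default password.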
While it's unlikely that tech-savvy bit-tech readers will be hit by this rather nasty bug – we all run virus scanners, or operating systems immune to such nasties, right? – it's a sobering reminder that leaving network-connected devices set to their factory defaults is a rather daft thing to be doing.
Has anybody ever been hit by a drive-by trojan that attempted to fiddle with your router, or is it just something the anti-virus vendors like to talk up in order to bolster sales? Share your thoughts over in the forums.
Admin
Admin
=P
Still vulnerable if you are an idiot and leave it as admin admin or something daft like that....
It's interesting though that it's now being used for standard phishing scams rather than corporate espionage.
No, it's a problem for those with shite habits (one of which being leaving the router password as default, and of course doing stupid things that get you trojans in the first place). There's no need for AV software if you don't act like a tool on your computer, no matter what OS you're using. Not so much for firewalls, but that's a separate issue.
Nothing is ever 100% secure; however, if you just take your time to actually set up your router and network properly with relevant security measures taken then it shouldn't be a problem.
Yeah, me too. Maybe this trojan first has to enter your PC.
The clever part is that most people don't ever check their router's settings unless their internet connection disappears. This attack very effectively puts a man in the middle for every computer in the network, which can get there by infecting a single machine with a Trojan and which remains there even if the Trojan is removed or if the whole computer is removed.
But that would have to be on every PC on the network, and if someone comes over to my house and I let them on my network and they have the trojan, then I'm in danger?
Right?
Or did I miss something.
Once a router gets affected by this how would you know about it and how would you fix it?
Not necessarily. Some routers by default provide admin access from WAN as well, or remote-management firewall turned on by default, or zero firewall policies even. And to top it off, there are ways to spoof your way into the router, confusing WAN and LAN.
oh there are ways.
gotta love this one.
or admin - 1234
or admin - smc1234
or admin - [blank]
or administrator - [blank]
list goes on and on...
Well, once it successfully infects your router, it could care less if there's any trojan in any computer of the network.
Once the router's whacked, anything under the router's network will get some really bad domain name redirection.
How would you know about it? Tough. I recommend just resetting your router to factory default and/or updating/refreshing its firmware, THEN locking it down, such as giving it a tough password and turning off remote access from WAN and stuff...
Edit: actually, the TrustedSource link there gives a couple of good examples on how to test if you're infected or not :)
Viruses and Trojans aren't the end of the world, they're just a friendly reminder that it's time to format.
uh oh...
Lol, that used to be on our old router, because I was too lazy to change it. It's changed on the new router though.
I got it trying out a link such as this one: http://emes.com.br/index.php sent in an email pretending to offer a sexy video (such as Liv Tyler naked).
I was testing my own security and got screwed. My PC wasn't attacked, my router was. There is a great article on how, published by Symantec, under the key words DNS pharming.