Old 18th Jun 2008, 11:33   #1
CardJoe
Player Character
bit-tech Staff
 
Join Date: Apr 2007
Posts: 7,940
Trojan modifies routers' DNS

http://www.bit-tech.net/news/2008/06...-routers-dns/1

SecureComputing has reported a new variant of the DNSChanger trojan, a nasty bug which attempts to reconfigure your broadband router to point at compromised DNS servers.

Old 18th Jun 2008, 11:47   #2
Amon
inch-perfect
 
Join Date: Jun 2007
Location: cannoning into the reds, Toronto, Canada
Posts: 2,456
Clearly, this is a problem for those with shite routers.
__________________
**Defunct** Socket 939 San Diego 4000+::2GB PC3200::Radeon 9600 SE 128MB::200GB HDD::24" Dell 2407WFP-HC::WinXP x64/x86 dual boot
Dell Vostro 1500 laptop::Socket P Merom T7100::2GB PC5400::Go 8600m GT 256MB::660GB HDD::15.4" WXGA+, 24" Dell 2407WFP-HC::WinXP::Fanatec 911 Wheel+Pedals
Old 18th Jun 2008, 11:54   #3
Glider
/dev/null
 
Join Date: Aug 2005
Location: Belgium
Posts: 4,102
Or real insecure setups
__________________
There Are 10 Types Of People, Those Who Know Binary and Those Who Don't
Old 18th Jun 2008, 12:18   #4
taliban_raider
Just some guy; you know
 
Join Date: Feb 2003
Location: Brisbane, Australia
Posts: 773
or
Admin
Admin
Old 18th Jun 2008, 13:11   #5
liratheal
Just got a great book on tape
 
Join Date: Nov 2005
Location: High Wycombe, UK
Posts: 3,551
What are factory defaults?

=P
__________________
Gigabyte MA790FX, X4 9950 Black Edition, 8gb Geil Black Dragon, 2x4870 512mb, Antec TruePower Quattro 850w

I game, Do you?
Old 18th Jun 2008, 13:41   #6
proxess
Victim of AdvancedModernCapitalism
 
Join Date: Nov 2006
Location: The town of Love, Funchal
Posts: 597
DD-WRT <3
__________________
Netbook: Asus eeePC 901; 12Gb SDD; Custom Ubuntu 9.04 Minimal Compiz Standalone.
Laptop: Intel Centrino Duo T5500 1.66ghz; 2048mb RAM; ATI Mobility Radeon x2300; Hitachi 120gb iPod Classic 120GB; Maxtor 160GB External; Ubuntu 9.10 x64 and Windows 7 x64.
Old 18th Jun 2008, 13:46   #7
DXR_13KE
Madeira's banana is the best!!!
 
Join Date: Sep 2005
Location: Madeira ; Portugal
Posts: 6,461
Quote:
Originally Posted by proxess
DD-WRT <3
still vulnerable if you are an idiot and leave it as admin admin or something daft like that....
__________________
Renegade X - 0.40 Release! <---- CLICK!
Old 18th Jun 2008, 14:08   #8
Bluephoenix
Spoon? What spoon?
 
Join Date: Dec 2006
Location: Daytona Beach, FL
Posts: 936
These have actually been used on larger targets for much longer, since some corporations insist on not using customized settings in favour of shorter deployment time.

It's interesting, though, that it's now being used for standard phishing scams rather than corporate espionage.
Old 18th Jun 2008, 14:39   #9
Firehed
Why not? I own a domain to match.
 
Join Date: Feb 2004
Location: An hour north of Boston
Posts: 12,576
Quote:
Originally Posted by Amon
Clearly, this is a problem for those with shite routers.
No, it's a problem for those with shite habits (one of which being leaving the router password as default, and of course doing stupid things that get you trojans in the first place). There's no need for AV software if you don't act like a tool on your computer, no matter what OS you're using. Not so much for firewalls, but that's a separate issue.
__________________
hire me @ eric-stern.com - web developer and php ninja
pics @ my smugmug :: Twitter @firehed :: blog @ firehed.net
40D|580EXII|285HV|AB800|70-200f/4LIS|17-50f/2.8|150f/2.8Macro|50f/1.8
MacPro @ 8x2.8GHz, 10GB FBDDR2, 3TB HD :: MBP @ 2x2.2GHz, 4GB DDR2, 320GB HD
Old 18th Jun 2008, 15:12   #10
DannyDirect
Banned
 
Join Date: Apr 2008
Posts: 21
This is why I have memorized a 12-character password which consists of totally random numbers, caps and letters. Even then, my router makes use of technologies to make it virtually invisible apart from the computer IPs which I assign to it.
Nothing is ever 100% secure; however, if you just take your time to actually set up your router and network properly, with the relevant security measures taken, then it shouldn't be a problem.
Old 18th Jun 2008, 15:35   #11
-EVRE-
Supermodder
 
Join Date: May 2004
Location: Idaho U.S.A
Posts: 343
I thought a router wouldn't respond to a login attempt from the WAN side, only the LAN side...?
__________________
(Phenom II 940)(Foxcon A7DA)(8gb OCZ DDR2 800 )(8800gt aka hair dryer)(Big yellow case, CPU, GPU)(Enermax Liberty 500w)(lite-on DVD-RW w/LightScribe)(Seagate 300gb sata)(Seagate 320gb x2)(WD 200gb)(Dell 3007WFP 30"LCD, 19" Samsung, Acer 1280x720 projector)
Old 18th Jun 2008, 15:44   #12
plagio
Multimodder
 
Join Date: May 2004
Location: Rome, Italy
Posts: 140
Quote:
Originally Posted by -EVRE-
I thought a router wouldn't respond to a login attempt from the WAN side, only the LAN side...?
Yeah, me too. Maybe this trojan first has to enter your PC.
Old 18th Jun 2008, 15:50   #13
Gareth Halfacree
WIIGII!
 
Join Date: Dec 2007
Location: Bradford, UK
Posts: 433
Quote:
Originally Posted by plagio
Yeah, me too. Maybe this trojan first has to enter your PC.
Bingo. It infects Windows PCs, then attacks whatever IP is assigned as the default gateway.
__________________
gareth.halfacree.co.uk | twitter!
bit-tech news correspondent
Old 18th Jun 2008, 17:41   #14
mclean007
Officious Bystander
 
Join Date: May 2003
Location: Nodnol
Posts: 1,595
I'm sorry to admit it, but I'm actually quite impressed by the devious ingenuity of this. Not that there's any excuse for this sort of thing mind.

The clever part is that most people don't ever check their router's settings unless their internet connection disappears. This attack very effectively puts a man in the middle for every computer in the network, which can get there by infecting a single machine with a Trojan and which remains there even if the Trojan is removed or if the whole computer is removed.
__________________
Demand Naked DSL in the UK!
Old 18th Jun 2008, 20:12   #15
chrisb2e9
Dont do that...
 
Join Date: Jun 2007
Location: Alberta, Canada
Posts: 3,068
So it infects your PC and then goes after the router, so if I run something like AVG I'm safe, right?
But that would have to be on every PC on the network, and if someone comes over to my house and I let them on my network and they have the trojan, then I'm in danger?
Right?
Or did I miss something?
Once a router gets affected by this, how would you know about it and how would you fix it?
__________________
attack life, it's going to kill you anyway.
Long-term relationships are like urban tomatoes: they only grow under special conditions. - Prestidigitweeze
Don't hold on to the reigns once you've fallen off the horse, your just going to get dragged to death - SNiiPE_DoGG
Old 18th Jun 2008, 20:22   #16
Tomm
I also ride trials :¬)
 
Join Date: Apr 2004
Location: Fallowfield, Manchester
Posts: 2,233
It is somewhat worrying that my PC (albeit via Firefox which is largely bulletproof) knows the passwords to my router login anyway... A 12 digit random password is no use if it's stored on your (infected) PC!
__________________
Carrot cake cheesecake
Shuttle SN85G4V2 | A64 3200+ / Apple PowerBook 12
Old 18th Jun 2008, 22:38   #17
Redbeaver
Hypermodder
 
Join Date: Feb 2006
Location: Ontario, CANADA
Posts: 718
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by plagio
Yeah, me too. Maybe this trojan first has to enter your PC.
Bingo. It infects Windows PCs, then attacks whatever IP is assigned as the default gateway.
Not necessarily. Some routers by default provide admin access from the WAN as well, or have the remote-management firewall turned on by default, or even zero firewall policies. And to top it off, there are ways to spoof your way into the router by confusing WAN and LAN.

Oh, there are ways.

Quote:
Originally Posted by taliban_raider
or
Admin
Admin
Gotta love this one.

or admin - 1234
or admin - smc1234
or admin - [blank]
or administrator - [blank]

The list goes on and on...
__________________
Monita DFI NF4 Expert - X2 3800+ 2.925Ghz - 2x1Gb OCZ Gold XTC DDR500 - 2x eVGA 7900GT SLI - 2x80Gb Seagate 7200.9 [RAID-0 4k] - Enermax Liberty 500 - Vista Ultimate x86 - Silverstone Kublai [Modded]
Keisha DFI BloodIron P35 - Q6600 3.6Ghz - 4x1Gb OCZ Gold XTC2 DDR2-800 - eVGA 8800GTS 640MB - 2x80Gb Seagate 7200.9 [RAID-0 4k] - OCZ GameXstream 700 - Vista Ultimate x86 - Silverstone TJ-06 [Modded]
www.pecelayam.com
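The attack path the thread has pieced together (malware on a LAN host logs into the default gateway's admin page with admin/admin, admin/1234 and the rest of the list above, then rewrites the DNS settings) is just as easy to run as a self-audit against your own router. The script below is an added example, not code from the thread, from bit-tech or from the trojan. It assumes the admin interface uses HTTP Basic Auth (common on routers of that era; a form-based login needs a POST to the login page instead) and, so that it runs offline, starts a tiny stand-in "router" on loopback that accepts admin/admin. To check a real device you own, point `audit_gateway` at `http://<your default gateway IP>/`.

```python
"""Default-credential audit of a LAN gateway's HTTP admin interface.

Added example. Tries the default user/password pairs quoted in the thread
against an admin page protected by HTTP Basic Auth and reports which ones
the device accepts. Only run it against a router you own or administer.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# The factory pairs listed in the thread: admin/admin, admin/1234,
# admin/smc1234, admin/<blank>, administrator/<blank>.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", "smc1234"),
    ("admin", ""),
    ("administrator", ""),
]


def try_login(url, user, password, timeout=3):
    """True if the page at url accepts user:password via HTTP Basic Auth.

    401/403 means rejected; a connection failure is treated as rejected too,
    so a router that simply does not answer is not reported as weak.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise
    except URLError:
        return False


def audit_gateway(url, credentials=DEFAULT_CREDENTIALS):
    """Return every default pair the gateway accepts (empty list = none)."""
    return [(u, p) for u, p in credentials if try_login(url, u, p)]


# --- Stand-in gateway so the example runs offline (constructed, not a real device)
class _FakeRouterHandler(BaseHTTPRequestHandler):
    # Models a router left on factory defaults: admin / admin.
    ACCEPTED = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>Router setup</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_router():
    """Start the stand-in on a free loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _FakeRouterHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/"


if __name__ == "__main__":
    target = start_fake_router()  # real use: "http://192.168.1.1/" or whatever your gateway is
    weak = audit_gateway(target)
    print("accepted default credentials:", weak or "none")
```

An empty result only says the device rejects these particular pairs over Basic Auth; it says nothing about remote management being reachable from the WAN, which the thread also raises, and that is a separate check against the WAN address.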
Old 18th Jun 2008, 22:42   #18
Redbeaver
Hypermodder
 
Join Date: Feb 2006
Location: Ontario, CANADA
Posts: 718
Quote:
Originally Posted by chrisb2e9
So it infects your PC and then goes after the router, so if I run something like AVG I'm safe, right?
But that would have to be on every PC on the network, and if someone comes over to my house and I let them on my network and they have the trojan, then I'm in danger?
Right?
Or did I miss something?
Once a router gets affected by this, how would you know about it and how would you fix it?
Well, once it successfully infects your router, it couldn't care less if there's a trojan on any computer in the network.

Once the router's whacked, anything under the router's network will get some really bad domain name redirection.

How would you know about it? Tough. I recommend just resetting your router to factory defaults and/or updating/refreshing its firmware, THEN locking it down, such as giving it a tough password and turning off remote access from the WAN and stuff...

Edit: actually, the TrustedSource link there gives a couple of good examples of how to test whether you're infected or not.
__________________
Monita DFI NF4 Expert - X2 3800+ 2.925Ghz - 2x1Gb OCZ Gold XTC DDR500 - 2x eVGA 7900GT SLI - 2x80Gb Seagate 7200.9 [RAID-0 4k] - Enermax Liberty 500 - Vista Ultimate x86 - Silverstone Kublai [Modded]
Keisha DFI BloodIron P35 - Q6600 3.6Ghz - 4x1Gb OCZ Gold XTC2 DDR2-800 - eVGA 8800GTS 640MB - 2x80Gb Seagate 7200.9 [RAID-0 4k] - OCZ GameXstream 700 - Vista Ultimate x86 - Silverstone TJ-06 [Modded]
www.pecelayam.com
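Redbeaver's "how would you know about it?" has a cheap partial answer from the client side: the resolvers your PC receives from the router over DHCP are listed under "DNS Servers" in `ipconfig /all`, and a router whose DNS settings have been rewritten hands out an address you never configured. The script below is an added example, not from the thread or the TrustedSource write-up. The `ipconfig` text and the known-good resolver list are constructed placeholders (documentation-range addresses stand in for the ISP's and the attacker's servers); the baseline is assumed to be something you recorded when you set the router up, so substitute the resolvers you actually expect.

```python
"""Flag DNS servers that a (possibly hijacked) router is handing out via DHCP.

Added example. Parses `ipconfig /all` output from a Windows client (first
adapter only) and reports every resolver that is neither the gateway nor on
your recorded baseline, noting whether it even lives on your own LAN.
"""
import ipaddress
import re

# Constructed `ipconfig /all` excerpt: the gateway (192.168.1.1) now also
# hands out a second resolver the owner never configured. 203.0.113.66 is a
# documentation-range placeholder standing in for an attacker-run server.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.66
"""

# Baseline you expect the router to hand out: itself (forwarding to the ISP)
# and/or the ISP's resolvers. Placeholder values; record your own at setup.
KNOWN_GOOD_DNS = {"192.168.1.1", "198.51.100.10", "198.51.100.11"}


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _field(text, name):
    """Value of a single-valued ipconfig field such as 'Default Gateway';
    trailing annotations like '(Preferred)' are dropped."""
    m = re.search(rf"^\s*{re.escape(name)}[ .]*: (\S+)", text, re.M)
    return m.group(1).split("(")[0] if m else None


def parse_dns_servers(text):
    """All addresses under 'DNS Servers'. Extra resolvers appear on
    continuation lines that carry only an indented address."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        m = re.match(r"\s+(\S+)\s*$", line) if in_dns else None
        if m and _is_ip(m.group(1)):
            servers.append(m.group(1))
        else:
            in_dns = False
    return servers


def parse_ipconfig(text):
    """Return {'gateway': str, 'lan': ip_network, 'dns': [str]} for the first adapter."""
    ip, mask = _field(text, "IPv4 Address"), _field(text, "Subnet Mask")
    lan = ipaddress.ip_network(f"{ip}/{mask}", strict=False) if ip and mask else None
    return {"gateway": _field(text, "Default Gateway"), "lan": lan,
            "dns": parse_dns_servers(text)}


def classify_dns(cfg, known_good=KNOWN_GOOD_DNS):
    """Verdict per resolver. A hijacked router points clients at servers the
    attacker runs out on the Internet, so an unexpected address outside the
    LAN is the strong signal; an unexpected LAN address is odd but may just
    be a local resolver you forgot about."""
    verdicts = {}
    for d in cfg["dns"]:
        if d == cfg["gateway"] or d in known_good:
            verdicts[d] = "expected"
        elif cfg["lan"] is not None and ipaddress.ip_address(d) in cfg["lan"]:
            verdicts[d] = "unexpected (on your LAN)"
        else:
            verdicts[d] = "unexpected (outside your LAN)"
    return verdicts


def suspicious_dns(cfg, known_good=KNOWN_GOOD_DNS):
    """Only the resolvers that do not match the baseline."""
    return [d for d, v in classify_dns(cfg, known_good).items() if v != "expected"]


if __name__ == "__main__":
    # Real use: text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    for server, verdict in classify_dns(cfg).items():
        print(f"{server:>16}  {verdict}")
```

This catches the case the thread describes (the router's DHCP now advertises a foreign resolver) but not a router that keeps advertising itself while forwarding queries to the attacker upstream; for that you have to log into the router and read its WAN DNS settings, or resolve a known name through the gateway and compare the answer with one from a resolver you trust.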
Old 18th Jun 2008, 23:48   #19
Amon
inch-perfect
 
Join Date: Jun 2007
Location: cannoning into the reds, Toronto, Canada
Posts: 2,456
My router password isn't even English.
__________________
**Defunct** Socket 939 San Diego 4000+::2GB PC3200::Radeon 9600 SE 128MB::200GB HDD::24" Dell 2407WFP-HC::WinXP x64/x86 dual boot
Dell Vostro 1500 laptop::Socket P Merom T7100::2GB PC5400::Go 8600m GT 256MB::660GB HDD::15.4" WXGA+, 24" Dell 2407WFP-HC::WinXP::Fanatec 911 Wheel+Pedals
Old 19th Jun 2008, 01:01   #20
Veles
DUR HUR
 
Join Date: Nov 2005
Location: Bristol, UK
Posts: 5,676
Wow, I just realised my router doesn't even have a login screen thingy
__________________
Veles on: Xbox Live (My Halo stats), Steam Community, Twitter

Quote:
Originally Posted by Fod
spam gangsters might as well tap into all those machines for their zombie networks.