How do you compromise a router?

Discussion in 'other security issues & news' started by Searching_ _ _, Dec 19, 2009.

Thread Status:
Not open for further replies.
  1. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    Pharming vulnerability at home

    If this goes undetected in many systems, will this continue to be a launch point for reinfections?
    How can you prove a router has been compromised?
    What methods are used to fix a compromised router issue?
    Last edited: Dec 19, 2009
  2. chronomatic
    Offline

    chronomatic Registered Member

    The best way is to simply avoid having it hijacked in the first place. Don't allow remote admin access, or if you do, use an ssh key and a white list of allowed IP's. This simple action will stop these attacks.

    And of course, if the router supports it, it would be wise to flash it with third party open-source firmware like Tomato or DD-WRT. Although these are not bullet proof from vulns (DD-WRT had a major one a while back), the amount of options they provide as far as security usually is more than what the limited factory firmware allows.
  3. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    Many routers may be susceptible to attack.
    How do you detect it?
    Is this theoretical or is it in use?
    http://nenolod.net/~nenolod/router-malware.pdf
  4. Dregg Heda
    Offline

    Dregg Heda Registered Member

    Very interesting!
  5. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    http://dronebl.org/blog/8
  6. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    Router malware...psyb0t
    botnet-running-on-mips-cpu-devices

    Where are MIPS?
    http://en.wikipedia.org/wiki/MIPS_architecture

    The FiOS Actiontec MI424WR
    Actiontec MI424WR Datasheet PDF
  7. Mrkvonic
    Offline

    Mrkvonic Linux Systems Expert

    It all begins by not having any malware in your local network and using a strong password for your router. And that's it, basically.

    As to all that mumb-jumbo pseudo hacking stuff, what if your router does not have telnet? And even if it does, you know telnet does not allow root by default?

    Mrk
  8. Page42
    Offline

    Page42 Registered Member

    My router password can be up to 64 characters long. I selected one that is 34 characters, upper/lower case, alpha/numeric plus assorted characters.

    Remote access is disabled also.
    How do these settings look on a Linksys?

    Attached Files:

  9. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    :shifty:
    :eek:
    http://www.wilderssecurity.com/showpost.php?p=1593370&postcount=3

    o_O
    See above. Also, other services are vulnerable, check the articles, I may not have c&p'd the info.

    :cool:
    It seems to be the major commonality in all articles to reduce it's ability to root the firmware.

    :thumb::cool::cool:
    Yeah, that's strong.

    Possibly vulnerable to psyb0t:
    A list of some devices that are Linux MIPS based.

    http://www.linux-mips.org/wiki/Realtek_SOC

    It appears that psyb0t is mips specific. Routers and modems that use ARM processors are not vulnerable to this malware sample.
    Is it only a matter of time before an ARM version that attacks routers becomes public?
    There is at least one bot for the ARM processor, ikee.b botnet affects ARM based iphones, is a worm with C&C.
    The router is our gateway to the internet. The average user is busy trying to overcome fakealert, smitfraud, popups and various other infectors.
    Most need the help of a tech to help clean their system, so a rootkit on a router would make the router the malware dropper and almost invisible to them. If the router isn't ruled out as being infected during a malware clean up process, then after, the user is a good little user, will still get reinfected or identity stolen.
  10. Mrkvonic
    Offline

    Mrkvonic Linux Systems Expert

    To get your firmware flashed, you need to execute code.
    If you don't, it don't happen ... As simple as that.
    Mrk
  11. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    You're right.
    For the firmware to get flashed, malware needs admin access on the infected router. If the malware can not guess your router password, it can not flash the firmware.
    The malware can still operate on the router though, eavesdropping, traffic logging and MITM you. This can be overcome by VPN, like what Xerobank offers.
    The only issue left is logging in to the router while it is infected and details being captured.
    What part does the browser play in this since that is the vehicle to the log in session?
  12. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    routers_potential_malware_infection

    I would like to save the present router firmware first, to preserve the traces of the malware, if it is indeed present also, but how?

    Can I do a memory dump from a running router or modem?

    Can anyone explain in more detail what Hal suggested about the setup of the devices?

    Since modems are also capable of being infected, how do I scan/sniff from the cable side with it's WTF-connector?

    If my firmware is infected and I can't upgrade the firmware through the router what can I do?
  13. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    Bits fromBill
  14. acuariano
    Offline

    acuariano Registered Member

    hey searching great post.
    now changing the default password.
    -how often?.
    -password..regular password or strong passwords?..lenght?
    -also usernames?..
  15. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    This might answer your question by consensus.
    http://www.wilderssecurity.com/showthread.php?t=248673
    I try to use 20+ on very important stuff. The router has been recently added to "very important stuff".
    I was very careless about security, not sure what I was thinking. Now I hope that no one gets pwned.

    Another article, though not new news.

    http://www.symantec.com/connect/blogs/dns-pharming-attacks-using-rogue-dhcp

    I know this malware is not designed to attack a router. DNS and DHCP are what point you every where you have to go with a computer. If that were compromised at the router, it would be a potent combination.

    hmmm...-----< Trojan router.flush.m >




  16. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    The poster believes it is possible his router is infected, but unsure because of lack of networking knowledge. His main symptom, lots of traffic when their should be little to none.

    BEFSR41 Ver 2 taken over by Malware?

    Also included is a how to set up to scan the wan and lan to diagnose if a malicious issue is occurring.
Thread Status:
Not open for further replies.