Malware Silently Alters Wireless Router Settings

http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html

 

We've seen these ones before. I hope people change their default passwords on their router.

 

This is still malware that needs to be executed on the target machine, however. The main thing here is not to get infected in the first place, because if you do and your changed password gets stolen (by say, a keylogger) they obviously can change the settings anyway. So yes, it's bad, yes, you should change the default password, but not getting infected in the first place is mandatory to be sure that this doesn't happen. What is mostly interesting about this is story that the user should routinely check his routers settings, because there IS malware that cares about something else than just your PC...

 

Excellent post. This is what I tell my clients all the time.

 

Don't rely on changing passwords on your router. I've got a WRT54G and as people have proberly seen a POC on bypassing the admin credentials for it. What you want to look at is forcing the router to have a static internal ip other than 192.169.1.1

 

How to do that?

 

What preventative measures do you recommend?

Two seem obvious,

1) user declines to install the codec

2) user scans the codec file, hoping that if infected, it will be detected.​

Detection has always been problematical. From an old thread,

http://www.dslreports.com/forum/remark,17163035

----
rich

 

Agreed.

Obtain codec and any and all other software from only trusted sources. This approach has never failed me.

 

Let's say you follow a link to a video on site you have never been to, and a popup says you need *this* codec in order to watch the video.

You recommend that the user decline?


----
rich

 

Good question and good example to use. Thinking it over, I have only followed links from trusted sites such as, for
example, and one that comes immediately to mind, cbc.ca, so the originating source of the link plays a role in the decision making. Now, the only codecs I remember being prompted to install are Apple QT codecs to view some videos, and not from cbc.ca. I remember this happening only when wanting to view theatrical (Famous Players or Cineplex Odeon) movie trailers and there have been some others but I can't remember what they were. These trailers are from the official movie sites. I don't like QT so instead I have chosen to install WMP Classic, which allows the playback of the .mov format. As with anything else I install, I obtain this from a known, trusted source.

In all, I consider the source of the link and then the subsequent prompt to install the required codec to view the video. If it looks fishy I won't install it, but I've never encountered anything codec-wise that appeared fishy and never been burned yet this way in ~12 years which is maybe a fluke to some extent, but I figure the odds are pretty good I can view these videos with impunity

Just occurring to me now, the only suspicious alerts I've received are from my firewall, where the video link needs to connect to some remote port I don't recognize as normal. I've always denied these.

*Edit*

FWIW, the only malware I've been burned by was the blaster worm during a Windows install and twice when looking for nice, "free" software from Limewire. The blaster infection was learning the hard way to be disconnected from the 'Net or behind a router during installs, and the latter two my own stupidity. Never again happened.

 

A few questions on this.

(1) Any recommendations on how strong to make it? Can you do 192.105.97.16 for example? What happens to the IP's dished out by DHCP to LAN computers and broadcast IP's? Or does the 4th number need to remain "1" with the 3rd number being anything from "0-255", and the second number staying at the default "169" or "168"?

(2) Just came across this in my browser. When entering the router IP in the address box, the history selection comes up below with the ip address there to be selected So it wouldn't matter what I made the Router IP, it'll be there for the taking somewhere on the computer.

Need to disable that browsing History, and what else?

(3) Is this about an impossible situation to prevent, especially considering that a keylogger could get all the info it needs to get into the router?

(4) Future Implementations - Routers with their own smart card or biometric security measures that require a physical acknowledgment on the router by the user before editing is allowed? Business opportunity here?