Malware Silently Alters Wireless Router Settings

Discussion in 'other security issues & news' started by midway40, Jun 12, 2008.

Thread Status:
Not open for further replies.
  1. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
  2. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    We've seen these ones before. I hope people change their default passwords on their router.
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    This is still malware that needs to be executed on the target machine, however. The main thing here is not to get infected in the first place, because if you do and your changed password gets stolen (by say, a keylogger) they obviously can change the settings anyway. So yes, it's bad, yes, you should change the default password, but not getting infected in the first place is mandatory to be sure that this doesn't happen. What is mostly interesting about this is story that the user should routinely check his routers settings, because there IS malware that cares about something else than just your PC...
     
  4. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Excellent post. This is what I tell my clients all the time.
     
  5. Rapid Dr3am

    Rapid Dr3am Registered Member

    Joined:
    Jun 14, 2008
    Posts:
    60
    Don't rely on changing passwords on your router. I've got a WRT54G and as people have proberly seen a POC on bypassing the admin credentials for it. What you want to look at is forcing the router to have a static internal ip other than 192.169.1.1
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    How to do that?
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What preventative measures do you recommend?

    Two seem obvious,
    1) user declines to install the codec

    2) user scans the codec file, hoping that if infected, it will be detected.​
    Detection has always been problematical. From an old thread,

    http://www.dslreports.com/forum/remark,17163035

    ----
    rich
     
  8. wat0114

    wat0114 Guest

    Agreed.

    Obtain codec and any and all other software from only trusted sources. This approach has never failed me.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Let's say you follow a link to a video on site you have never been to, and a popup says you need *this* codec in order to watch the video.

    You recommend that the user decline?


    ----
    rich
     
  10. wat0114

    wat0114 Guest

    Good question and good example to use. Thinking it over, I have only followed links from trusted sites such as, for
    example, and one that comes immediately to mind, cbc.ca, so the originating source of the link plays a role in the decision making. Now, the only codecs I remember being prompted to install are Apple QT codecs to view some videos, and not from cbc.ca. I remember this happening only when wanting to view theatrical (Famous Players or Cineplex Odeon) movie trailers and there have been some others but I can't remember what they were. These trailers are from the official movie sites. I don't like QT so instead I have chosen to install WMP Classic, which allows the playback of the .mov format. As with anything else I install, I obtain this from a known, trusted source.

    In all, I consider the source of the link and then the subsequent prompt to install the required codec to view the video. If it looks fishy I won't install it, but I've never encountered anything codec-wise that appeared fishy and never been burned yet this way in ~12 years which is maybe a fluke to some extent, but I figure the odds are pretty good I can view these videos with impunity :)

    Just occurring to me now, the only suspicious alerts I've received are from my firewall, where the video link needs to connect to some remote port I don't recognize as normal. I've always denied these.

    *Edit*

    FWIW, the only malware I've been burned by was the blaster worm during a Windows install and twice when looking for nice, "free" software from Limewire. The blaster infection was learning the hard way to be disconnected from the 'Net or behind a router during installs, and the latter two my own stupidity. Never again happened.
     
    Last edited by a moderator: Jun 18, 2008
  11. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    A few questions on this.

    (1) Any recommendations on how strong to make it? Can you do 192.105.97.16 for example? What happens to the IP's dished out by DHCP to LAN computers and broadcast IP's? Or does the 4th number need to remain "1" with the 3rd number being anything from "0-255", and the second number staying at the default "169" or "168"?

    (2) Just came across this in my browser. When entering the router IP in the address box, the history selection comes up below with the ip address there to be selected :ouch: So it wouldn't matter what I made the Router IP, it'll be there for the taking somewhere on the computer.

    Need to disable that browsing History, and what else?

    (3) Is this about an impossible situation to prevent, especially considering that a keylogger could get all the info it needs to get into the router?

    (4) Future Implementations - Routers with their own smart card or biometric security measures that require a physical acknowledgment on the router by the user before editing is allowed? Business opportunity here?
     
Loading...
Thread Status:
Not open for further replies.