This router hack is injecting ads and porn into random websites

Discussion in 'malware problems & news' started by Dermot7, Mar 25, 2015.

  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://www.theverge.com/2015/3/25/8290277/router-hack-adware-porn-security-ara-labs
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Once a router is compromised ... Emphasis on once.
    Mrk
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    Turn off DNS relay and put the DNS server IP address in your PC. Problem solved. Mostly.
     
  4. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Indeed. Gateway security. Everything else is mostly theatrics. I love it when a 'security' conscious dude drops a $19 Netgear on his Gateway, then spends days, even weeks, and $$$ locking down individual desktops.. :confused:
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Most simple solution. But then DNS can be 'easily' hijacked by malware on individual systems.

    I actually like to disable DNSClient, and Asynchronous browser DNS, or you could use DNS Zones on AD, or use a DNS forwarder with validation. But for consumers? They are toast either way..
     
  6. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I haven't covered all of the articles as I'm busy right now, but it seems most attacks will be prevented by setting a strong password for the router and disabling JavaScript. Remember, there are still ways to attack your router without script, and that is CSRF, though many CSRF attacks utilize script.

    There are many ways to prevent CSRF: NoScript's ABE, RequestPolicy, Policeman, CSFire, uMatrix, etc. If you don't want to use those addons and still prefer using the browser-accessible router GUI, then use a dedicated browser, different from your everyday browser, to access your router config in private mode, and never go to other sites while you're logged in.
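As an added example (not from the original post or the linked article), here is a small Python model of the router side of the attack Yuki2718 describes: a 2015-era admin handler that trusts any request carrying a valid session cookie, next to a hardened version that checks Origin/Referer and a per-session token. The router address, the handler names, the `203.0.113.53` resolver, the `evil.example` page and the request shapes are all constructed for the demo. The same trick works against routers that use HTTP Basic auth, since the browser replays cached credentials the same way it attaches cookies.

```python
import hmac
import secrets
from urllib.parse import urlparse

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the router's admin UI
ROGUE_DNS = "203.0.113.53"             # constructed attacker resolver (TEST-NET-3 address)


def origin_of(url):
    """Scheme + host[:port] of a URL, the part the Origin header carries."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


class Router:
    """Toy admin backend: a session store and the one setting the attack cares about."""

    def __init__(self):
        self.dns_servers = ["192.168.1.1"]  # clean state: clients use the router's own resolver
        self.sessions = {}                  # session cookie -> per-session CSRF token

    def login(self):
        """Admin logs in; the browser keeps the cookie, the admin page embeds the token."""
        cookie, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[cookie] = token
        return cookie, token

    def set_dns_vulnerable(self, request):
        """Accepts any request that carries a valid session cookie, GET included.
        A page the victim merely visits can embed
        <img src="http://192.168.1.1/apply.cgi?dns=203.0.113.53"> and the browser
        sends this request with the admin cookie attached; no JavaScript is needed."""
        if request["cookie"] not in self.sessions:
            return 401
        self.dns_servers = request["params"]["dns"].split(",")
        return 200

    def set_dns_hardened(self, request):
        """Same endpoint with two independent CSRF checks; everything else unchanged."""
        token = self.sessions.get(request["cookie"])
        if token is None:
            return 401
        # Check 1: Origin (or Referer as fallback) must be the router's own origin.
        # A cross-site page cannot set these headers; an <img> GET has no Origin and a
        # Referer pointing at the attacker's page. A missing header fails closed.
        header = request["headers"].get("Origin") or request["headers"].get("Referer")
        if header is None or origin_of(header) != ROUTER_ORIGIN:
            return 403
        # Check 2: state changes go through POST and must carry the per-session token,
        # which only a same-origin page can read out of the admin HTML.
        if request["method"] != "POST":
            return 405
        if not hmac.compare_digest(request["params"].get("csrf_token", ""), token):
            return 403
        self.dns_servers = request["params"]["dns"].split(",")
        return 200


def csrf_request(cookie):
    """What the victim's browser emits for the attacker's <img> tag (constructed)."""
    return {"method": "GET", "cookie": cookie,
            "headers": {"Referer": "http://evil.example/ads.html"},
            "params": {"dns": ROGUE_DNS}}


def legit_request(cookie, token, dns="9.9.9.9"):
    """The admin's own form submission from the router page (constructed)."""
    return {"method": "POST", "cookie": cookie,
            "headers": {"Origin": ROUTER_ORIGIN},
            "params": {"dns": dns, "csrf_token": token}}


def demo():
    """Plays the attack against both handlers; returns
    (vulnerable router's DNS, hardened router's DNS, status the hardened one gave the attack)."""
    weak = Router()
    cookie, _ = weak.login()
    weak.set_dns_vulnerable(csrf_request(cookie))

    hard = Router()
    cookie, token = hard.login()
    attack_status = hard.set_dns_hardened(csrf_request(cookie))
    hard.set_dns_hardened(legit_request(cookie, token))   # the admin's real change still works
    return weak.dns_servers, hard.dns_servers, attack_status


if __name__ == "__main__":
    print(demo())
```

The token is the primary defence; the Origin/Referer check is defence in depth that happens to fail closed when a referrer policy strips the header. SameSite cookies, the browser-side counterpart to these server checks, did not yet exist in browsers when this thread was written, which is why the post's advice about a separate browser and private mode was the practical client-side mitigation.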
     
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Lots of ways to secure a router.

    1) Assign a dedicated port on its own subnet for admin, then adjust the IPv4 settings on a laptop to match, and plug that into the router for admin.
    2) Assign an odd port to router admin, disable admin from WAN.
    3) Enable MAC-restricted or IP-restricted admin access.
    4) Console-only admin.

    In some high-security areas where we work, the UTM has a port, such as Port 4 on the UTM with its own subnet, and admin is restricted to THAT port only on THAT local subnet. So in effect the UTM cannot be accessed unless you physically take a laptop, adjust it to match the subnet, plug it directly into that specific port, and then enter the credentials. You can also get really crazy.. having 'windows' where admin access is permitted, such as only from 4pm-5pm each day; any other time it's 100% DENY/ALL. Or you can use a combination of things for ultimate security.
     
  8. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,148
    hi
    But a firmware update or a reset should fix it? Or even a reset and reloading a clean configuration?
     
  9. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    I can't say I know enough about this to know if it is a persistent infection to accurately answer that. I doubt I would trust a reset. Hopefully someone that knows more about it can answer.
     
  10. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,148
    hi
    Wouldn't a tutorial be nice? For how to fix it...
     
  11. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    No, these attacks do not actually infect your router. They are CSRF and similar script-based attacks, not something like common malware on your PC.

    You don't need to clean or disinfect the router, but if you're affected then change the router password to a very strong one, and change your browsing habits, e.g. do not go to other websites while you're logged in, periodically delete cookies, and also keep all the software on your devices up to date, as well as the router firmware, etc.

    From a link in the link:
     
  12. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,087
    Key words being "configuration requests". The scenario involves changes being made to the router, so it would require attention. Questions: What was changed and what do you have to do to fix it? If the exploit only changed user-visible settings, you could go in and change them back.

    However, what if less obvious changes were [also] made? There are too many different routers, firmware versions, and types of attacks to rule that out across the board. Especially if the scenario involves a router that can download updates on its own or involves a more sophisticated type of attack via cooperative local machine.

    Absent specifics that would justify a simpler approach, perhaps it would be wise to at least reset back to and/or reinstall known-good firmware and manually configure it again. On the other hand, if you did have reason to suspect that the firmware had been tampered with, you'd have to try to determine if there is a reliable way to verify the firmware and if necessary get back to a good build. If you can't establish that it is possible, the device must be written off for good.
     
    Last edited: Apr 7, 2015
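Following TheWindBringeth's two questions (what was changed, and whether the firmware can be verified), the Python below is an added example, not from the thread: it diffs a known-good `nvram show`-style config export against one taken from a suspect router and flags resolver and remote-admin keys, and it checks a downloaded firmware image against a vendor-published SHA-256. Both config dumps, the key names on the watch list and the firmware bytes are constructed for the example; real key names vary by vendor.

```python
import hashlib
import hmac

# Constructed watch list: key prefixes that decide which resolver LAN clients get
# (the change behind ad/porn injection) plus remote-admin and NTP settings an
# attacker would touch to keep access. Real nvram key names differ between vendors.
WATCH_PREFIXES = ("wan_dns", "dhcp_dns", "lan_dns", "remote_management",
                  "http_wanport", "ntp_server")

# Constructed dumps in the key=value format of `nvram show` on Broadcom-based and
# many telnet-accessible consumer routers. BASELINE is the export taken right after
# a clean setup; COMPROMISED is what the same router shows after a DNS-changing CSRF.
BASELINE = """\
lan_ipaddr=192.168.1.1
wan_dns=
dhcp_dns=
remote_management=0
ntp_server=pool.ntp.org
wl_ssid=home
"""

COMPROMISED = """\
lan_ipaddr=192.168.1.1
wan_dns=203.0.113.53 203.0.113.54
dhcp_dns=203.0.113.53
remote_management=1
http_wanport=8080
ntp_server=pool.ntp.org
wl_ssid=home
"""


def parse_nvram(dump):
    """Parses key=value lines into a dict; blank lines, comments and junk are skipped."""
    cfg = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def diff_config(baseline, current):
    """Returns {key: (old, new)} for every key whose value differs; None marks an absent key,
    so a key the attacker added (or deleted) shows up as well as a changed value."""
    changes = {}
    for key in set(baseline) | set(current):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


def suspicious_changes(changes):
    """Keeps only diffs on watch-listed keys, in sorted order for stable reports."""
    return {k: v for k, v in sorted(changes.items()) if k.startswith(WATCH_PREFIXES)}


def triage(baseline_dump=BASELINE, current_dump=COMPROMISED):
    """End to end: parse both dumps and report the security-relevant changes."""
    return suspicious_changes(diff_config(parse_nvram(baseline_dump), parse_nvram(current_dump)))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_firmware(image, expected_sha256):
    """True iff the image hashes to the digest the vendor published out of band
    (download page, release notes); compare_digest out of habit for digest strings."""
    return hmac.compare_digest(sha256_hex(image).lower(), expected_sha256.strip().lower())


if __name__ == "__main__":
    for key, (old, new) in triage().items():
        print(f"{key}: {old!r} -> {new!r}")
    image = b"\x7fELF" + bytes(64)   # constructed stand-in for a downloaded firmware file
    print("image matches published digest:", verify_firmware(image, sha256_hex(image)))
```

Two caveats apply. The hash check only proves that the image you are about to flash is the one the vendor published; it says nothing about what is currently running on the device. And a config dump pulled over telnet from a router you already suspect may itself be lying, because the software producing it is the thing under suspicion. That is why the post's floor of reflashing known-good firmware and reconfiguring by hand is the safer choice whenever a simpler explanation cannot be confirmed.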
  13. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    That's valid! I completely forgot about it despite the article mentioning the DNS setting change. And I know some routers don't give all settings in the GUI, thus I have to connect via telnet. So at least a router reset is strongly recommended. But as to firmware modification, at least the mentioned attacks are not relevant and common criminals won't/can't do that for a time. That can only happen in some targeted attack.
     