Malware alters DNS data on routers

posted Jun 12th 2008 2:50pm by Juan Aguilar
filed under: news

The Zlob trojan, also known as DNSChanger, has been around for a few years, but recent Zlob variants to appear in the wild attempt to log into routers using a list of default admin/password combos. If they succeed, they alter the DNS records on the router to reroute traffic through the attacker’s server.

Our friend [Dan Kaminisky] recently did a presentation warning against vulnerabilities in internet browser plugins that allow attackers to mount DNS rebinding attacks against routers with default passwords.. Though it achieves the same end, Zlob is different because it infects by the tried-and-true method of fooling users into downloading it inside a fake video codec. Once it is running on a client machine, it is free to attempt to use the default admin id and password of the router to log in and alter DNS settings. It even supports the DD-WRT firmware.

Even if a system is wiped clean of Zlob trojans, the router could still be compromised. The good news is that it is easy to fix and even easier to prevent. Fixing it takes no more than wiping all network clients clean, then resetting the router and restoring custom settings. Prevention is a simple matter of changing the router’s password.

[photo: fbz]

Read

Comments [7]

tagged: dankaminsky, default, defaultpassword, dns, dnsattack, dnschanger, dnsrebinding, router, trojan, trojanhorse, zlob

Reader Comments

What about *detection*? How do we know if our router has been compromised?

Posted at 4:18 pm on Jun 12th, 2008 by James

thats easy james, just send me your credit card details, and if anyone but me empties your account you’ve been infected.

that goes for anyone =]

seriously though, this is making me nervous. i run DD-wrt on my router, but i run ubuntu on my desktop. if i need a codec i open synaptic and install it for vlc. does this mean i’m pretty secure from this bug?

Posted at 4:35 pm on Jun 12th, 2008 by monster

Check the routers dns settings. They should jive with your isp’s dns servers, or opendns’ servers if that’s how you roll.

Posted at 4:37 pm on Jun 12th, 2008 by barry99705

The Ubuntu repositories should be fairly safe. You don’t have any third party repositories do you?

Posted at 4:39 pm on Jun 12th, 2008 by barry99705

Monster-

If you have changed the default password for dd-wrt, you are safe from getting your router infected, even if you did install a zlob trojan as a video codec.

I doubt there’s many out there able to install dd-wrt who wouldn’t also at least change the default password to a weak one automatically.

Posted at 10:05 pm on Jun 12th, 2008 by Dave

I’ve compiled a countermeasures list to stop and prevent DNSChanger

check here
http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html

Posted at 4:08 pm on Jun 13th, 2008 by Aa\'ed Alqarta

I see a simple way of using a captcha system to prevent attacks, even if the router has a default password. simply in addition to the normal user name and password, have a captcha field on the login screen to verify that it’s a person logging in to make the changes.

Posted at 1:58 pm on May 13th, 2009 by Chris

Malware alters DNS data on routers

Recent Posts

Reader Comments

Leave a Reply

Hacks

Resources

RSS newsfeeds

Most commented on (30 days)

Recent comments