Malware alters DNS data on routers


The Zlob trojan, also known as DNSChanger, has been around for a few years, but recent Zlob variants seen in the wild attempt to log into routers using a list of default admin/password combos. If they succeed, they alter the DNS records on the router to reroute traffic through the attacker’s server.

Our friend [Dan Kaminsky] recently did a presentation warning against vulnerabilities in internet browser plugins that allow attackers to mount DNS rebinding attacks against routers with default passwords. Though it achieves the same end, Zlob is different because it infects by the tried-and-true method of fooling users into downloading it inside a fake video codec. Once it is running on a client machine, it is free to attempt to use the default admin id and password of the router to log in and alter DNS settings. It even supports the DD-WRT firmware.

Even if a system is wiped clean of Zlob trojans, the router could still be compromised. The good news is that it is easy to fix and even easier to prevent. Fixing it takes no more than wiping all network clients clean, then resetting the router and restoring custom settings. Prevention is a simple matter of changing the router’s password.

[photo: fbz]

Comments

  1. James says:

    What about *detection*? How do we know if our router has been compromised?

  2. monster says:

    That's easy James, just send me your credit card details, and if anyone but me empties your account you’ve been infected.

    That goes for anyone =]

    Seriously though, this is making me nervous. I run DD-WRT on my router, but I run Ubuntu on my desktop. If I need a codec I open Synaptic and install it for VLC. Does this mean I’m pretty secure from this bug?

  3. barry99705 says:

    Check the router's DNS settings. They should jive with your ISP’s DNS servers, or OpenDNS’ servers if that’s how you roll.

  4. barry99705 says:

    The Ubuntu repositories should be fairly safe. You don’t have any third party repositories do you?

  5. Dave says:

    Monster-

    If you have changed the default password for DD-WRT, you are safe from getting your router infected, even if you did install a Zlob trojan as a video codec.

    I doubt there are many out there able to install DD-WRT who wouldn’t also at least change the default password to a weak one automatically.

  6. I’ve compiled a countermeasures list to stop and prevent DNSChanger

    check here
    http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html

  7. Chris says:

    I see a simple way of using a captcha system to prevent attacks, even if the router has a default password. Simply, in addition to the normal user name and password, have a captcha field on the login screen to verify that it’s a person logging in to make the changes.
