Malware Alters DNS Data On Routers

The Zlob trojan, also known as DNSChanger, has been around for a few years, but recent Zlob variants to appear in the wild attempt to log into routers using a list of default admin/password combos. If they succeed, they alter the DNS records on the router to reroute traffic through the attacker’s server.

Our friend [Dan Kaminisky] recently did a presentation warning against vulnerabilities in internet browser plugins that allow attackers to mount DNS rebinding attacks against routers with default passwords.. Though it achieves the same end, Zlob is different because it infects by the tried-and-true method of fooling users into downloading it inside a fake video codec. Once it is running on a client machine, it is free to attempt to use the default admin id and password of the router to log in and alter DNS settings. It even supports the DD-WRT firmware.

Even if a system is wiped clean of Zlob trojans, the router could still be compromised. The good news is that it is easy to fix and even easier to prevent. Fixing it takes no more than wiping all network clients clean, then resetting the router and restoring custom settings. Prevention is a simple matter of changing the router’s password.

[photo: fbz]

7 thoughts on “Malware Alters DNS Data On Routers

  1. thats easy james, just send me your credit card details, and if anyone but me empties your account you’ve been infected.

    that goes for anyone =]

    seriously though, this is making me nervous. i run DD-wrt on my router, but i run ubuntu on my desktop. if i need a codec i open synaptic and install it for vlc. does this mean i’m pretty secure from this bug?

  2. Monster-

    If you have changed the default password for dd-wrt, you are safe from getting your router infected, even if you did install a zlob trojan as a video codec.

    I doubt there’s many out there able to install dd-wrt who wouldn’t also at least change the default password to a weak one automatically.

  3. I see a simple way of using a captcha system to prevent attacks, even if the router has a default password. simply in addition to the normal user name and password, have a captcha field on the login screen to verify that it’s a person logging in to make the changes.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.