The Zlob trojan, also known as DNSChanger, has been around for a few years, but recent Zlob variants to appear in the wild attempt to log into routers using a list of default admin/password combos. If they succeed, they alter the DNS records on the router to reroute traffic through the attacker’s server.
Our friend [Dan Kaminisky] recently did a presentation warning against vulnerabilities in internet browser plugins that allow attackers to mount DNS rebinding attacks against routers with default passwords.. Though it achieves the same end, Zlob is different because it infects by the tried-and-true method of fooling users into downloading it inside a fake video codec. Once it is running on a client machine, it is free to attempt to use the default admin id and password of the router to log in and alter DNS settings. It even supports the DD-WRT firmware.
Even if a system is wiped clean of Zlob trojans, the router could still be compromised. The good news is that it is easy to fix and even easier to prevent. Fixing it takes no more than wiping all network clients clean, then resetting the router and restoring custom settings. Prevention is a simple matter of changing the router’s password.
[photo: fbz]
What about *detection*? How do we know if our router has been compromised?
thats easy james, just send me your credit card details, and if anyone but me empties your account you’ve been infected.
that goes for anyone =]
seriously though, this is making me nervous. i run DD-wrt on my router, but i run ubuntu on my desktop. if i need a codec i open synaptic and install it for vlc. does this mean i’m pretty secure from this bug?
Check the routers dns settings. They should jive with your isp’s dns servers, or opendns’ servers if that’s how you roll.
The Ubuntu repositories should be fairly safe. You don’t have any third party repositories do you?
Monster-
If you have changed the default password for dd-wrt, you are safe from getting your router infected, even if you did install a zlob trojan as a video codec.
I doubt there’s many out there able to install dd-wrt who wouldn’t also at least change the default password to a weak one automatically.
I’ve compiled a countermeasures list to stop and prevent DNSChanger
check here
http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html
I see a simple way of using a captcha system to prevent attacks, even if the router has a default password. simply in addition to the normal user name and password, have a captcha field on the login screen to verify that it’s a person logging in to make the changes.