
www.misk.com/tools/

https://www.dnsleaktest.com/results.html

http://voices.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html

Comments

Other than changing a router's default password, also be sure to keep it patched with the latest firmware
obtained from the manufacturer.

Personally, I refuse to use a wireless router as I can't readily control where the signal can go and who may
be able to sniff it and attempt to hack into it. At least with a wired unit (firewall and router), they would
have to physically connect to it or attempt to infect my systems with something first, which isn't going to
happen very easily since I use defense in depth strategies on each computer and the network in general.
Regardless though, it is still wise to remain vigilant.

Posted by: TJ | June 11, 2008 7:31 PM | Report abuse

so, does this affect macs, osx, linux or only windoze?

Posted by: sprintusuks.com | June 11, 2008 7:52 PM | Report abuse

Besides a non-admin (limited user) account and AV software, another effective defense against these
types of malware is a blocking hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

They also have a related blog that covers a lot of these types of malware tricks using codecs.

http://msmvps.com/blogs/hostsnews/default.aspx
Posted by: Tim | June 11, 2008 8:00 PM | Report abuse

What DNS setting does it change it to? What are we looking for on the DNS setting to tell if it's been
hijacked?

Posted by: Mark | June 11, 2008 8:09 PM | Report abuse

I was researching this a few weeks ago and unless you have a very different form of router-patcher
DNSChanger, the info here is very wrong.

The version I tested got into a router through a wireless connection with both a non-standard username
and password combined with access denied to all non hard-wired connections. It gets in through upnp in
the router so the advice here will do nothing if upnp is left on. I just did a search on this page and upnp is
not even mentioned, a little more research would not have hurt you guys.

http://www.google.com/search?hl=en&q=upnp+exploit+router
Posted by: nosirrah | June 11, 2008 8:15 PM | Report abuse

This is NOT just a Windows issue...

http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml

http://isc.sans.org/diary.html?storyid=4361
Posted by: TJ | June 11, 2008 8:20 PM | Report abuse

One way to check the DNS setting in your router is going to http://www.whois.net/
I put the DNS from my router and it came back with my ISP.

Posted by: Mark | June 11, 2008 9:03 PM | Report abuse

@Sprint: If the router's DNS settings are compromised, then the traffic flowing to and from all systems
behind that router -- be they Mac, Windows or Linux boxes -- will also be compromised. That is, unless
the individual machines have their own DNS servers hard-coded in, which isn't likely.

@Mark: I don't have the exact IPs handy, but they both start with 85, so 85.x.x.x, e.g.

Posted by: Bk | June 11, 2008 9:13 PM | Report abuse

I use a Soekris 5501 running Linux as my router. The only administrative access is through its serial port. I
need Windows for work, so those machines are on their own subnet with no internet access. I use
sneakernet for software updates on them. Our Mac user accounts have no administrative access so we
can't install anything. We do all administration from a special account used only for that purpose.
Posted by: Fran Taylor | June 11, 2008 9:54 PM | Report abuse

nosirrah,

Among the routers used to test this was a Linksys model BEFSX41. UPNP is disabled by default on this model and
other Linksys models because it is not a secure protocol.

The ethernet captures of a machine infected with this malware show no UPNP.

So the advice in Brian's article is correct.

Cheers,
Eric Sites, CTO
Sunbelt Software

Posted by: Eric Sites | June 11, 2008 11:23 PM | Report abuse

@nosirrah -- this attack appears to work just fine with universal plug and play (UPnP) turned off. The
attack works best against routers that are straight out of the box factory settings; at least on the three
routers I mention in the piece (linksys plain, linksys custom firmware, and Buffalo custom firmware) UPnP
was NOT enabled, and yet the attack worked by guessing/bruting the username/password.
Also, the Sunbelt people are still going through the massive amounts of traffic this thing generates, but
so far no UPnP packets to speak of.

Posted by: Bk | June 11, 2008 11:29 PM | Report abuse

@nosirrah -- Also, we just added a link in the second paragraph that shows more than 700 passwords this
malware tries against each router administration page it finds. It appears to be just brute-forcing the
password.

Here's the list:

http://blog.washingtonpost.com/securityfix/zlobpass.txt

Posted by: Bk | June 11, 2008 11:49 PM | Report abuse
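The password guessing Bk describes (hundreds of candidate passwords tried against each router administration page the malware finds) is something a defender can spot from the admin interface's own access log, where the router keeps one. The following is an added example, not code from the thread or from Sunbelt's analysis: it assumes a constructed log line format (timestamp, client address, method, path, HTTP status) rather than any vendor's real format, and flags any client that collects ten or more 401 responses inside a sliding 60-second window. Both the threshold and the window are assumptions chosen for the sample.

```python
"""Flag password-guessing bursts against a router admin page from its access log.

Added example for the Security Fix comment thread; the log format is constructed
(timestamp, client IP, method, path, HTTP status) and is not any vendor's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: 192.168.1.12 fails 12 logins in 12 seconds (the brute-force
# pattern), while 192.168.1.20 mistypes once and then logs in normally.
SAMPLE_LOG = "\n".join(
    [f"2008-06-11 19:31:{sec:02d} 192.168.1.12 GET /index.asp 401" for sec in range(12)]
    + [
        "2008-06-11 19:40:10 192.168.1.20 GET /index.asp 401",
        "2008-06-11 19:40:25 192.168.1.20 GET /index.asp 200",
    ]
)


def parse_log(text):
    """Yield (timestamp, client, path, status) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield (
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                m["src"],
                m["path"],
                int(m["status"]),
            )


def find_password_guessing(text, threshold=10, window=timedelta(seconds=60)):
    """Return {client: peak_failures} for clients with >= threshold 401s in any window."""
    failures = defaultdict(list)
    for ts, src, _path, status in parse_log(text):
        if status == 401:  # authentication failed on the admin page
            failures[src].append(ts)

    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until the span covers at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    for client, peak in find_password_guessing(SAMPLE_LOG).items():
        print(f"{client}: {peak} failed admin logins inside 60s, likely password guessing")
```

The useful observation is the shape of the traffic rather than any particular password: a human who forgets a password produces a handful of 401s spread over minutes, whereas a list of several hundred candidates produces a dense burst from one LAN host. A router whose admin interface logs nothing leaves no such trail, which is one more reason the thread's advice to change the default password matters.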

@Mark -- I finally got the IPs that the malware enters into a hijacked router's DNS settings:
85.255.116.164 and 85.255.112.81.

If you see those IPs, or something close to it, there's a good chance your machine/router belongs to
someone else.

Posted by: Bk | June 11, 2008 11:56 PM | Report abuse

DNSChanger has two platforms: Windows and Mac; and as far as I understand this feature exists in
Windows (win32 file) as of the moment. The latest Mac DNSChanger doesn't suggest this behavior.

Posted by: Meths | June 12, 2008 2:14 AM | Report abuse

Eric and Brian have nicely supplemented the original post here, just wanted to note a couple of other
things:

First, the DNS server IP addresses can vary, probably with the specific copy of the malware. If you see DNS
settings on your router that start with 85.255.xxx.xxx, that's likely bad.

Second, non-admin accounts (a.k.a. limited user accounts) only protect the operating system and won't
prevent the router from being compromised. In other words, the malware doesn't need administrator-
level privileges on Windows to change the *router* settings -- all it needs is the router credentials.

Philip Sloss
myNetWatchman.com
Posted by: Philip Sloss | June 12, 2008 7:14 AM | Report abuse

Does this threat also apply to wired routers? If not, should default pswds be changed anyway?

Posted by: Bartolo | June 12, 2008 8:17 AM | Report abuse

@Bartolo
2nd sentence in the story:

According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also
known as DNSChanger) will check to see if the victim uses a wireless or WIRED hardware router

Posted by: RTFA | June 12, 2008 8:20 AM | Report abuse

All I'm saying is that the malware that hit my test box got through router security set up so that from my
computer I can't even get to a router log on screen so passwords are irrelevant against it. I have started
asking around and have had a few friends where upnp was on so it is not 100% the default to have it off.
Strong user/pass + upnp off would prevent both forms of router hijack. I was not implying that the info
here about passwords was incorrect, just not as complete as it could be given that two identical-outcome
but different-cause DNS hijacks are in the wild at the same time.

IMO mentioning defence that would prevent BOTH DNSChanger router hijacks (attacks that from what I
can tell coincided time-wise and were likely from the same clowns) would be a good idea.

Another thing and likely just a nitpick is that Zlob and DNSChanger are two completely different codecs
and infections. The 5 most common codecs (from my research) are Zlob, VAC, IEDefender, DNSChanger
and ISecurity. For me Zlob (currently) installs 2 program folders (trojans and rogue), 1 %SYSDIR% dll
(downloader for rogue) and one %SYSDIR% folder that contains the trojan BHO. DNSChanger codec
installs DNS hijacks and sometimes Rootkit.DNSChanger in %SYSDIR%. If I were to lump multiple families
into one group, codec malware would describe them better than calling them all zlob. Even codec
malware is not completely correct though because multiple exploit-born infections will download and
install these without any user interaction at all so a fake codec does not factor in. If it were not for
DNSChanger you could collectively call the group FakeAlert because all the rest generate fake security
warnings and advertise/install rogue security software.

Posted by: nosirrah | June 12, 2008 9:18 AM | Report abuse

I am seeing UDP d-port 53 requests to d-ip in 85.255.112.0/24, way too much traffic to that block to be all
legit DNS servers. Assume same for the other block.

bigfoot.

Posted by: lagrandefoote | June 12, 2008 9:27 AM | Report abuse

The confusion between Zlob(s) and DNSChanger is that they use the same vector: Fake Codecs, and they
are from the same Gang. Looking at servers hosting the fake sites, the trojan.downloaders and the
droppers you can see the link.
They look radically different: DNS.Changer is silent. No fake alerts, no popups, no rogues. The others are
promoting rogue software.
DNS.Changer comes alone, but some of the others are downloading other infections so rogues can detect
real malware on the system.

Posted by: S!Ri | June 12, 2008 9:39 AM | Report abuse

Yes this threat is to any router - wired or wireless. Some are more at risk than others (maybe certain ones
are targeted more if they're notorious for a default admin password & have a browser-based admin
console). Just like Windows vs Linux, there are tons of certain brands, so attackers also may focus on the
larger attack base.

Original Question:

Does this threat also apply to wired routers? If not, should default pswds be changed anyway?
Posted by: Bartolo | June 12, 2008 8:17 AM

Posted by: @Bartolo - | June 12, 2008 10:02 AM | Report abuse

Yes, let's all switch to routers based on Windows 3.1.

How about Apple routers?

It's not enough to show that the Zlob variant successfully changed the DNS settings on a Buffalo router
running the DD-WRT open source firmware. You also have to contribute a fix to the open source
firmware.

http://www.dd-wrt.com
Posted by: Singing Senator | June 12, 2008 10:13 AM | Report abuse

Does this threat also apply to wired routers? If not, should default pswds be changed anyway?

Default passwords should/must always be changed.

Posted by: S!Ri | June 12, 2008 10:13 AM | Report abuse

FYI for BK, I've confirmed that DD-WRT uses index.asp page for setup, and that it has UPnP enabled by
default.

Posted by: Will | June 12, 2008 10:31 AM | Report abuse

What can we do with an old wireless router, just throw it out? If the new ones are no good, then what?

Posted by: Jack, Burke | June 12, 2008 11:49 AM | Report abuse

@Jack: What can we do with an old wireless router, just throw it out? If the new ones are no good, then
what?

I don't think the point is that if you have old equipment you're vulnerable. It's that if you aren't
CHANGING THE DEFAULT ADMIN PASSWORD to console into the router and configure it, then you may be
vulnerable. The malware probably attempts to enumerate and identify your router, and then sends pre-
determined default passwords to try logging into it.

ALSO THIS COULD AFFECT BOTH WIRED AND WIRELESS ROUTERS


Posted by: My humble answers | June 12, 2008 12:54 PM | Report abuse

How does Microsoft know how many copies of anything are deleted by its software?

Is it calling home?
Is this worth an article?

Posted by: huh? | June 12, 2008 1:44 PM | Report abuse

What intrigues me is how there are not many people who have heard of or tried some of the newest
security tools designed to prevent such networking attacks; all newbies running or setting up a home
network should use Network Magic.

Pure Networks, the creator of Network Magic and the newly released Speed Meter Pro, designed its software
utility specifically to help prevent such attacks from happening. Pure Networks has even
created a free wireless network security scan to help ease the hassle of manually checking each security
setting on your computer and home network. You can find the network security scanner here:
http://www.purenetworks.com/securityscan/

As we all know, there are A LOT of necessary settings that everyone must have to properly ensure a safe
and secure networking environment.

The Network Magic health and security feature continuously scans your network, alerts you to any
security issues and in many cases helps you fix the issue. As mentioned in the above article, the security
of your network is only as strong as its weakest link - the best way to identify and eliminate your "weakest
links" is with Network Magic.

http://www.networkmagic.com/product/network-security.php

Hopefully this helps!

Posted by: Derek | June 12, 2008 1:53 PM | Report abuse

The headline for this story "Malware Silently Alters Wireless Router Settings" is inaccurate. The word
"Wireless" should be deleted.

Posted by: KD | June 12, 2008 2:43 PM | Report abuse

Ok, how do I find out if the router sending out the open wifi signal I may borrow while at lunch is
compromised? My router at home is protected, but how am I to know if I borrow my cousin's neighbor's
signal or the insurance company's signal while in Nashua?

Posted by: Peter B | June 12, 2008 8:05 PM | Report abuse

What I'd like to know is why is this post considered to be new? Such DNSChanger was already seen in
2007...

Posted by: Cedric Pernet | June 13, 2008 4:29 AM | Report abuse
The difference here, as I see it, is that THIS DNS changer goes after your router instead of creating a
static network setting (DNS) in your computer. This lets it affect all machines on the network that get their
DNS dynamically, not just one PC at a time.

Posted by: TheGhostInYourMachine | June 13, 2008 8:16 AM | Report abuse

I always try to convince people concerned with PC security that a firewall should monitor outgoing traffic
as critically as incoming traffic. The fewer programs on your PC are allowed to access the internet the
better. And if it comes to multimedia, you better first download music or video to your hard drive if
possible. With streaming media, you should know the codec pack you installed is to be trusted. In fact,
you should never trust new software or plugins right away!

Posted by: Frank Hoogerbeets | June 13, 2008 9:47 AM | Report abuse

Good discussions - and hi to some old friends.

@ Eric - the article credits Sunbelt with, "It's important to note, however, that if there are other Zlob-
infected machines using the same router, they will need to be cleared of the trojan before resetting the
router."

Ummm, this would not be the best procedure. If there are other Zlob-infected machines, turn them off!
Get them off the network! Pull their plug! Then with the disinfected machine, reconfigure the router -
without the other infected machines interfering.
Posted by: Bill_Bright (AKA:Digerati) | June 13, 2008 10:33 AM | Report abuse

For more on changing the password on a router see my blog posting:

Defending your router, and your identity, with a password change
http://blogs.cnet.com/8301-13554_1-9889160-33.html

@Frank: A firewall will not help in this case

@Peter: One way to find out of a borrowed router (WiFi or wired) is compromised is to look at the DNS
servers it assigned to your computer. In Windows XP, Vista and 2000, an "ipconfig /all" command will
show you the DNS servers being used. However, determining good DNS servers from bad ones may not
be practical. An earlier comment from Philip Sloss said that the bad DNS server IP addresses can vary.

So, an excellent defense against this type of attack is not to let the router assign you DNS servers, but
instead, to pick your own. I suggest OpenDNS. For more on this see my blog posting
OpenDNS provides added safety for free
http://blogs.cnet.com/8301-13554_1-9834579-33.html

Posted by: Michael Horowitz | June 13, 2008 11:31 AM | Report abuse
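Michael Horowitz's suggestion (look at the DNS servers "ipconfig /all" reports), Bk's two addresses, Philip Sloss's note that anything in 85.255.x.x is likely bad, and lagrandefoote's observation of UDP port 53 traffic into 85.255.112.0/24 can be combined into one small check. The code below is an added example and not from any commenter: it assumes the Windows XP-era "ipconfig /all" layout shown in its constructed sample, a constructed one-line-per-flow format for the traffic view, and treats the whole 85.255.0.0/16 prefix as suspect because the thread says the exact addresses vary between copies of the malware. The 208.67.222.222 address in the sample is an OpenDNS resolver, included as a benign comparison.

```python
"""Check a host's DNS configuration and outbound DNS traffic for the DNSChanger
indicators named in the Security Fix thread (85.255.x.x resolvers).

Added example, not code from any commenter. The ipconfig output and the flow
lines below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Prefix the thread associates with hijacked routers; exact addresses vary per sample.
SUSPECT_DNS_NETS = [ipaddress.ip_network("85.255.0.0/16")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Constructed flow format: "UDP <src>:<sport> -> <dst>:<dport>", one flow per line.
FLOW_RE = re.compile(r"^UDP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed 'ipconfig /all' excerpt as XP/2000/Vista print it, with Bk's two addresses.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.5
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.116.164
                                       85.255.112.81
   Lease Obtained. . . . . . . . . . : Wednesday, June 11, 2008 7:31:02 PM
"""

# Constructed flow sample: two LAN hosts querying 85.255.x resolvers, one OpenDNS query,
# and one non-DNS packet to a suspect address that must not be counted.
SAMPLE_FLOWS = """\
UDP 192.168.1.5:51234 -> 85.255.112.9:53
UDP 192.168.1.5:51235 -> 85.255.112.9:53
UDP 192.168.1.7:40001 -> 85.255.116.164:53
UDP 192.168.1.7:40002 -> 208.67.222.222:53
UDP 192.168.1.5:51236 -> 85.255.112.9:123
"""


def is_suspect(ip_text):
    """True if the address falls inside a prefix the thread links to DNSChanger."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in SUSPECT_DNS_NETS)


def parse_ipconfig(text):
    """Extract DHCP status and the DNS server list from 'ipconfig /all' output.

    The DNS Servers line carries the first address; additional servers follow on
    continuation lines that contain nothing but an address.
    """
    dhcp_enabled = None
    dns_servers = []
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DHCP Enabled"):
            dhcp_enabled = stripped.rsplit(":", 1)[1].strip().lower() == "yes"
            collecting = False
        elif stripped.startswith("DNS Servers"):
            collecting = True
            dns_servers += IPV4_RE.findall(stripped)
        elif collecting and IPV4_RE.fullmatch(stripped):
            dns_servers.append(stripped)  # continuation line holding only an address
        else:
            collecting = False
    return {
        "dhcp_enabled": dhcp_enabled,
        "dns_servers": dns_servers,
        "suspect": [s for s in dns_servers if is_suspect(s)],
    }


def scan_flows(flow_text):
    """Count UDP/53 flows per destination for destinations inside a suspect prefix."""
    hits = Counter()
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m and m["dport"] == "53" and is_suspect(m["dst"]):
            hits[m["dst"]] += 1
    return dict(hits)


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    print("DHCP-assigned DNS:", cfg["dhcp_enabled"], "servers:", cfg["dns_servers"])
    print("suspect resolvers in config:", cfg["suspect"])
    print("suspect UDP/53 destinations on the wire:", scan_flows(SAMPLE_FLOWS))
```

Two things the check shows that the prose alone does not: a result with `dhcp_enabled` true and suspect servers points at the router rather than the PC, which is exactly the case this thread is about, and the flow scan catches the same hijack from the network side even on a machine whose configuration cannot be inspected. A resolver in the prefix is a strong hint, not proof, so treat a hit as a reason to log into the router and read its DNS settings directly.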

I wonder why manufacturers can't use the hardware serial number as the default password. It could be
automated during the manufacture process.

Posted by: IT Guy | June 13, 2008 12:05 PM | Report abuse


Interesting. Would hard coding OpenDNS values avoid the issue?

I'm on a Linux laptop, so I don't have the issue of actually getting the trojan (I stick to software in the
repositories or compile my own if I trust the source) but using a router that's been compromised is
possible of course.

If hard coding is an option, edit this file:
/etc/dhcp3/dhclient.conf

Just add the IP addresses to the line that says "prepend domain-name-servers".

Posted by: Fran | June 13, 2008 12:30 PM | Report abuse

One way to avoid needing to trust the router's DNS settings that works especially well on Linux is to
simply run your own instance of BIND on each computer.

Since BIND does DNS resolves starting from the root, it doesn't matter if the router's DNS settings are
altered to point to bad DNS servers--they won't be used.

I first started doing this because I wanted a minimum of hassle when moving between two networks, one
of which uses DHCP, the other uses a static configuration (Win98SE ICS on a dial-up Internet link--the DNS
servers the ISP gives occasionally change). The only way to make DNS work easily on both was to run
BIND on localhost.

Another issue here is that quite a few authentication bypass vulnerabilities have been found in various
routers, so even if Universal Plug 'n Pray is turned off and a secure password set, it may still be possible to
alter the router configuration.

Posted by: Out there | June 13, 2008 12:34 PM | Report abuse

@IT Guy: Good idea about varying the default password. I ran across one router that does that, from
Cradlepoint. Its default password is the last few characters of the MAC address.

@Fran: Yes, hard coding DNS servers in your operating system would avoid this problem because then
you are not using DNS servers from the router. Brian said as much in a comment, see above on June 11th
at 9:13PM.

Posted by: Michael Horowitz | June 13, 2008 1:23 PM | Report abuse

@ IT Guy: Correct, I feel that vendors are helping malware writers "hey there, our router's default
password is password, don't forget to tell your worm"

I've compiled a "countermeasures against DNSChanger" list here on my blog

http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html
Posted by: Aa'ed Alqarta | June 13, 2008 2:47 PM | Report abuse

We published some more information on how DNSChanger works on our blog as well:

http://www.trustedsource.org/blog/42/New-DNSChanger-Trojan-hacks-into-routers

Posted by: Secure Computing | June 13, 2008 5:49 PM | Report abuse

For DNS, I use OpenDNS. For routing, I have been using Untangle.......

D.

Posted by: DOUGman | June 14, 2008 1:17 AM | Report abuse

Fran:

You're just increasing your attack surface area by adding BIND. BIND's security track record isn't stellar.

The simple fix is: change the default password to a strong unique password. If possible, change the admin
user name as well. This should be the case with ANY device.

I'm also for disabling uPNP; while it may inconvenience novice users, it's just too much of a security risk
to have floating around there. As with uPNP, mDNS is another one of those "zero-config" protocols that's
ripe for abuse.

Remember, most of these routers run some form of Linux. What if the trojan used a GRE tunnel to funnel
the traffic instead of DNS? Alternatively, it could write an IPTABLES rule to redirect all traffic to the attacker's
host. You would still appear to go to your normal "safe" DNS server, it might even serve up real DNS
responses from that server, but everything (or just what the attacker wants) could be tunneled from your
network over a GRE tunnel to a man-in-the-middle. A smart attacker would keep the redirects to a bare
minimum to not create suspicion, say just pick off financial or banking websites. A local DNS server would
not help in this case.

Singing Senator:

As far as DD-WRT having a vulnerability, the author is not claiming that DD-WRT contains a vulnerability,
he is stating that if you don't change the default password it is vulnerable. I think his point was, even a
third party firmware is being targeted.

As far as DD-WRT, one of the nice features on there is the ability to assign the "Cisco Button" to "do
something". One could write a script to possibly turn remote management (GUI/Telnet/SSH/uPNP even)
on/off when that button is pressed. How many times a day does one have to administer their router? It
would be more difficult for a trojan to hijack a router when there is no administrative interface to attack.
Heck, even changing the default ports for GUI/Telnet/SSH could be enough to slow it down (security
through obscurity). :)

Posted by: wmchurch | June 15, 2008 11:56 AM | Report abuse


@Michael Horowitz

Thanks so much for the info on how to check the DNS servers of my laptop(s). Not everyone who reads
Krebs is as knowledgeable as the rest of you people, and I greatly appreciate it. Maybe Krebs will read this
and think to include information like this in warning articles.

Posted by: Peter | June 16, 2008 9:27 AM | Report abuse

I like the idea of the default password being the serial number, although I think doing that would require
the serial number be easier to find; for some devices, it would also need to be easier to read.

Running one's own DNS works, so long as one is up to the task. That having been said, given its lackluster
security history, BIND has too much market share (that is, it has exploits, generally at least once a year.
Since nigh everyone uses it, these exploits are targeted moderately heavily - at least, I'm assuming that's
what's probing my box at port 53, since I don't run a public DNS server and I am aware of no NS records
pointing to my box.) I think it would be better to point people to djbdns or another relatively obscure DNS
server - it may not be as well reviewed, and it may not be as well documented, but it's probably not as
likely to be exploited immediately after a new exploit is found. djbdns has the advantage of having an
excellent security record, as far as I am aware, although the disadvantage of having been written by
someone with a poor standards-compliance record (I'm not a DNS person, so I can't say how well djbdns
complies with DNS standards) and very slow on adopting new features.

Posted by: Ed | June 23, 2008 12:42 PM | Report abuse

I think this is an important story and would benefit from other NowPublic contributors working on it. I've
flagged it as News Wanted and invite others in relevant locations to look for more evidence.

Posted by: peter | June 25, 2008 6:27 AM | Report abuse

Which video Codec is it? I couldn't find the name of this codec (or program with this malware). The thing
is, I often use various codecs for video conversion of my artworks, and I fear now, I could download that
codec one day.

Posted by: Rob | June 26, 2008 4:06 AM | Report abuse

Bk said:
"If the router's DNS settings are compromised, then the traffic flowing to and from all systems behind
that router -- be they Mac, Windows or Linux boxes -- will also be compromised. That is, unless the
individual machines have their own DNS servers hard-coded in, which isn't likely."

What, you don't have DNS settings in your computer? My /etc/resolv.conf is full of OpenDNS IPs.

Posted by: Mackenzie | June 26, 2008 3:13 PM | Report abuse


The comments to this entry are closed.

https://www.howtogeek.com/227384/how-to-check-your-router-for-malware/

https://www.howtogeek.com/173921/secure-your-wireless-router-8-things-you-can-do-right-now/

https://www.howtogeek.com/168379/10-useful-options-you-can-configure-in-your-routers-web-
interface/

https://www.howtogeek.com/122845/htg-explains-what-is-dns/

http://www.routercheck.com
