Broadband Tech > Security > Security > In the Wild: Zlob Changing Router Settings to Hijack DNS

In the Wild: Zlob Changing Router Settings to Hijack DNS

quote:

---

A new Trojan horse masquerading as a video "codec" required to view content on certain Web sites tries to change key settings on the victim's Internet router so that all of the victim's Web traffic is routed through servers controlled by the attackers.

According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first. DNS can be thought of as the Internet's phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking equipment to handle.

While researchers have long warned that threats against hardware routers could one day be incorporated into malicious software, this appears to be the first time this behavior has been spotted in malware released into the wild.

The type of functionality incorporated into this version of the Zlob Trojan is extremely concerning for a number of reasons. First, Zlob is among the most common type of Trojan downloaded onto Windows machines. According to Microsoft, the company's malicious software removal tool zapped some 14.3 million instances of Zlob-related malware from customer machines in the second half of 2007.

The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think to look to the router settings, provided the customer's Internet connection is functioning fine.

Philip Sloss, a software engineer for myNetwatchman.com, said he first observed the activity while examining a Zlob variant distributed on May 22. The DNS hijack occurs, he said, during the installer program, so by the time the user sees the fake codec installer screen, the malware has already attempted to change DNS settings on the victim's router.

I reached out to researchers at Sunbelt Software to check Sloss's data, and Sunbelt was able to confirm that the malware successfully changed the DNS settings on a Linksys router (model BEFSX41), pulled straight out of the factory box (with the default username and password). Another test showed that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware.

Sunbelt also found that if there are multiple machines using the same router, all of the systems connected to that router will have their traffic hijacked.

"This is definitely something we have not seen before," said Eric Sites, chief technology officer at Sunbelt. Sites said his team is testing the new Zlob variants against multiple routers to see how they fare against the malware. "It was only a matter of time before someone started using this attack."

Sloss said he captured traffic showing the Zlob variant trying to reconfigure different routers by requesting the local Web page for the various "setup wizards" that ship with the devices. Some of the requests he noticed are listed below, with my own research noted next to them:

"/index.asp" (still checking, but I believe this is used on DD-WRT and some Linksys routers);
"/dlink/hwiz.html" (D-Link routers);
"wizard.htm" (appears to be used by several different router manufacturers, including Linksys).
"/home.asp" (no idea)

Relatively few people ever change the default username and password on their wireless routers. I see this often, even among people who have locked down their wireless routers with encryption and all kinds of other security settings: When I confront them about why they haven't changed the default credentials used to administer the router settings, their rationale is that, 'Well, why should I change it? An attacker would need to already have a valid connection on my network in order to reach the router administration page, so what's the difference?'

Obviously, an attack like this illustrates the folly of that reasoning.

What's more, the various components dropped onto victim PCs by this malware are fairly ill-detected by most anti-virus tools out there today. A scan of these three files at Virustotal.com -- which checks submitted files against 31 different anti-virus engines -- indicates that only 11 of the anti-virus products currently detect any of them as malicious.

---

Wow...some very interesting stuff.

I'm constantly amazed as well, at how many people don't even bother to do something as simple as change the default user names and passwords on their Routers. (Apparently, that "admin" guy is very popular).
I can't tell you how many people I've run across who say: "Hey, you just plug it in, and it works!".

Some of them don't know that a Configuration page even exists, let alone that it requires an administrative password to change settings. ("What settings?")

This nonsense just gets better all the time.
--
I had a life once.....now I have a Computer and a Modem.

reply to bcastner
Interesting read.

Thank.

reply to jabarnut
I guess none of those folks that never have changed the default password have ever tried to do any number of things on a Linksy router. Something like enabling UPnP without then typing the password TWO times (no prompting, no mention that you must do this) results in the router arbitrarily changing the password and the user can't access the router's config page any longer. The only solution is a factory reset which is a hassle if you have flashed the firmware and use beta firmware which is hard to find again.

Considering all the security bugs, over the past almost 5 years, in regards to the password on the Linksy router I have I would have thought no one leaves the default password on the router anymore.

How could anyone not know a config page exists? How were they able to set up the router if they didn't go the config page?
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Huh? How can you buy a "preset" router? Granted mine will be 5 years old in November but I don't understand what you mean. You have to clone the MAC address for one thing. That can't be done at Amazon.

Cloning a MAC address isn't always necessary. I know for me with Comcast, that when the modem is powered on, it looks at the MAC address of the network device plugged into it, and if it's a router, it latches onto it just as it would if it was a computer's network card. (Where one enters trouble is if they change what the modem is plugged into - it won't work until the modem is power-cycled and the modem picks up the new MAC address.)

If I go to Best Buy, pick out a router/switch/WAP all-in-one device, come home and plug it in, it will work out of the box because the router will pull an address from the cable modem, will perform no logging in which is ok as that's not needed on a Comcast Internet connection, and the interal DHCP is set to hand out IP address to clients on the home network.

While this works with Comcast, other ISPs may have different needs, such as if a DSL connection requires logging in via PPPoE, for example, or if the ISP ties the login with a specific MAC address (such as the one used to complete the sign-up).

Hope I was helpful. It is 1:30am and I struggle with clarity when I'm sleepy.

Aaron

[Edit to get the signature with the all-important disclaimer included.]
--
Aaron Hulett | Senior Spyware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights.

reply to Mele20

reply to ahulett

said by ahulett:

Cloning a MAC address isn't always necessary. I know for me with Comcast, that when the modem is powered on, it looks at the MAC address of the network device plugged into it, and if it's a router, it latches onto it just as it would if it was a computer's network card. (Where one enters trouble is if they change what the modem is plugged into - it won't work until the modem is power-cycled and the modem picks up the new MAC address.)

If I go to Best Buy, pick out a router/switch/WAP all-in-one device, come home and plug it in, it will work out of the box because the router will pull an address from the cable modem, will perform no logging in which is ok as that's not needed on a Comcast Internet connection, and the interal DHCP is set to hand out IP address to clients on the home network.

While this works with Comcast, other ISPs may have different needs, such as if a DSL connection requires logging in via PPPoE, for example, or if the ISP ties the login with a specific MAC address (such as the one used to complete the sign-up).

Hope I was helpful. It is 1:30am and I struggle with clarity when I'm sleepy.

Aaron

[Edit to get the signature with the all-important disclaimer included.]

reply to Cudni

reply to Mele20

reply to Mele20

reply to Mele20

reply to CajunTek

See ahulett 's post. That describes it pretty well.

»Re: In the Wild: Zlob Changing Router Settings to Hijack DNS

As far as those "user-friendly Setup Wizard" CD's, I just throw them in the garbage or use them for target practice myself.
--
I had a life once.....now I have a Computer and a Modem.

reply to Mele20

reply to Mele20

reply to jabarnut

said by jabarnut:

See ahulett 's post. That describes it pretty well.

»Re: In the Wild: Zlob Changing Router Settings to Hijack DNS

As far as those "user-friendly Setup Wizard" CD's, I just throw them in the garbage or use them for target practice myself.

quote:

---

Relatively few people ever change the default username and password on their wireless routers

---