mikenolan7
Premium
join:2005-06-07
Torrance, CA
 ·Sprint Mobile Broa..
1 edit | reply to Mele20
Re: In the Wild: Zlob Changing Router Settings to Hijack DNS
I don't consider the necessity to use MAC address cloning to be a feature that makes an ISP superior. It is essentially breaking the way things were designed to work, with no two pieces of hardware having the same MAC address. I like to tinker with different security solutions, and frequently have different NAT routers, or home built firewalls on different OS's as the first thing the ISP sees. I don't want to be cloning MAC addresses all over the place, that would eventually lead to communication problems within my LAN.
I don't have RR any more, but when I did, MAC address cloning was not required. It took a few minutes for a new MAC address to be recognized and accepted, but eventually it was given a DHCP address.
News about exploits designed to attack NAT routers automatically from within your LAN is becoming more and more frequent. A good defense is a rule on your software firewalls that prevents outgoing traffic from the machines within your LAN to your router. Disable the rule temporarily to administer your router.
For home users, that are able to shut down internet access for a few minutes, it is a good idea to disconnect your WAN port when making modifications to your router configuration. Most NAT routers are more susceptible to shenanigans when rebooting. I would even recommend disconnecting LAN ports other than the one you are administering the router from when you make configuration changes.
Router exploits are very high risk. Without monitoring on your WAN port, which is very difficult to maintain due to the large number of log entries you get, how would you know if your router was compromised?
Edit: spelling |
|
Cthen
join:2004-08-01
Ypsilanti, MI
 ·Comcast
| reply to Mele20
said by Mele20  :Yes. I read Aaron's post. But it doesn't apply to this Linksy router. I quoted from the Linksy page for this router. You have to set it up ...even the current version. I just answered two posts recently (not here) from users who had just bought this router and had questions about setting it up. Obviously, SOME ROUTERS AND SOME ISPS allow you to do nothing but plug in the router. Obviously, my ISP and router are superior because they require you to not be a dumb idiot who does stupid things regarding routers. But teaching your children or anyone else to not configure the router really surprises me since this is a security forum. ALL USERS need to be educated properly about security including how to use a router securely. If this is done then there will be no problems regarding default passwords. Geez. All your arguing through this amounts to squat at what the article is referring to. Sure you may or may not have to configure a router to get a connection but that point means nothing. Either way this type of exploit needs a connection to be up and running for anything to happen or to even get the malware on your machine in the first place.
So here is how it all plays out. Joe Blow buys a router (and this can even be your beloved Linksys model), he did what he needed to do in configuring it so he could get a connection. That's all he did because hey, it works now! So Joe Blow visits a site to see a video but it tells him he needs to download a codec to play the video. Well ofcourse he wants to see the video so he downloads and installs this codec and gets to see his video. Due to Joe Blow's ignorance his router is about to get pwned in the next few minutes. Why? Joe Blow never changed his default user name and password to his router! Sure he cloned the MAC addy as needed and had to do maybe a few other thing to get the connection going, but that was it.
Sadly, that's the reality here. You can buy any router you want from any store be it online or brick and mortar. Configure said router any which way you please. However if the default username and password isn't changed, it will get pwned by this if it's on one of your machines.
Now do you get it?  |
|
dadarkside
Premium
join:2006-05-20
The Moon
| reply to bcastner
Can we here more about the Codec?
And this is for the MS Spyware guru too...
How about a rehash of the steps needed to prevent Media Player from auto downloading new or missing codecs...
My wife does video, she edits, creates and animates. And she's not always security conscious. This is an infection vector that really troubles me, for these very reasons. |
|
EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
 ·Callcentric
·RoadRunner Cable
·AT&T CallVantage
| reply to bcastner
Yesterday's "useless POC" becomes ...
Well, seems like the DSLR folk were ahead of the curve on this one too - there were several topics related to this type of exploit. Among them;
»Raising Awareness: Another CSRF Attack (Linksys)
»Router hacking challenge at Hacker Webzine
»Harden your router/AP in five steps
Yesterdays FUD and impractical concept becomes today's successful exploit 
--
If dogs travel in space at the speed of light, do they reach their destination in dog-light years? |
|
bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs: 
 ·Verizon Online DSL
| This is a completely different attack vector than the ones using Flash and javascript discussed earlier.
In this case you have Zlob using the address space of several components of the Winlogon process, and the edits to the router itself are done through straight Winsock calls.
But yes, this Forum has been right there on this issue of the router itself as an attack surface from early on. |
|
EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
1 edit | said by bcastner :This is a completely different attack vector than the ones using Flash and javascript discussed earlier. ... But yes, this Forum has been right there on this issue of the router itself as an attack surface from early on. I agree the method used (scripting versus malware) is different, but still uses the concept of exploiting a router's default settings from the LAN side. The big argument presented in the earlier discussions was that it was impractical to consider LAN side attempts unless one was hacking one's own network.
However that is now discredited, at least in part, by a working "in the wild" exploit that has taken advantage of the opportunity and complacence of the user community.
And yes, you and others here are right at the forefront - that's what I like about this bunch 
--
If dogs travel in space at the speed of light, do they reach their destination in dog-light years? |
|
DownTheShore
Maddie Knows Poopie
Premium
join:2003-12-02
Beautiful NJ
clubs:
| reply to bcastner
Re: In the Wild: Zlob Changing Router Settings to Hijack DNS
What you folks have to remember about routers is that you all tend to say "I have a router so I don't worry about that" or "Get a router and you won't have to worry about that" in your posts. So to those of us who only have a modium of technical awareness, we think we are taking a big step forward by getting the router and hooking it up. I know that I had no fuss when hooking up my router to the OOL system. But I knew from being here for years that one of the things I should do is change the name and password, which I did immediately. But that's not something the average person would even think about.
There's a lot of knowledge about things that is "understood" here by people which is never articulated because the assumption is that everyone knows what the next steps should be, or what the consequences are, or how the thing actually works - but that always isn't true. A lot of us have just a finite bit of understanding, and sometimes we just don't know the follow-up questions that should be asked. For example, I'm learning now in another thread some basic answers about imaging a hard driver, things that I was never quite clear about - like whether or not the image is the actual size or a compressed size.
--
Life is simply one damned thing after another. |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
·AT&T Midwest
| There's a lot of knowledge about things that is "understood" here by people which is never articulated because the assumption is that everyone knows what the next steps should be, or what the consequences are, or how the thing actually works - but that always isn't true. Perhaps. However, the importance of changing the router administrative password has been often repeated here.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.14 |
|
Raz
@tele.dk
 from:
Grail Knight
| reply to Mele20
said by Mele20 :Obviously, my ISP and router are superior because they require you to... ...clone your MAC address?  |
|
nukscull
@rr.com
| reply to Mele20
said by Mele20 :Road Runner requires the MAC address be entered. No they don't. You just have to power cycle the modem to get it to recognize a new MAC address. I do this all the time with if I have to connect something other than my router direct to the modem. It will not work if you just plug something in, you need to power cycle it and it will register the new MAC now plugged in and give you a new IP. |
|
Aaed Alqarta
from:
EGeezer
| reply to bcastner
I've compiled a countermeasures list to stop and prevent DNSChanger. Check here:
»extremesecurity.blogspot.com/200···ked.html |
|
altermatt
Premium
join:2004-01-22
White Plains, NY
·Verizon Online DSL
| reply to bcastner
It's also interesting to see that 11 of 32 anti-malware products detected this. Here are the results at Virus Total of the three separate scans of the three nasties submitted there that are related to this; the analysis is broken down by product; for each that does detect something, the name of what they think it is, is shown:
»www.virustotal.com/analisis/d5c3···acc41d3a
»www.virustotal.com/analisis/a5a4···69df1363
»www.virustotal.com/analisis/6af3···fc2c930e
--
The truth of a thing is the feel of it, not the think of it. -- Stanley Kubrick |
|
Cheese
Premium
join:2003-10-26
Naples, FL
clubs:
| reply to Mele20
said by Mele20 :Huh? How can you buy a "preset" router? Granted mine will be 5 years old in November but I don't understand what you mean. You have to clone the MAC address for one thing. That can't be done at Amazon. You go to the store and buy it. |
|
Cheese
Premium
join:2003-10-26
Naples, FL
clubs:
1 edit | reply to Mele20
said by Mele20 :said by ahulett :Cloning a MAC address isn't always necessary. I know for me with Comcast, that when the modem is powered on, it looks at the MAC address of the network device plugged into it, and if it's a router, it latches onto it just as it would if it was a computer's network card. (Where one enters trouble is if they change what the modem is plugged into - it won't work until the modem is power-cycled and the modem picks up the new MAC address.) If I go to Best Buy, pick out a router/switch/WAP all-in-one device, come home and plug it in, it will work out of the box because the router will pull an address from the cable modem, will perform no logging in which is ok as that's not needed on a Comcast Internet connection, and the interal DHCP is set to hand out IP address to clients on the home network. While this works with Comcast, other ISPs may have different needs, such as if a DSL connection requires logging in via PPPoE, for example, or if the ISP ties the login with a specific MAC address (such as the one used to complete the sign-up). Hope I was helpful. It is 1:30am and I struggle with clarity when I'm sleepy. Aaron [Edit to get the signature with the all-important disclaimer included.] Road Runner requires the MAC address be entered. Plus, I had to configure both computers (one is a 98SE box) and then configure the router. Not hard to do but it certainly wasn't automatic out the box, plug it in, and whamo everything works. Besides being required to enter the router interface to configure it, I had to get into the interface to be able to change the DHCP lease time. The router I have is Version 3 and Linksy has a Version 4 that people are still buying and you have to configure the computers and then the router still. I never had to put a MAC address in for RR, they ran the line, hooked up the router and it connected, no configuring needed.
Mele, no offense, but I see you spread alot of FUD around here, maybe you shouldn't talk if you don't know what you are talking about |
|
ahulett
Life Without Walls
Premium
join:2003-02-02
Bellevue, WA
2 edits | It could be her specific market requires MAC registration whereas other markets do not (or maybe it's changed since initial sign-up - these things do change). Such as sometimes when a modem is registered in one Comcast service area and the customer moves to another, one may need to call to have the modem removed from that market's database so it can be registered in the new market. In my case, I didn't hit that when moving to from Michigan to Redmond, but I've seen others experience this when using their own modems.
The key here is to a) get router usernames/passwords off defaults, and b) help protect customers from such malicious code that leverages default usernames/passwords. While I have a much better shot at B than I do A, maybe an idea that router manufacturers can take away (Are any of you lurking?), if they're not already doing this today, is to jail WAN access until the default username/password is changed. This way, users are automatically sent to a configuration page and are walked through making the necessary changes to help secure their router.
[Edit - add my signature (with disclaimer) that seems to not add itself automatically when quick-replying]
--
Aaron Hulett | Senior Spyware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights. |
|
EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
1 edit | reply to nukscull
Re: swapping devices
said by nukscull :
You just have to power cycle the modem to get it to recognize a new MAC address. I do this all the time with if I have to connect something other than my router direct to the modem. It will not work if you just plug something in, you need to power cycle it and it will register the new MAC now plugged in and give you a new IP.
I have had TWRR for several years. That's how mine works too. I occasionally swap devices (PCs, routers, network printers etc) for configuration and testing purposes. My steps are as follows;
1) Power off downstream device
2) Power off modem
3) Swap device
4) Power up modem
5) Power up device
Works every time.
Now if I were to move my modem to another location - or get another modem, that's a different situation. I have to have TWRR register that modem at that location.
--
If dogs travel in space at the speed of light, do they reach their destination in dog-light years? |
|
Annorax
join:2001-03-27
Apex, NC
| reply to Mele20
Re: In the Wild: Zlob Changing Router Settings to Hijack DNS
Road Runner requires the MAC address be entered.
Not So!
Road Runner will take a new MAC address if you leave the cable modem powered-off for 90 seconds or so before powering it back up again with new router (powered off) attached.
Once the modem has sync'ed up, power-on the router and it should work just fine with its default MAC address |
|
daveinpoway
Premium
join:2006-07-03
Poway, CA
| It seems to me that a lot of this could be avoided if the router manufacturers would make it mandatory that you go into the setup and set a new password before the unit will function; I believe this could be done by only adding a minimal amount of extra code to the router's internal firmware. To do it right, the setup screen should give the user some tips on creating a secure password.
Unfortunately, concerns about things like extra tech-support time being required to walk clueless users through this step means that something like this probably will not become common any time soon. |
|
cork1958
Cork
join:2000-02-26
Fruitport, MI
·Verizon Online DSL
·Charter Pipeline
| reply to Raz
said by Raz :said by Mele20 :...And most routers somehow know to clone the MAC address? Maybe you need to clone the MAC address. Not everybody needs to do that. I certainly do not. I have NEVER yet come across a router that didn't just work out of the box, as long as you boot things in the correct order especially (modem, router, then computer).
--
The Firefox alternative.
»www.mozilla.org/projects/seamonkey/ |
|
Annorax
join:2001-03-27
Apex, NC
| reply to daveinpoway
said by daveinpoway :It seems to me that a lot of this could be avoided if the router manufacturers would make it mandatory that you go into the setup and set a new password before the unit will function Unfortunately, the vast majority of potential users are stoopid. The only way to make money from this group of the "great unwashed" is to make your product super easy to use.
They get away with this by packing in a lot of warning messages in the documentation (that goes unread by the stoopid people) and when the stoopid people complain the manufacturer is covered. "Didn't you read the manual?"
Reminds me of a Dilbert cartoon I love. "... now stand on your chair and yell "does anyone know how to read a manual?" |
|
