New trojan threat able to ‘control’ network routers

News 19 Jun, 2008

Attackers have new ways to get past tougher network security, and are now taking over the device which controls your network.

A new trojan threat has been revealed which attacks the network routers of users who are connecting to the internet.

Secure Computing researchers told IT PRO that it was a new variant of the DNSChanger trojan, and worked by changing the router settings to redirect internet traffic in whatever way the attacker desired.

They would usually point the router’s DNS setting to a host address of their own, and from there any DNS query from the network passing through the compromised router would be under the attacker’s control.

This meant that even if the affected user cleaned the PC that had caught the malware, the router would still be modified, so every computer connected through that router would also be compromised by the attack.

“Imagine a small company where all the computers were connected by one router,” said Christophe Alme, lead principal researcher at Secure Computing’s Anti-Malware Lab in Germany. “All these users will be affected, even if only one of their computers actually caught the malware.”

Secure said that it was the first time it had seen a major malware family in the wild attacking a router. The DNSChanger trojan worked by going through a list of web interface URLs of popular routers from brands such as D-Link and Linksys and checking whether each URL was accessible.

The trojan then attempts to log into the router’s web interface using the default user names and passwords that the routers ship with. Secure said the trojan was capable of trying one combination approximately every 100 milliseconds, or 600 combinations per minute.
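Two things in the description above are observable from the defender’s side: the repointed DNS setting shows up in the resolvers every client on the LAN receives, and a login attempt every 100 ms produces a burst of failures in the router’s admin log. The script below is an added example, not code from the article or from Secure Computing; the log line format, the expected-resolver allowlist and the sample log are all constructed for illustration.

```python
"""Defender-side checks for the two symptoms of a router DNS hijack described
in the article: resolvers the LAN should not be using, and bursts of failed
admin logins at the rate of a credential-guessing trojan.

Added example; the log format, allowlist and sample data are constructed."""
from collections import deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed allowlist: the resolver addresses this site expects its router
# (or its DHCP server) to hand out to clients.
EXPECTED_DNS = {"192.168.1.1", "10.0.0.53"}


def check_dns_servers(observed, expected=EXPECTED_DNS):
    """Return the set of observed resolver addresses that are not expected.

    `observed` is what a client sees (e.g. the DNS servers in its DHCP lease).
    A non-empty result is the signature of a repointed router: every client
    behind it gets the attacker's resolver even after the original PC is clean.
    """
    unexpected = set()
    for addr in observed:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            unexpected.add(addr)  # not even a valid address: flag it as-is
            continue
        if str(ip) not in expected:
            unexpected.add(str(ip))
    return unexpected


# Constructed admin-log line format:
#   <ISO timestamp> admin-login user=<name> src=<client ip> result=OK|FAIL
LOG_RE = re.compile(r"^(\S+) admin-login user=(\S+) src=(\S+) result=(\S+)$")


def parse_log_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
    return {"ts": ts, "user": m.group(2), "src": m.group(3), "result": m.group(4)}


def detect_login_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Return {source_ip: peak_failures_in_window} for sources that exceed the
    threshold. A human mistypes a password a few times a minute; a trojan
    cycling default credentials every 100 ms produces hundreds."""
    events = [e for e in map(parse_log_line, lines) if e and e["result"] == "FAIL"]
    events.sort(key=lambda e: e["ts"])
    per_src = {}
    for e in events:
        per_src.setdefault(e["src"], []).append(e["ts"])
    flagged = {}
    for src, times in per_src.items():
        recent = deque()  # sliding window of failure timestamps
        peak = 0
        for t in times:
            recent.append(t)
            while recent and t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed sample log: one normal login, one honest typo, and a burst of
# 30 failures from a single LAN host spaced 100 ms apart (the rate quoted above).
SAMPLE_LOG = (
    ["2008-06-19T09:00:00.000 admin-login user=admin src=192.168.1.10 result=OK"]
    + [
        f"2008-06-19T09:05:{i // 10:02d}.{(i % 10) * 100:03d} "
        f"admin-login user=admin src=192.168.1.23 result=FAIL"
        for i in range(30)
    ]
    + ["2008-06-19T09:30:00.000 admin-login user=admin src=192.168.1.10 result=FAIL"]
)


if __name__ == "__main__":
    # Resolver check on a constructed lease: one expected, one off-site address.
    print("unexpected resolvers:", check_dns_servers(["192.168.1.1", "203.0.113.7"]))
    # Burst check over the constructed log: only the fast guesser is flagged.
    print("login bursts:", detect_login_bursts(SAMPLE_LOG))
```

The burst detector keys on source address rather than user name because the trojan described here always tries the router’s own default account; the host it runs from is the useful lead for cleanup.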

“What’s important for users is to change their default user password to not get infected at all,” said Alme. “But it is also important to install up-to-date virus software.”

The more secure Microsoft products were getting (Office, Windows, etc.), the more attackers were switching to alternative software and platforms. DNSChanger was believed to be affiliated with the Zlob malware family, which Secure said was the first major malware family to be ported to the Mac OS X platform.

Alme said: “The Zlob malware family set up fake websites that looked like popular video portals showing screenshots of adult video. When you clicked on the picture it showed you another fake site which looks like Windows Media Player and looks like it’s about to start.

“It would give you an error message requiring a video codec to play back the video. Then you would get the executable which would carry the malware.”

Alme said that he believed this threat was aimed more at home users and small companies, as at larger corporations routers were not accessible from end users’ desktops: firewalls made sure that users could not reach the web interface of the router.

“Small businesses should definitely check whether their routers are accessible from desktop computers and make sure they aren’t using default passwords,” he said.