The Invisible Infection, Revisited

Hacking, Linux, Threat

Virus Vector?

Around the start of the year, I wrote an article about invisibly infecting WiFi and other routers.

In that article, I reflected on some research that came out of Indiana University about router-to-router virus infections.

I mentioned that the simple router-to-router case was possible, but that we would sooner see a mixed-mode attack: code that infected a PC and then took over your WiFi or other router.

I pointed out that the flood of financial and personal data would be the payoff in this scenario, as most people would never know that their router had been compromised, until it was too late.

Today, The Register had an article from Dan Goodin in San Francisco showing that the threat I was talking about two weeks ago has come to pass. And, worse than even I expected, the threat can exploit routers where the local administrative password has been changed.

It seems that the Universal Plug and Play (UPnP) feature of “SOHO” routers can be manipulated to change internal router configuration. While it doesn’t appear to be able to re-flash the device with malicious software, it is able to override the following internal settings:

  • port forwarding: poke holes through your router’s firewall.
  • port forwarding of your administrative interface to the outside world.
  • port forwarding to any external server on the Internet (using your router as a zombie to attack other sites).
  • change DNS settings, so that all your website addresses are resolved by bad-guy.com DNS servers (this can make my-bank.com actually take you to bad-guy.com/my-bank for a really high-quality phishing experience!).
  • change DNS settings, so that when you update your software (operating system, browser, antivirus, etc.) you get a nifty package from bad-guy.com instead of Microsoft, Symantec, or McAfee.
  • change your administrative credentials on the router.
  • change IP address information for all interfaces.
  • change WiFi settings.
  • shut down your connection.
  • Most dangerous of all: by port forwarding the admin interface to the outside world and changing your admin credentials, someone else could manually re-flash your router with a totally malicious software load.

The fine folks at GNUcitizen provided much of the information that I’m mentioning here, and they even have some carefully crafted exploit code that shows how this works.

What’s going on is that a malicious Flash website can talk to your router’s UPnP interface and tell it all manner of evil while you play some happy fun Flash game (by the way, we’ll have our Flash games up and running REAL SOON Now *evil grin*), and unless you were the type to obsessively check your router configuration after each website you visit, you might never even notice the change.
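Added example, not code from the post or from GNUcitizen: a Python audit that parses the port-mapping table a router’s UPnP IGD service reports through GetGenericPortMappingEntry and flags the two cases from the list above, the router’s own admin interface forwarded to the WAN side and a forward aimed at a host outside the LAN. The three responses, the gateway address 192.168.1.1 and the LAN range are constructed; a real run would fetch each entry from the router over SOAP.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample responses to GetGenericPortMappingEntry (one per mapping index).
# Field names follow the UPnP IGD WANIPConnection:1 service; the values are made up.
SAMPLE_ENTRIES = [
    # A mapping a game or file-sharing client might legitimately create for a LAN PC.
    "<r><NewRemoteHost/><NewExternalPort>6881</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>6881</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>"
    "<NewEnabled>1</NewEnabled><NewPortMappingDescription>torrent</NewPortMappingDescription></r>",
    # The router's own web UI (port 80 on the gateway) forwarded to the Internet.
    "<r><NewRemoteHost/><NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.1</NewInternalClient>"
    "<NewEnabled>1</NewEnabled><NewPortMappingDescription>upnp</NewPortMappingDescription></r>",
    # A mapping whose target is not on the LAN at all: the router acts as a relay.
    "<r><NewRemoteHost/><NewExternalPort>25</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>25</NewInternalPort><NewInternalClient>203.0.113.9</NewInternalClient>"
    "<NewEnabled>1</NewEnabled><NewPortMappingDescription></NewPortMappingDescription></r>",
]

def parse_mapping(xml_text):
    """Return one mapping's fields as a dict, ignoring any XML namespace prefix."""
    root = ET.fromstring(xml_text)
    return {el.tag.split("}")[-1]: (el.text or "").strip() for el in root.iter()}

def audit_mappings(entries, gateway_ip, lan_cidr):
    """Return (mapping, reason) pairs for forwards that expose the router or leave the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    gateway = ipaddress.ip_address(gateway_ip)
    findings = []
    for xml_text in entries:
        m = parse_mapping(xml_text)
        target = ipaddress.ip_address(m["NewInternalClient"])
        label = f'{m["NewProtocol"]} {m["NewExternalPort"]} -> {target}:{m["NewInternalPort"]}'
        if target == gateway:
            findings.append((label, "router admin interface exposed to the Internet"))
        elif target not in lan:
            findings.append((label, "forward to a host outside the LAN (router used as a relay)"))
    return findings

if __name__ == "__main__":
    for label, reason in audit_mappings(SAMPLE_ENTRIES, "192.168.1.1", "192.168.1.0/24"):
        print(f"SUSPICIOUS {label}: {reason}")
```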

Some of the changes, even if you did obsessively check, might not be noticed…

How well do you know the addresses of the DNS servers your ISP provides?

For those of you using routers provided by your broadband Internet provider who don’t even have administrative access to your router…

…Do you trust your ISP to be on top of this issue, and to have a plan of action for resolving this problem?

I know that Comcast’s Home Networking package is a rebadged Linksys WiFi router that they administer remotely, and that they do not even give you the password to it.

On the one hand, it means that it’s their problem to fix this, but on the other hand, will they be liable for any losses when your banking information is used?

Stay tuned, and watch for updates as we learn more on this subject!

One Response

1. [...] January 2008, I wrote two articles (Jan. 3, 2008 & Jan. 15, 2008) about a computer virus infection vector that almost no one else had looked at. Except [...]
