Unexpected guests

Under external control

Thursday, August 11, 2016

You launch your browser, but instead of your usual home page you land on a site you don't recognise?

Your bank's website suddenly asks you to enter your login details again?

In situations like these, many users run an anti-virus scan. If nothing is found, some of them contact technical support. That is a normal reaction, but there are other places worth looking, and they are the subject of this issue.

Attackers are always searching for dark corners of a system where malware can escape an anti-virus's attention. On Windows, Linux or macOS, however, hardly any such corners remain. Malicious code could in principle be planted in a network adapter's or a battery's firmware, but that is very unlikely: infections of this kind exist mostly as research concepts.

In 2010, Dell warned some owners of PowerEdge R310, R410, R510 and T410 servers that malware could be present in the motherboard firmware. A message on Dell's customer support forum said that a small lot of PowerEdge R410 motherboards had shipped with malicious code embedded in the server management firmware.

Usually, the problem is a different one altogether.

If Trojan.Rbrute has done its job in a system, users can be redirected to other sites that have been specially crafted by intruders.

Typically, an attack is carried out as follows:

  1. Win32.Sector infects a system and downloads Trojan.Rbrute onto the machine.
  2. Trojan.Rbrute receives a command to search for Wi-Fi routers and the password dictionary from a command and control server.

    The malware can mount brute-force attacks on the following Wi-Fi routers: D-Link DSL-2520U, DSL-2600U, TP-Link TD-W8901G, TD-W8901G 3.0, TD-W8901GB, TD-W8951ND, TD-W8961ND, TD-8840T, TD-8840T 2.0, TD-8816, TD-8817 2.0, TD-8817, TD-W8151N, TD-W8101G, ZTE ZXV10 W300, ZXDSL 831CII, and some others.

    Trojan.Rbrute uses 'admin' or 'support' as a login.

  3. If successful, Trojan.Rbrute modifies the router's DNS server settings.
  4. When another, still uninfected machine connects to the Internet through the compromised router, its DNS queries are answered by the attackers' server, so the user ends up on a specially crafted web page instead of the site they asked for.
  5. From that page, Win32.Sector is downloaded onto the computer, which then gets infected, and the cycle starts over.

In addition to displaying whatever webpages the criminals want, the router—with its altered configuration files—can be used in more sophisticated attacks.
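The symptom of steps 3 and 4 is a resolver that is neither the LAN router nor a resolver the user chose. The following Python check is an added example (not code from the original article or from Doctor Web): it parses a resolv.conf-style configuration and flags any nameserver outside an allowlist. The allowlist and the two sample configurations are constructed for the example; the "attacker" addresses are RFC 5737 TEST-NET addresses, and the assumed trusted set is RFC 1918 space (the router) plus a few public resolvers.

```python
"""Spot a rogue DNS server in a host's resolver configuration.

Added example, not part of the original article. The trusted list and the
sample resolv.conf contents below are constructed for illustration; in
practice add your ISP's resolver ranges to TRUSTED_NETWORKS.
"""
import ipaddress

# Resolvers we expect on a home or small-office LAN: the router itself
# (any RFC 1918 address) plus a few well-known public resolvers.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # LAN, i.e. the router
        "8.8.8.8/32", "8.8.4.4/32",                        # Google Public DNS
        "1.1.1.1/32", "1.0.0.1/32",                        # Cloudflare
        "9.9.9.9/32", "149.112.112.112/32",                # Quad9
    )
]

# Constructed samples. The second is what a client sees after a router
# compromised as in steps 3-4 starts handing out the attackers' resolvers
# (TEST-NET addresses from RFC 5737 stand in for the attacker IPs).
CLEAN_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
"""
HIJACKED_RESOLV_CONF = """\
search home.lan
nameserver 203.0.113.5
nameserver 198.51.100.7   # "backup" pushed by the router
"""


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def classify_resolver(addr):
    """Label one resolver address: trusted, local-stub, suspicious or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        # A local stub (e.g. systemd-resolved on 127.0.0.53) forwards
        # elsewhere; its upstream has to be checked separately.
        return "local-stub"
    if any(ip in net for net in TRUSTED_NETWORKS):
        return "trusted"
    return "suspicious"


def audit(resolv_conf):
    """Map every configured resolver to its classification."""
    return {s: classify_resolver(s) for s in parse_nameservers(resolv_conf)}


def is_hijacked(resolv_conf):
    """True when any configured resolver falls outside the trusted set."""
    return any(label == "suspicious" for label in audit(resolv_conf).values())


if __name__ == "__main__":
    for name, conf in (("clean", CLEAN_RESOLV_CONF), ("hijacked", HIJACKED_RESOLV_CONF)):
        verdict = "HIJACK SUSPECTED" if is_hijacked(conf) else "ok"
        print(name, audit(conf), verdict)
```

One caveat a practitioner should keep in mind: a compromised router often keeps advertising its own LAN address as the resolver and only changes the upstream servers it forwards to, in which case this client-side check passes. For that case compare the WAN DNS entries on the router's status page with your ISP's, or resolve a known name through the router and through a trusted public resolver and compare the answers.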

Altering a device's routing table was a distinguishing feature of attacks involving Trojan.Dyre.

To gain unauthorised access to routers, criminals either mounted brute-force attacks (many users never change the factory settings, and some don't regard the router as a possible point of intrusion at all) or exploited vulnerabilities.

The Trojan added to the Dr.Web virus database as Linux.PNScan.1 was presumably first planted on target devices by an attacker who exploited a vulnerability such as Shellshock to run the relevant script. Later it was downloaded and installed onto routers by Linux.BackDoor.Tsunami Trojans, which were in turn spread with the aid of Linux.PNScan.1.

Network devices in corporate networks are targeted along with home routers.

Mandiant has published research into SYNful Knock, a backdoor that targeted Cisco routers.

The backdoor is delivered as a modified Cisco IOS image. Intruders use a secret backdoor password to gain remote access to the router through the console and Telnet, and the backdoor survives a reboot. To overwrite the OS image, the attackers used stolen account credentials and default administrator passwords (users often forget to change them). No software vulnerability is involved: the modified image is installed with valid credentials, so the exposure is credential hygiene rather than a patchable bug.

According to the research, the implant was found on Cisco 1841, 2811 and 3825 routers.

The attack described above resembles the scenario Cisco itself described in August 2015. At that time, the company warned its customers that attackers could replace the ROMMON (ROM Monitor) firmware with an altered copy. This method requires no exploits: the attackers gained access to the devices using valid logins and passwords, which suggests that people with legitimate access to the routers, whether their owners or administrators, took part in the attack.

Cisco routers aren't unique. Similar attacks can be mounted on devices from other manufacturers. For example, many researchers have written about the unauthorised code found in Juniper Networks' ScreenOS operating system in December 2015.

The Anti-virus Times recommends

  • Never use default passwords to access network devices. Once a device is set up, change the password immediately.
  • Update the firmware of your devices to close vulnerabilities.
  • Always download firmware from the manufacturer's official site, and compare the hash of the downloaded or installed image with the value the manufacturer publishes. On Cisco IOS, for example, the command verify /md5 flash:<image> <md5-from-vendor> does this comparison on the device itself.
  • Use an anti-virus on the machines you use to control network devices.

