Thread: Home routers under attack...

    #14 - AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    DNS settings modified to malicious servers...

    FYI...

    When Networks Turn Hostile ...
    - http://blog.trendmicro.com/trendlabs...-turn-hostile/
    May 20, 2014 - "We’ve previously discussed how difficult it is to safely connect to networks when on the go... many holiday lodges and hotels today have made Wi-Fi access an integral part of their offered amenities... it is easy to take secure Internet access for granted... using the provided Internet access, the Facebook app on my smartphone refused to connect. Other apps and websites worked fine, however. Trying to access Youtube using the mobile browser resulted in this:
    Fake Youtube alert:
    > http://blog.trendmicro.com/trendlabs...05/router1.png
    Obviously, the above warning made no sense on an Android device. What would happen if I tried to access Facebook on a PC, then? The same issue occurred – and an off-guard user might not find it suspicious at all:
    Fake Facebook alerts:
    > http://blog.trendmicro.com/trendlabs...05/router2.png
    > http://blog.trendmicro.com/trendlabs.../router-2a.png
    If the user actually clicked the OK button on either of the two messages the following pages would appear:
    Fake Internet Explorer update:
    > http://blog.trendmicro.com/trendlabs...0comment04.jpg
    Fake Adobe Flash Player update:
    > http://blog.trendmicro.com/trendlabs...0comment05.jpg
    ... Clicking on any part of the site results in a malicious file, detected as TSPY_FAREIT.VAOV, being downloaded and run on the affected system. FAREIT malware is typically used to download other threats onto an affected system. So, how was this done? A little investigation found that the DNS settings had been -modified- so that DNS queries went to a malicious server, that redirected users... The router of the network was a TP-Link TD-W8951ND all-in-one modem/router, which combined a DSL modem and a wireless router in just one device. However, this router contains a fairly serious vulnerability: an external user can access the page where the router’s firmware can be upgraded or backed up. However, this firmware file can be easily decoded; once decoded it contains the root password in the very first line... The list of targeted sites was fairly extensive, with more than 600 domains being targeted. Some of the sites targeted (aside from Facebook and Yahoo) include Ask, Bing, Google, Linkedin, Pinterest, and SlideShare. All of these sites used the .com top-level domain...
    How do you prevent yourself from becoming a victim of this attack? One suggestion is to explicitly use public DNS servers, such as those of Google (8.8.8.8 and 8.8.4.4). This can usually be done in the operating system’s network settings, and is applicable to both mobile and non-mobile systems... [or OpenDNS 208.67.222.222 and 208.67.220.220]* ... Two settings can also help in reducing the risks from these attacks: first, port 80 should be forwarded to a non-existent IP address. In addition, the web management interface of the router should not be accessible from the WAN side of the network."
    * https://store.opendns.com/setup/
    ___

    Multiple Vulnerabilities in SNMP ...
    - http://atlas.arbor.net/briefs/
    High Severity
    May 23, 2014
    "... these devices are considered end-of-life, they will likely not receive firmware upgrades addressing these security issues. Metasploit exploit code for these vulnerabilities is available. Attackers often make use of available exploit code for known vulnerabilities to target vulnerable systems..."

    Disable SNMP wherever possible, ASAP.


    - https://www.grc.com/port_161.htm
    "... If our port analysis ever shows that a router (for example) or other network device exposed to the Internet has its SNMP interface open you will want to arrange to disable and close that port immediately..."

    Related Ports: https://www.grc.com/port_23.htm

    Last edited by AplusWebMaster; 2014-05-28 at 23:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
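The post describes the symptom of the attack (router DNS settings pointed at a rogue resolver, hundreds of unrelated domains steered to the attacker's pages) and the mitigations (pin the operating system to known public resolvers). The following is an added example, not code from the post or from Trend Micro, showing how a defender can check a home network for those symptoms from collected data: the resolver addresses the router handed out, and A-record answers for a handful of domains obtained once through the router and once through a trusted public resolver. The resolv.conf text, the LAN subnet and all IP answers below are constructed sample data (TEST-NET ranges), and the function names are this example's own.

```python
import ipaddress

# Public resolvers the post recommends (Google and OpenDNS).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}


def parse_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text (comments stripped)."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr, lan_networks):
    """Label a resolver: 'trusted' (on the allow list), 'lan' (the router itself,
    which forwards to whatever its possibly-hijacked settings say), or 'unknown'."""
    if addr in TRUSTED_RESOLVERS:
        return "trusted"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in lan_networks):
        return "lan"
    return "unknown"


def find_hijacked(local_answers, reference_answers):
    """Return {domain: (local_ips, reference_ips)} for every domain whose answers
    via the local resolver share no address with the trusted resolver's answers."""
    suspects = {}
    for domain, local_ips in local_answers.items():
        ref_ips = reference_answers.get(domain, set())
        if ref_ips and not (set(local_ips) & set(ref_ips)):
            suspects[domain] = (sorted(local_ips), sorted(ref_ips))
    return suspects


def shared_sinkhole(suspects):
    """Group suspect domains by the address they were steered to. Many unrelated
    domains landing on one IP is the signature of the redirect in the post; a
    single mismatch on its own may only be CDN geolocation, so it is not reported."""
    by_ip = {}
    for domain, (local_ips, _) in suspects.items():
        for ip in local_ips:
            by_ip.setdefault(ip, []).append(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) > 1}


# --- constructed sample data (TEST-NET ranges, not real answers) ---
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
SAMPLE_RESOLV_CONF = """\
# handed out by the router via DHCP (constructed)
nameserver 192.168.1.1
nameserver 203.0.113.53   # not a resolver we ever configured
"""
# Answers obtained through the router's resolver (constructed).
LOCAL_ANSWERS = {
    "facebook.com": {"203.0.113.77"},
    "google.com": {"203.0.113.77"},
    "example.org": {"198.51.100.5"},
}
# Answers for the same names from a trusted public resolver (constructed).
REFERENCE_ANSWERS = {
    "facebook.com": {"198.51.100.10", "198.51.100.11"},
    "google.com": {"198.51.100.20"},
    "example.org": {"198.51.100.5"},
}


def audit(resolv_text, local_answers, reference_answers, lan_networks=LAN_NETWORKS):
    """Run all checks and return a findings dict a script or test can inspect."""
    resolvers = parse_resolv_conf(resolv_text)
    findings = {
        "resolvers": {r: classify_resolver(r, lan_networks) for r in resolvers},
        "hijacked": find_hijacked(local_answers, reference_answers),
    }
    findings["sinkholes"] = shared_sinkhole(findings["hijacked"])
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_RESOLV_CONF, LOCAL_ANSWERS, REFERENCE_ANSWERS), indent=2))
```

On the sample data the audit flags 203.0.113.53 as an unknown resolver and reports facebook.com and google.com as both resolving to 203.0.113.77, which is exactly the many-domains-to-one-address pattern the post describes; example.org, which agrees with the reference answers, is left alone. The sinkhole grouping is the check to trust: a lone mismatch is often just a CDN returning a nearby edge, while a single address absorbing several unrelated brands is not.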
