
Thread: Home routers under attack - archive

  1. #11
    Adviser Team AplusWebMaster
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Linksys WRT54G firmware updates...

    FYI...

    Linksys WRT54G Security Bypass vuln - updates available
    - http://secunia.com/advisories/29344/
    Release Date: 2008-03-21
    Impact: Security Bypass
    Where: From local network
    Solution Status: Vendor Patch
    OS: Linksys WRT54G Wireless-G Broadband Router
    ...The vulnerability is reported in firmware version 1.00.9. Other versions may also be affected.
    Solution: Install updated firmware versions.
    WRT54G v5/v6: Install version 1.02.5.
    WRT54G v8: Install version 8.00.5.
    WRT54G v8.2: Install version 8.2.05 ...
    > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1247
    Last revised: 3/11/2008
    CVSS v2 Base score: 10.0 (High)
    "...allows -remote- attackers to perform arbitrary administrative actions.."

    Linksys WRT54G » Downloads
    - http://preview.tinyurl.com/2qykkj
    WRT54G v5/v6: Install version 1.02.5. (3/03/2008)
    WRT54G v8: Install version 8.00.5. (1/18/2008)
    WRT54G v8.2: Install version 8.2.05 (1/18/2008) ...

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #12
    AplusWebMaster

    D-Link router based worm?

    FYI...

    D-Link router based worm?
    - http://isc.sans.org/diary.html?storyid=4175
    Last Updated: 2008-03-21 16:44:10 UTC - "...I suspect someone is using snmp to reconfigure the router to its default password or to read its admin password and then accessing the D-Link via telnet to modify the router's configuration or firmware. The D-Link DWL-1000AP had an snmp based password confidentiality vulnerability reported back in 2001... I doubt this attack includes changing the firmware of the router itself to become a router based self propagating worm. While possible it is more difficult than compromising one of the home systems. Given control of a device like this in the network it would be relatively simple to redirect consumer's traffic to a site with client side exploits that would compromise any computer that was not fully patched..."


  3. #13
    AplusWebMaster


    FYI...

    - http://www.techworld.com/security/ne...11&pagtype=all
    08 April 2008 - "...The technical details of a DNS rebinding attack are complex, but essentially the attacker is taking advantage of the way the browser uses the DNS system to decide what parts of the network it can reach... On Tuesday, OpenDNS will offer users of its free service a way to prevent this type of attack, and the company will also set up a website* that will use Kaminsky's techniques to give users a way to change the passwords of vulnerable routers. The attack "underscores the need for people to be able to have more intelligence on the DNS," Ulevitch said. Although this particular attack takes advantage of the fact that routers often use default passwords that can be easily guessed by the hacker, there is no bug in the routers themselves..."
    * http://www.fixmylinksys.com/

    Last edited by AplusWebMaster; 2008-04-09 at 13:46.

  4. #14
    AplusWebMaster


    FYI... 4.10.2008

    - http://www.symantec.com/business/sec...onse/index.jsp
    (Symantec ThreatCon / Environment / Network Activity Spotlight)
    "The DeepSight Threat Analyst Team is monitoring TCP port 23 and UDP port 161. These ports have both been associated with recent reports of a new bot that is exploiting and installing itself on D-Link routers.
    The bot is designed to attack only D-Link routers over port 23 (Telnet) and contains functionality to scan for TCP port 23, launch IRC clone floods, and launch DDoS attacks. The author of this malicious software is charging 200 US dollars for the software, making it likely that this malware and variants of this malware will become widespread."

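    Added example (not Symantec's or this thread's code): a small Python script that parses iptables-style router firewall log lines and tallies WAN-side probes of TCP/23 (telnet) and UDP/161 (SNMP) per source address, the two ports the advisory above says were being monitored. The log format, the WAN interface name eth0, the threshold and every address in the sample are constructed assumptions, not values from the page.

```python
"""Spot WAN-side probes of TCP/23 (telnet) and UDP/161 (SNMP), the two ports
the Symantec note above was watching, in a router's firewall log.  Added
example, not Symantec's or the forum's code; the log lines are constructed in
the iptables LOG-target style ("IN=eth0 ... SRC=... PROTO=TCP ... DPT=23") that
Linux-based SOHO routers commonly send to syslog."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional

WATCHED = {("TCP", 23): "telnet", ("UDP", 161): "snmp"}

# Field order in real logs varies, so each key=value is searched on its own.
# IN= is legitimately empty on outbound packets, hence \S* there.
FIELDS = {
    "in": re.compile(r"\bIN=(\S*)"),
    "src": re.compile(r"\bSRC=(\S+)"),
    "proto": re.compile(r"\bPROTO=(\S+)"),
    "dpt": re.compile(r"\bDPT=(\d+)"),
}


def parse(line: str) -> Optional[Dict[str, str]]:
    """Extract the four fields we need, or None if any is missing."""
    out = {}
    for key, rx in FIELDS.items():
        m = rx.search(line)
        if m is None:
            return None
        out[key] = m.group(1)
    return out


def watched_attempts(lines: Iterable[str], wan_if: str = "eth0") -> Dict[str, Counter]:
    """Map service -> Counter(source IP -> packets) for packets that arrived on
    the WAN interface aimed at a watched port.  Both DROP and ACCEPT lines
    count: an accepted telnet connection from the Internet is the worse case."""
    hits: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        f = parse(line)
        if f is None or f["in"] != wan_if:
            continue
        service = WATCHED.get((f["proto"].upper(), int(f["dpt"])))
        if service:
            hits[service][f["src"]] += 1
    return hits


def scanners(hits: Dict[str, Counter], threshold: int = 3) -> List[str]:
    """Sources whose combined hits on watched ports reach the threshold."""
    total: Counter = Counter()
    for per_source in hits.values():
        total.update(per_source)
    return sorted(src for src, n in total.items() if n >= threshold)


# Constructed sample log (RFC 5737 documentation ranges stand in for the
# Internet side; nothing here is a real address).
SAMPLE_LOG = [
    "Apr 10 02:11:03 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=41234 DPT=23",
    "Apr 10 02:11:04 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=41235 DPT=23",
    "Apr 10 02:11:05 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=UDP SPT=41236 DPT=161",
    "Apr 10 02:11:06 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.20 PROTO=TCP SPT=5555 DPT=80",
    "Apr 10 02:11:07 router kernel: ACCEPT IN=br0 OUT= SRC=192.168.1.10 DST=192.168.1.1 PROTO=TCP SPT=50000 DPT=23",
    "Apr 10 02:11:08 router kernel: ACCEPT IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.5 PROTO=UDP SPT=50001 DPT=161",
]

if __name__ == "__main__":
    hits = watched_attempts(SAMPLE_LOG)
    for service, per_source in hits.items():
        print(service, dict(per_source))
    print("scanners:", scanners(hits))
```

    The LAN-side telnet line (IN=br0) and the outbound SNMP line (IN= empty) are deliberately ignored: the question the advisory raises is who is knocking on those ports from the Internet, and a router that accepts such a connection is the finding to act on first.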

  5. #15
    AplusWebMaster


    FYI...

    Home Wireless AP Hardening in 5 Steps
    - http://isc.sans.org/diary.html?storyid=4282
    Last Updated: 2008-04-11 19:58:32 UTC - "... There are dangers in all consumer network hardware that require the attention of everyone that installs these devices regardless of the vendor. Taking a device out of the box, plugging it in and letting it go can expose you to "worms" or other remote-based exploitation. This stems from a similar problem with software and operating systems, namely, these things do not ship in a secure-by-default configuration.
    Here are 5 easy steps to take when you get a network device / access point to harden yourself against "easy" exploitation (and this applies to ALL hardware):
    1) Change the default passwords...
    2) Disable remote administration...
    3) Update the firmware...
    4) Disable unused services...
    5) Change the default settings of the device..."

    (More detail at the Internet Storm Center URL above.)

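    Added example (not from the ISC diary or this thread): a Python audit that checks a router configuration against each of the five steps above and reports which ones fail. The RouterConfig fields, the factory-default table, the list of risky services and the sample configurations are constructed assumptions; only the WRT54G v5/v6 firmware numbers (1.00.9 vulnerable, 1.02.5 fixed) are taken from the Secunia post earlier in this thread.

```python
"""Audit a SOHO router configuration against the five ISC hardening steps:
default password, remote administration, firmware, unused services, default
settings.  Added example; the config values, factory-default table and
'latest firmware' string are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Services a home router rarely needs exposed; telnet and SNMP are the two
# the Symantec note in this thread says were being probed.
RISKY_SERVICES = {"telnet", "snmp", "upnp", "wan_http"}


@dataclass
class RouterConfig:
    admin_password: str
    remote_admin_enabled: bool
    firmware_version: str
    enabled_services: Set[str]
    ssid: str
    lan_subnet: str


def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.00.9' -> (1, 0, 9) so dotted versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def audit(cfg: RouterConfig, factory: Dict[str, str], latest_firmware: str) -> List[str]:
    """Return one finding per failed step; an empty list means all five pass.

    factory holds the vendor's out-of-box values (constructed here; a real
    run would take them from the vendor manual for the exact model).
    """
    findings = []
    # 1) Change the default password (an empty password counts as default).
    if not cfg.admin_password or cfg.admin_password == factory.get("admin_password"):
        findings.append("step 1: admin password is empty or the factory default")
    # 2) Disable remote administration.
    if cfg.remote_admin_enabled:
        findings.append("step 2: WAN-side remote administration is enabled")
    # 3) Update the firmware.
    if version_tuple(cfg.firmware_version) < version_tuple(latest_firmware):
        findings.append(f"step 3: firmware {cfg.firmware_version} is older than {latest_firmware}")
    # 4) Disable unused services.
    exposed = sorted(cfg.enabled_services & RISKY_SERVICES)
    if exposed:
        findings.append("step 4: risky services enabled: " + ", ".join(exposed))
    # 5) Change the default settings (SSID and LAN addressing are the ones
    #    recognisable from outside, which is what the later posts warn about).
    if cfg.ssid == factory.get("ssid"):
        findings.append("step 5: SSID is the factory default")
    if cfg.lan_subnet == factory.get("lan_subnet"):
        findings.append("step 5: LAN subnet is the factory default")
    return findings


# Constructed sample data.  Firmware numbers follow the WRT54G v5/v6 advisory
# in this thread (1.00.9 vulnerable, 1.02.5 fixed); the rest is illustrative.
FACTORY = {"admin_password": "admin", "ssid": "default-ssid", "lan_subnet": "192.168.1.0/24"}
LATEST = "1.02.5"
OUT_OF_BOX = RouterConfig("admin", True, "1.00.9", {"telnet", "upnp", "http"},
                          "default-ssid", "192.168.1.0/24")
HARDENED = RouterConfig("correct-horse-battery-staple", False, "1.02.5", {"http"},
                        "mynet-7f3a", "10.20.30.0/24")

if __name__ == "__main__":
    for name, cfg in (("out of box", OUT_OF_BOX), ("hardened", HARDENED)):
        print(name + ":", audit(cfg, FACTORY, LATEST) or ["all five steps pass"])
```

    The out-of-box sample fails all five steps (six findings, since step 5 is checked twice); the hardened sample returns an empty list. Step 3 compares versions numerically rather than as strings, so "1.02.5" correctly ranks above "1.00.9".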

  6. #16
    AplusWebMaster

    Zlob Trojan -aka- DNSChanger ...

    FYI...

    - http://blog.washingtonpost.com/secur..._wirele_1.html
    June 11, 2008 - "...recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list* of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first. DNS can be thought of as the Internet's phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking equipment to handle. While researchers have long warned that threats against hardware routers could one day be incorporated into malicious software, this appears to be the first time this behavior has been spotted in malware released into the wild. The type of functionality incorporated into this version of the Zlob Trojan is extremely concerning for a number of reasons. First, Zlob is among the most common type of Trojan downloaded onto Windows machines. According to Microsoft, the company's malicious software removal tool [MSRT] zapped some 14.3 million instances of Zlob-related malware from customer machines in the second half of 2007. The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think to look to the router settings, provided the customer's Internet connection is functioning fine... Specific, manufacturer-based video tutorials on how to secure your wireless router are available at this link**..."
    * http://blog.washingtonpost.com/securityfix/zlobpass.txt

    ** http://onguardonline.gov/tutorials/i...rials-wireless

    - http://www.trustedsource.org/blog/42...s-into-routers
    June 13, 2008 - "...behavior is entirely controlled by the attackers’ DNS servers. These could even redirect existing domain names to servers hosting crafted content (Phishing) or servers dynamically modifying real content. Once your DNS settings are under control, the bad possibilities are nearly unlimited. And, even clean machines are affected once a previous infection on just one client behind the shared router successfully cracked the router login..."

    Last edited by AplusWebMaster; 2008-06-18 at 14:22.

  7. #17
    AplusWebMaster

    ZLOB - 900 rogue DNS servers

    FYI...

    - http://blog.trendmicro.com/zlob-ente...engine-market/
    August 7, 2008 - "More than a year ago, Trend Micro threat researchers uncovered a network of over 900 rogue DNS (Domain Name System) servers related to the ZLOB Trojan family. We gave examples showing that these rogue DNS servers are part of click fraud and leakage of personal information. Just recently, however, we discovered that this network is now targeting four of the most popular search engines. In a large scale click fraud scheme, the ZLOB gang appears to hijack search results and to replace sponsored links with DNS “tricks”... These ZLOB Trojans we found silently change the local DNS settings of affected systems to use two out of the abovementioned 900+ rogue DNS servers. These Trojans spread by advanced social engineering tricks; an example would be professional-looking Web sites that promise Internet users access to pornographic movies after installing malware that poses as video codecs. The number of ZLOB-related infections is huge — for the last six months of 2007, Microsoft reported more than 14,000,000 infections. It now appears that the ZLOB gang has entered the multibillion-dollar search engine market. ZLOB’s rogue DNS servers resolve several domain names of the main engines to fraudulent IP addresses. Among others, this criminal operation has even set up rogue sites of the UK and Canadian versions of one of the largest search engines. Even searches performed via the installed browser toolbar (provided by the same company) are now being hijacked by ZLOB. Another popular search engine company has been hit even harder — most, if not all, domain names of the search engine that give back search results get resolved to fraudulent Web sites by the rogue DNS servers. The primary objective of ZLOB here appears to be stealing traffic and clicks from search engines, making money along the way. Affected users are immediately redirected to sites that are not at all related to their original search queries. All sponsored search hits of the two main search engines we analyzed were hijacked by ZLOB. Clicks on sponsored links then are not credited to big search engine companies, but to the ZLOB gang instead..."

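    Added example (not code from the Washington Post, TrustedSource or Trend Micro articles, nor from this thread) covering the two DNSChanger symptoms described in the previous two posts: a router or PC whose resolver settings have been pointed outside the networks you expect, and a resolver that answers for well-known names with addresses a trusted resolver never returns. The resolver list, trusted ranges and both answer tables are constructed, using RFC 5737 documentation ranges so no real server is named; in practice the inputs come from the router's WAN/DHCP page and from real lookups.

```python
"""Defender-side checks for the DNSChanger behaviour quoted above: a router
(or PC) that has been pointed at rogue resolvers, and a resolver that answers
for real search-engine names with fraudulent addresses.  Added example; the
resolver lists and both answer tables are constructed, using RFC 5737
documentation ranges so no real address is named."""
import ipaddress
from typing import Dict, Iterable, List, Set


def rogue_resolvers(configured: Iterable[str], trusted_nets: Iterable[str]) -> List[str]:
    """Return every configured resolver that is not inside a trusted network.

    trusted_nets lists CIDR blocks you expect resolvers to live in: the
    router's own LAN address, the ISP's resolver block, a public resolver.
    DNSChanger points the router (and the DHCP clients behind it) at servers
    outside all of those, which is what this flags.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_nets]
    return [ip for ip in configured
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


def answer_mismatches(suspect: Dict[str, Set[str]],
                      reference: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Compare A-record answers from the resolver under test with answers from
    a resolver you trust.  A name is flagged when the two answer sets share no
    address at all.  Big sites legitimately return different addresses from
    different resolvers, so a flag is a lead to verify (for instance by
    checking the site's TLS certificate), not proof of hijacking; names
    missing from the reference table are skipped rather than guessed."""
    flagged = {}
    for name, ref in reference.items():
        got = suspect.get(name, set())
        if not got & ref:
            flagged[name] = {"suspect": sorted(got), "reference": sorted(ref)}
    return flagged


# Constructed sample data (RFC 5737 ranges: 192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24).  Here 198.51.100.0/24 plays the ISP's resolver block and
# 203.0.113.0/24 plays the attacker's network.
CONFIGURED = ["192.168.1.1", "203.0.113.53", "198.51.100.2"]
TRUSTED = ["192.168.1.0/24", "198.51.100.0/24"]
SUSPECT_ANSWERS = {
    "search.example": {"203.0.113.80"},           # hijacked: attacker's proxy
    "mail.example": {"192.0.2.25"},                # untouched
    "news.example": {"192.0.2.40", "192.0.2.41"},  # untouched, multiple A records
}
REFERENCE_ANSWERS = {
    "search.example": {"192.0.2.10", "192.0.2.11"},
    "mail.example": {"192.0.2.25"},
    "news.example": {"192.0.2.41"},
}

if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(CONFIGURED, TRUSTED))
    print("suspicious answers:", answer_mismatches(SUSPECT_ANSWERS, REFERENCE_ANSWERS))
```

    The first check is the one the Washington Post piece says few technicians think to run: it looks at the router's settings, not the PC's, so it still fires after the infected client has been cleaned. The second check only needs the intersection of answer sets to be non-empty, which keeps round-robin and CDN differences from producing false alarms.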

  8. #18
    AplusWebMaster

    DNSChanger...

    FYI...

    - http://www.viruslist.com/en/analysis?pubid=204792017
    Sep 01 2008 - "... most widespread malicious programs... This table shows the malicious programs detected on users’ computers...
    1. Trojan.Win32.DNSChanger.ech ..."


    'Still around (i.e.):
    - http://www.grisoft.com/ww.download-update
    IAVI: / 1655 - Added detection of new variant of Win32/Virut, Worm/Brontok,
    new variants of trojans DNSChanger, Dropper.Bravix, Downloader.Tiny.
    September 5, 2008

    Last edited by AplusWebMaster; 2008-09-06 at 16:53. Reason: Added description of latest def. files...

  9. #19
    AplusWebMaster

    Wi-Fi networks unsecured...

    FYI...

    - http://preview.tinyurl.com/5cg8nh
    September 15, 2008 - "...Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-Fi networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords* is all it takes to freely connect to unsecured Wi-Fi networks. Especially since most Wi-Fi routers use default security settings that come pre-installed by the vendor rather than having been configured by the end user. SOHO routers log every connection and DHCP lease but these logs are flushed once the router is rebooted. If an attacker has access to the administrative console of the router (thanks to the default password), once their nefarious activities have been carried out, a simple restart of the router will erase all tracks. The extent to which an unsecured Wi-Fi connection can be abused is purely left to the imagination of the attacker..."
    * http://www.routerpasswords.com/


  10. #20
    AplusWebMaster

    Exposed wireless networks...

    FYI...

    - http://voices.washingtonpost.com/sec...ireless_a.html
    September 26, 2008 - "...Why is changing the default settings on a wireless access point a big deal? Because there are plenty of Web sites that list the default user names and passwords built into every brand of router out there... For instance, if I were looking for an exposed wireless network, I'd probably start by searching the local zip code for the default SSID assigned to many popular routers. After all, these would most likely be the networks powered by users who yanked their shiny new routers straight out of the box and plugged them right into the user's modem without modifying a thing..."
    * http://wigle.net/gps/gps/main/ssidstats

