"Shenan Stanley" <newshelper@gmail.com> wrote in message
news:OJfVl4fiIHA.1204@TK2MSFTNGP03.phx.gbl...
> Entire Conversation:
> http://groups.google.com/group/micr...00b3456fe7e/5c31fc709607cf76#5c31fc709607cf76
>
>
>
> Kerry Brown wrote:
>> It sounds like your router may have been compromised.
>>
>> Unplug one of your computers from the router. Do a clean install of
>> Windows on this computer making sure you delete all partitions then
>> recreate them during the install. Leave this computer unplugged
>> from the router. Don't worry about updating it just yet. On a
>> different computer download the latest firmware for your router.
>> Burn this file to a CD or copy it to a flash drive. Make sure there
>> are no other files on the CD or flash drive. Unplug all of the
>> computers from the router. Unplug the router from the Internet.
>> Reset the router to the factory defaults. Plug in the computer with
>> the fresh Windows install. Use it to flash the router with the
>> downloaded firmware. Reset the router again. Set a password for the
>> admin account. Plug the router back in to the Internet and update
>> this computer. Do not plug in any of the other computers until they
>> have been wiped clean and a fresh install of Windows done.
>> The key is to flash the router with a clean computer then set a
>> password on the router before reconnecting to the Internet.
>
> BoaterDave wrote:
>> I feel there is much merit in what you say. FYI I did raise this
>> topic here
>> http://aumha.net/viewtopic.php?t=26677&start=0&postdays=0&postorder=asc&highlight=
>> before I became persona non grata at AumHa.
>> Are you aware of any way to check whether or not a router has been
>> compromised - *before* one follows the procedure you have outlined?
>> I should be interested to learn more about this subject. Do you (or
>> anyone else reading here) have any pointers as to where to begin?
>>
>> I found this item which I found interesting - others may too:-
>> http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026
>>
>> A fairly recent news item here, too:
>> http://www.pcpro.co.uk/news/173883/chinese-backdoors-hidden-in-router-firmware.html
>
> While I know of no way to find out if a router has been compromised - if
> there is even one ounce of suspicion that it could have been compromised -
> it would be better to reset the router to defaults, set a new password
> (strong one) on it, leave remote management turned off, make sure wireless
> (if a feature of said router) is using WPA or WPA2 at least for security,
> etc.
>
> What makes that even better is doing that 'offline' - the router does not
> need an Internet connection for any of that.
>
> In this particular case (that where the original poster seems to have been
> targeted in some way - or overlooking some part of re-securing their
> entire system (not just the computer)) - the advice is spot-on in my
> opinion. Start from the first piece of equipment you can control and work
> your way through to the last - keeping them all 'offline' until you have
> changed the setup on all of them and secured them to the best of your
> ability.
>
There are currently two exploits for routers I know of. They both change the
DNS servers the router uses to compromised DNS servers. This means whatever
URL you type in isn't necessarily where you end up. They can use the
compromised DNS servers to send you wherever they want. You type in
www.google.com and end up at some malware site that tries every trick in the
book to get more malware on your computer or more likely a site that is full
of advertising where you are enticed to click on ad links while trying to
get to where you wanted to go in the first place. It's a vicious circle.
Every legitimate site you try to go to you're redirected to a non-legitimate
site. They can even let you get to legitimate online AV sites to scan the
computer. Because the router is compromised, not the computer, all the AV
scans come up negative. The original trojan that compromised the router has
long since erased itself.

One exploit is a trojan that probes common IP addresses for a router. If it
finds one it takes advantage of the fact that most people never set a
password on the router and reprograms the DNS settings. The trojan tries a
few common passwords as well as no password. Setting a strong password on
the router admin account stops this exploit.

The other exploit uses a flaw in some older versions of Flash to change the
router's DNS settings via UPnP. All they have to do is trick you into
watching an infected Flash video. You go to what looks like a normal website
with some streaming video. While watching the video your router is
reprogrammed. Keeping Flash up to date and/or turning off UPnP on the router
stops this exploit.

Doing a hard reset of the router is probably enough to fix a changed DNS
setting. I have seen a couple of cases on networks that had highly
compromised computers where someone or something had tried to flash the
router unsuccessfully and the router was toast. This tells me there may be
an exploit that tries to flash a router. That's why I recommended flashing
the router.
--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
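As an added example (not from anyone in this thread), the simplest form of the check BoaterDave asks for: since both exploits described above work by changing the DNS servers the router hands out, parse the resolver addresses `ipconfig /all` reports and flag any that are neither the router itself nor a resolver you trust. The `ipconfig` output and the 203.0.113.x addresses below are constructed sample data; the trusted list is whatever your ISP or you configured.

```python
import re

# Constructed sample of `ipconfig /all` output. 203.0.113.x is documentation
# address space standing in for resolvers a hijacked router might hand out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6
"""

FIELD = re.compile(r"^\s*(Default Gateway|DNS Servers)[ .]*: (\S+)")
CONTINUATION = re.compile(r"^\s{20,}(\S+)\s*$")  # extra values of the field above


def parse_ipconfig(text):
    """Return (default gateway, [DNS servers]) parsed from ipconfig output."""
    gateway, dns, current = None, [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current = m.group(1)
            if current == "Default Gateway":
                gateway = m.group(2)
            else:
                dns.append(m.group(2))
            continue
        c = CONTINUATION.match(line)
        if c and current == "DNS Servers":
            dns.append(c.group(1))
        else:
            current = None  # any other line ends the multi-value field
    return gateway, dns


def check_dns(gateway, dns_servers, trusted):
    """Flag resolvers that are neither the router itself nor on your trusted list."""
    trusted = set(trusted)
    return [s for s in dns_servers if s != gateway and s not in trusted]


if __name__ == "__main__":
    gw, servers = parse_ipconfig(SAMPLE_IPCONFIG)
    for s in check_dns(gw, servers, trusted=[]):
        print(f"unexpected DNS server {s}: verify it on the router admin page")
```

On a real machine, pipe `ipconfig /all` into `parse_ipconfig` instead of the sample; a clean result only means the DNS setting is as expected, not that the router firmware is, which is why the reset-and-reflash advice above still applies.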