A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2672  by LeastPrivilege
 Tue Sep 07, 2010 3:11 pm
Thank you for sharing PX5. I'm curious, what kind of configuration do you have on your router, I've got two Wireless N's here, I'm going to try and see if my Linksys and my Netgear will hold up against this.
 #2678  by PX5
 Wed Sep 08, 2010 12:20 am
I should have explained the networks I speak of are used for infecting only, so I did all my quality electronic and computer shopping at the local Wal-Mart and never updated the firmware and oh my, I forgot to use a unique login and password. ;)

All the same, this has never occurred until just recently, as in the last 4 to 5 days, so far, over on a more secure network with a different ISP, using 2 VMs and/or 2 VBoxes, I've not experienced anything funny unless I'm using wireless but restoring defaults the cheesy way fixes everything.

I still suspect some tendency for a more unique attack method of the router though, since I had to actually replace the firmware on the infected network with a saved backup, restoring defaults just didn't do the trick for whatever reason.

This bugger is getting rather mean now and quite enjoyable to watch on dual-boot machines, x86(XP) crossed with x64(Win7).

Thank goodness for Acronis True Image. :lol:

Sorry folks, never did save the original hijacked firmware. :(
 #2684  by SimonZerafa
 Wed Sep 08, 2010 8:57 am
Hi PX5,

Have you been able to determine if your malware is actually a TDL3+ variant or is it perhaps downloading something else (perhaps a Zlob install) which is messing up your network hardware?

If it really is a TDL3+ variant which is directly messing up your router(s) at the firmware level then this is something I have never seen before (when cleaning infected PCs) and would be worrying to say the least :(

Kind Regards

Simon
 #2686  by tolbert
 Wed Sep 08, 2010 10:28 am
DragonMaster Jay's observation is correct. In the last few days I had several cases with TDL3 and messed up routers. The common thing was that there were no other infections dropped on the systems and the router's DNS settings were changed to some Russian DNS servers from this range (213.109.X.X). I was not able to confirm whether the router's settings were changed by the rootkit though...
 #2687  by SecConnex
 Wed Sep 08, 2010 10:31 am
AFAIK, it infected the firmware with code to keep the static DNS servers the same. So, even if they get changed, the malware will change them back.

This hack started back in early July...it just recently got worse.
 #2688  by SimonZerafa
 Wed Sep 08, 2010 10:50 am
Hi,

So just to be clear; the router's firmware is being modified so that the DNS servers are hard coded to those "Russian" ones (or some other malicious DNS servers)?

You physically have to re-flash the firmware so that the malicious code is removed from the router?! :(

Is it not the case that you can just change the DNS settings via the router's UI back to the ISP supplied ones (or whatever free ones you wish to use) from a clean PC?

Kind Regards

Simon
 #2689  by SecConnex
 Wed Sep 08, 2010 10:57 am
Clean PC or not clean... does not matter... the computers connected to the infected router will still have internet redirects.

Since they are in the router, every single computer will be affected... not infected... just affected.
 #2690  by IndiGenus
 Wed Sep 08, 2010 1:04 pm
SimonZerafa wrote: You physically have to re-flash the firmware so that the malicious code is removed from the router?! :(
No, you don't have to actually flash the firmware. Just reset the router as DM Jay had stated in his blog post.
 #2691  by rossetoecioccolato
 Wed Sep 08, 2010 2:40 pm
The hard reset may wipe out the static DNS servers. But the firmware still could be rooted. We won't know unless someone takes the time to save it (before and after).

Which came first? Did the hosts get rooted and then were used to reconfigure/flash the routers or were the routers rooted and then used to take down the hosts? If the hosts were rooted first it would not be unusual to use them to own the router.
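As an added example (not code from any poster in this thread), a check a defender could run from a host behind a suspect router: it parses `ipconfig /all` output and flags configured DNS servers that fall in the 213.109.0.0/16 range tolbert mentions, or that are not on an expected list. The sample output and the two DNS addresses in it are constructed.

```python
import ipaddress
import re

# Range named in tolbert's post as hosting the rogue DNS servers.
SUSPICIOUS_RANGES = [ipaddress.ip_network("213.109.0.0/16")]

# Constructed sample of Windows `ipconfig /all` output from a host behind
# the router; the two DNS addresses are made-up values inside that range.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.1.2
                                       213.109.1.3
"""


def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses listed in `ipconfig /all` output."""
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        # Extra DNS servers appear on continuation lines holding only an address.
        cont = re.match(r"\s{8,}(\d+\.\d+\.\d+\.\d+)\s*$", line)
        if collecting and cont:
            servers.append(cont.group(1))
        else:
            collecting = False
    return servers


def flag_dns_servers(servers, expected):
    """Classify each server: 'ok' if on the expected list, 'suspicious' if
    inside a known-bad range, otherwise 'unexpected' (worth a closer look)."""
    expected_set = {ipaddress.ip_address(s) for s in expected}
    result = {}
    for s in servers:
        addr = ipaddress.ip_address(s)
        if addr in expected_set:
            result[s] = "ok"
        elif any(addr in net for net in SUSPICIOUS_RANGES):
            result[s] = "suspicious"
        else:
            result[s] = "unexpected"
    return result
```

The expected list would normally hold the router's own address or the ISP-supplied resolvers; anything flagged "suspicious" after a reset points at the router rather than the host.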