A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2692  by EP_X0FF
 Wed Sep 08, 2010 2:51 pm
rossetoecioccolato wrote:The hard reset may wipe out the static DNS servers. But the firmware still could be rooted. We won't know unless someone takes the time to save it (before and after).

Which came first? Did the hosts get rooted and then were used to reconfigure/flash the routers or were the routers rooted and then used to take down the hosts? If the hosts were rooted first it would not be unusual to use them to own the router.
And what is the problem? Maybe someone wants to test this? :) All is needed - router and tdl3 dropper.
 #2693  by IndiGenus
 Wed Sep 08, 2010 3:29 pm
EP_X0FF wrote:
rossetoecioccolato wrote:The hard reset may wipe out the static DNS servers. But the firmware still could be rooted. We won't know unless someone takes the time to save it (before and after).

Which came first? Did the hosts get rooted and then were used to reconfigure/flash the routers or were the routers rooted and then used to take down the hosts? If the hosts were rooted first it would not be unusual to use them to own the router.
And what is the problem? Maybe someone wants to test this? :) All is needed - router and tdl3 dropper.
I can do some testing. I have a couple spare linksys routers pretty common to what many users have today. Do we know if there is a specific dropper that plants it? If so do we have one?
 #2694  by USForce
 Wed Sep 08, 2010 3:57 pm
t4L wrote:Anyone can confirm this TDLx64 works like this: patch winload before it reaches OslArchTransferToKernel then patch uncompressed Bootmgr?
ldr16 is just patching BCD and then passing the control to ldr32/64
 #2696  by EP_X0FF
 Wed Sep 08, 2010 3:59 pm
IndiGenus wrote:I can do some testing. I have a couple spare linksys routers pretty common to what many users have today.
I can look with Cisco linksys router later, but I never saw such tdl3 behavior earlier.
 #2699  by SimonZerafa
 Wed Sep 08, 2010 5:36 pm
@IndiGenious,

Thanks for your confirmation.

So this is basically similar to the Zlob type infections which alter the DNS settings in the router. Not using default admin passwords should help mitigate this.

For one moment I thought we had something really new which was altering / patching the code in the router firmware. That would be a pain to resolve but not impossible.

Does anyone know, or care to speculate, if using manual DNS server settings in TCP/IP properties would have any useful effect on this?

If you don't use your router as a DNS server / relay / proxy then the malware can chage the DNS server settings all it want's to and the connected devices will just ignore them.

I assume the malware compremises the TCP/IP stack anyway to make this an ineffective way to work-around the issue?

Kind Regards

Simon
 #2701  by IndiGenus
 Wed Sep 08, 2010 6:02 pm
I can't really "confirm" anything as I've not tested this. Typically yes when the router was altered a hard reset would fix it. But as stated by others here....
rossetoecioccolato wrote:The hard reset may wipe out the static DNS servers. But the firmware still could be rooted. We won't know unless someone takes the time to save it (before and after).

Which came first? Did the hosts get rooted and then were used to reconfigure/flash the routers or were the routers rooted and then used to take down the hosts? If the hosts were rooted first it would not be unusual to use them to own the router.
This may not be the case. But I've seen no evidence or proof of this either way yet. The dropper that was given earlier does nothing to my default setup Linksys router so far, just checked. It did install TDL but no affect on router. Seems there is more testing and investigation that needs to be done.
 #2702  by SecConnex
 Wed Sep 08, 2010 6:37 pm
There are actually different ways to look at this situation for the hard reset.

But first, if it was TDL3, then this has been happening since mid-July. I am helping a user defeat this current issue, and have been helping him since early-mid July. He got this infection back in early July.

The infection has two ways of entry... default admin password for router, or it can install a keylogger and if the user logs in to their router using their password, the infection can grab the password and use it in the future to hack in to the router.

Now, on to the hard resets.

(1) Holding the reset button down for 30 seconds is a hard reset. This will only reset the IP address, and reset the password and a few other simple settings. However, this will NOT reset the firmware.

(The non-factory variables in the firmware will still be there)

(2) 30/30/30 reset: Hold the reset button down for 30 seconds, unplug the router, and keep the reset button down for 30 more seconds. Then, plug the router back in, keeping the reset button down for 30 more seconds. This should fully clear the nvram on the router, and reset the firmware.

If the 30/30/30 reset does not work the first time, it may have to be done once or twice more to make sure the reset occurred properly.


Note: if you want to try a cold boot for the router... it will require 30 seconds for the power to be off on the router. After any reset for the above, a password for the router will be reset to admin. The password will need to be customized for security purposes.
 #2703  by fatdcuk
 Wed Sep 08, 2010 6:48 pm
I'm not 100% sure the router tampering malware is TDL related guys,

Random named.dll loader being the common visual fallout from either dropper in %SYSDIR%\spool\prtprocs\w32x86
Usual vector for that router malware is rotated on seat 1 of Fraudpack(abc) downloaders.

"Daniel" is a cheeky chap at the mo ;)
Attachments
(83.78 KiB) Downloaded 82 times
 #2704  by 4everyone
 Wed Sep 08, 2010 7:02 pm
Hope Everyone is speaking about this DNS Hijack.

Image

If it is so, then i can say that, This issue persists for a long time. I've encountered this many number of times in machines with out TDL3 infection. Hope its not related to TDL3.

And yes, this DNS Hijack makes Search Engines to redirect as well . Mostly to result5.google.com :)
  • 1
  • 19
  • 20
  • 21
  • 22
  • 23
  • 60