
Thread: Can a router be 'infected'?

  1. #1
    BD2
    Guest

    Can a router be 'infected'?

    Here is a quote made recently by MVP PABear in a Microsoft newsgroup:-

    "It *is* his computer and it was yours, too. The infection you had also
    "infected" the router."

    Please will someone explain exactly how this can happen and how to check
    that one's router is 'clean'?

    Thanks.
    --
    Dave

  2. #2
    Martin
    Guest

    Re: Can a router be 'infected'?

    BD2 wrote:
    > Here is a quote made recently by MVP PABear in a Microsoft newsgroup:-
    >
    > "It *is* his computer and it was yours, too. The infection you had also
    > "infected" the router."
    >
    > Please will someone explain exactly how this can happen and how to check
    > that one's router is 'clean'?


    Yes, routers can become infected. It's not going to be the same infection
    that would infect a computer, though. The usual way is that the owner
    didn't change the default username/password and has admin control
    allowed from the internet.

    Then the malware can be installed into the router allowing the remote
    user to gain access to the internal network. Or even just setting up a
    PPTP connection or something that the user doesn't know about. Both are
    possible.

    How to tell? I don't know that you could unless you can get the digest
    of the firmware build and check it against the suppliers website. Keep
    an eye out for strange incoming connections to your PC. Rebuild the
    router and lock it down.

    I don't think the computer infection would infect the router, totally
    different beasts.
    >
    > Thanks.
    > --
    > Dave
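Martin's suggested check (get the digest of the firmware build and compare it with the supplier's website) carried out in code. This is an added example, not code from the thread or from any vendor. It covers a downloaded image file and a raw flash partition dump; a dump is padded with the erased-cell value 0xFF up to the partition size and must be trimmed before hashing, and if the vendor publishes the image size that is the safer cut. The checksum-list format (sha256sum output), file names and image bytes are all constructed for the demo; the vendor digest lines are generated here because no real list is available offline.

```python
"""Check router firmware bytes against a vendor-published digest list.

Added example, not from the thread. The checksum list, file names and
image contents below are constructed; a real audit would download the
vendor's list over HTTPS and hash the image you actually flashed.
"""
import hashlib
import hmac
from typing import Dict, Optional


def parse_checksum_list(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<64 hex>  <name>'); '*name' marks binary mode."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        int(digest, 16)  # reject non-hex garbage early
        table[name.lstrip("*")] = digest.lower()
    return table


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def strip_flash_padding(dump: bytes, fill: bytes = b"\xff") -> bytes:
    """Trim the erased-cell padding that follows an image in a partition dump."""
    return dump.rstrip(fill)


def verify_image(name: str, data: bytes, table: Dict[str, str],
                 flash_dump: bool = False, image_size: Optional[int] = None) -> bool:
    """True if `data` hashes to the published digest for `name`.

    For a flash dump, prefer cutting at the published image size: rstrip()
    would also eat a genuine trailing 0xFF byte of the image, which a
    size-based cut does not.
    """
    expected = table.get(name)
    if expected is None:
        raise KeyError(f"no published digest for {name!r}")
    if flash_dump:
        data = data[:image_size] if image_size is not None else strip_flash_padding(data)
    # compare_digest avoids leaking where the digests diverge via timing
    return hmac.compare_digest(sha256_hex(data), expected)


# --- constructed demo data -------------------------------------------------
GOOD_IMAGE = b"CONSTRUCTED-FW-1.2.3" + bytes(range(256)) * 4 + b"\x00"   # ends in 0x00
EDGE_IMAGE = b"CONSTRUCTED-FW-1.2.4" + bytes(range(256)) * 4             # ends in 0xFF
TAMPERED_IMAGE = GOOD_IMAGE[:100] + b"\x90" + GOOD_IMAGE[101:]           # one byte changed
FLASH_PAD = b"\xff" * 4096                                               # erased cells after the image
GOOD_DUMP = GOOD_IMAGE + FLASH_PAD
EDGE_DUMP = EDGE_IMAGE + FLASH_PAD

# Generated here only because no vendor list is reachable offline.
VENDOR_CHECKSUMS = f"""# constructed vendor checksum list
{sha256_hex(GOOD_IMAGE)}  router-fw-1.2.3.bin
{sha256_hex(EDGE_IMAGE)} *router-fw-1.2.4.bin
"""

if __name__ == "__main__":
    table = parse_checksum_list(VENDOR_CHECKSUMS)
    print("downloaded image ok:", verify_image("router-fw-1.2.3.bin", GOOD_IMAGE, table))
    print("tampered image ok:  ", verify_image("router-fw-1.2.3.bin", TAMPERED_IMAGE, table))
    print("dump, rstrip cut:   ", verify_image("router-fw-1.2.3.bin", GOOD_DUMP, table, flash_dump=True))
    print("dump ending in FF, rstrip cut:", verify_image("router-fw-1.2.4.bin", EDGE_DUMP, table, flash_dump=True))
    print("dump ending in FF, size cut:  ", verify_image("router-fw-1.2.4.bin", EDGE_DUMP, table,
                                                          flash_dump=True, image_size=len(EDGE_IMAGE)))
```

The caveat a practitioner needs: a matching digest on the file you downloaded says nothing about what is in the router's flash. Unless the device lets you dump the partition (third-party firmware usually does, stock firmware usually does not), the digest check only protects the image you are about to flash, which is still worth doing before "rebuilding" the router.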


  3. #3
    David H. Lipman
    Guest

    Re: Can a router be 'infected'?

    From: "BD2" <BoaterDave@hotmail.co.uk>

    | Here is a quote made recently by MVP PABear in a Microsoft newsgroup:-

    | "It *is* his computer and it was yours, too. The infection you had also
    | "infected" the router."

    | Please will someone explain exactly how this can happen and how to check
    | that one's router is 'clean'?

    | Thanks.
    | --
    | Dave

    An off-the-shelf SOHO Router can NOT become "infected"; it can become compromised. Robear
    Dyer used the wrong terminology.

    A DNSChanger Trojan can use a dictionary attack on a given SOHO Router and if the default
    password has NOT been set to a strong password then the DNS Server table can be changed
    and malicious DNS servers, such as 85.255.x.y, may be inserted in the DNS Server table
    redirecting LAN nodes to malicious sites.

    The Router itself can not be "infected" such that there is malware now running on that
    appliance. It becomes compromised where it acts on behalf of the malicious actor's
    desires by altering its settings.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  4. #4
    Leythos
    Guest

    Re: Can a router be 'infected'?

    In article <ALadnaVWk5CijI7XnZ2dnUVZ_vydnZ2d@giganews.com>,
    DLipman~nospam~@Verizon.Net says...
    > The Router itself can not be "infected" such that there is malware now running on that
    > appliance. It becomes compromised where it acts on behalf of the malicious actor's
    > desires by altering its settings.
    >


    Many routers now permit uploading an OS or other to their firmware - so,
    technically, I believe you could load an OS that would support a virus
    or other.

    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  5. #5
    David H. Lipman
    Guest

    Re: Can a router be 'infected'?

    From: "Leythos" <spam999free@rrohio.com>


    | Many routers no permit uploading an OS or other to their firmware - so,
    | technically, I believe you could load an OS that would support a virus
    | or other.

    You mean flash a new firmware ?

    It would NOT support a virus/malware. It would have to be malicious code embedded within
    the firmware image.

    The problem here is what model ?
    While you can do a dictionary attack on known passwords, you can't assume a particular
    model SOHO Router. There are so many models out there -- which one ?

    To date, I have not heard of this occurring with *any* models.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  6. #6
    Martin
    Guest

    Re: Can a router be 'infected'?

    David H. Lipman wrote:
    > From: "Leythos" <spam999free@rrohio.com>
    >
    >
    > | Many routers no permit uploading an OS or other to their firmware - so,
    > | technically, I believe you could load an OS that would support a virus
    > | or other.
    >
    > You mean flash a new firmware ?
    >
    > It would NOT support a virus/malware. It would have to be malicious code embedded within
    > the firmware image.


    I don't see why you wouldn't call it malware, isn't that malicious code?

    > The problem here is what model ?
    > While you can do a dictionary attack on known passwords, you can't assume a particular
    > model SOHO Router. There are so many models out there -- which one ?


    True, but if you telnet or web-browse in and it says "Linksys 826e" in
    the banner then it might well be worth trying admin/password :) There
    are an awful lot of very badly configured home routers out there.

    > To date, I have not heard of this occurring with *any* models.


    I had a vague recollection reading about it around a year or so ago, but
    must confess I can't find anything now, so maybe I didn't remember
    correctly.
    >
    >


  7. #7
    David H. Lipman
    Guest

    Re: Can a router be 'infected'?

    From: "Martin" <usenet21@etiqa.co.uk>

    | David H. Lipman wrote:
    >> From: "Leythos" <spam999free@rrohio.com>



    >> | Many routers no permit uploading an OS or other to their firmware - so,
    >> | technically, I believe you could load an OS that would support a virus
    >> | or other.


    >> You mean flash a new firmware ?


    >> It would NOT support a virus/malware. It would have to be malicious code embedded
    >> within
    >> the firmware image.


    | I don't see why you wouldn't call it malware, isn't that malicious code?

    Sure, there are all kinds of malicious code.

    You may say; del *.* /y
    is malicious code.

    My point is that it would not be the standard trojan you see running under a desktop OS
    environment, it would have to be embedded within the entire code of the so-called
    firmware.

    >> The problem here is what model ?
    >> While you can do a dictionary attack on known passwords, you can't assume a particular
    >> model SOHO Router. There are so many models out there -- which one ?

    | True, but if you telnet or web-browse in and it says "Linksys 826e" in
    | the banner then it might well be worth trying admin/password :) There
    | are an awful lot of very badly configured home routers out there.

    Yeah, a dictionary attack. This is what the DNSChanger Trojan is already doing to SOHO
    Routers.
    BTW: This DNSChanger is not limited to windows, there are MAC versions.

    >> To date, I have not heard of this occurring with *any* models.

    | I had a vague recollection reading about it around a year or so ago, but
    | must confess I can't find anything now, so maybe I didn't remember
    | correctly.


    I have read many articles on how to compromise a SOHO Router, from UPnP to dictionary
    attacks to SOAP. None, however, was a case where a complete firmware replacement has taken
    place by TFTP or other means.

    This may happen in the future. There *may* be a malicious actor who might learn how to
    replace the firmware of, say, a Linksys BEFSR41 v3 SOHO router. The problem would be
    limitations in how few may accomplish this. First you have to infect a platform on the
    LAN side. Then you have to discern if it is a Linksys BEFSR41. Hey, it may be a v1 or v2
    and not a v3 model. Thus even for a particular model it won't work for all versions.

    I see a very limited scope. Malicious actors tend to want to do the most damage in the
    shortest time possible. A dictionary type attack (now being exploited) has the widest
    effect and result. The above limited scope is too much work for too little result.



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  8. #8
    Leythos
    Guest

    Re: Can a router be 'infected'?

    In article <rbadna7qzJMsgo7XnZ2dnUVZ_tmdnZ2d@giganews.com>,
    DLipman~nospam~@Verizon.Net says...
    >
    > From: "Leythos" <spam999free@rrohio.com>
    >
    >
    > | Many routers no permit uploading an OS or other to their firmware - so,
    > | technically, I believe you could load an OS that would support a virus
    > | or other.
    >
    > You mean flash a new firmware ?
    >
    > It would NOT support a virus/malware. It would have to be malicious code embedded within
    > the firmware image.
    >
    > The problem here is what model ?
    > While you can do a dictionary attack on known passwords, you can't assume a particular
    > model SOHO Router. There are so many models out there -- which one ?
    >
    > To date, I have not heard of this occurring with *any* models.


    Me neither, but my thought was that if it can be programmed it can be
    infected. I've seen many open-source replacements for Linksys routers,
    it could be possible to compromise one at the firmware level.

    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  9. #9
    David H. Lipman
    Guest

    Re: Can a router be 'infected'?

    From: "Leythos" <spam999free@rrohio.com>

    | In article <rbadna7qzJMsgo7XnZ2dnUVZ_tmdnZ2d@giganews.com>,
    | DLipman~nospam~@Verizon.Net says...

    >> From: "Leythos" <spam999free@rrohio.com>



    >> | Many routers no permit uploading an OS or other to their firmware - so,
    >> | technically, I believe you could load an OS that would support a virus
    >> | or other.


    >> You mean flash a new firmware ?


    >> It would NOT support a virus/malware. It would have to be malicious code embedded
    >> within
    >> the firmware image.


    >> The problem here is what model ?
    >> While you can do a dictionary attack on known passwords, you can't assume a particular
    >> model SOHO Router. There are so many models out there -- which one ?


    >> To date, I have not heard of this occurring with *any* models.


    | Me either, but, my thought was that if it can be programmed it can be
    | infected. I've seen many open-source replacements for Linksys routers,
    | it could be possible to compromise one at the firmware level.

    Yes, there are some 3rd party firmware for a couple of Wireless Linksys Routers. So there
    is the possibility that a malicious firmware could be conceived.

    Which brings us to my reply to Martin.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  10. #10
    ~BD~
    Guest

    Re: Can a router be 'infected'?

    Martin wrote:
    > BD2 wrote:
    >> Here is a quote made recently by MVP PABear in a Microsoft newsgroup:-
    >>
    >> "It *is* his computer and it was yours, too. The infection you had
    >> also "infected" the router."
    >>
    >> Please will someone explain exactly how this can happen and how to check
    >> that one's router is 'clean'?

    >
    > Yes routers can become infected. It's not going to be the same infection
    > that would infect a computer though. The usual way is that the owner
    > didn't change the default username/password and has admin control
    > allowable from the internet.
    >
    > Then the malware can be installed into the router allowing the remote
    > user to gain access to the internal network. Or even just setting up a
    > PPTP connection or something that the user doesn't know about. Both are
    > possible.
    >
    > How to tell? I don't know that you could unless you can get the digest
    > of the firmware build and check it against the suppliers website. Keep
    > an eye out for strange incoming connections to your PC. Rebuild the
    > router and lock it down.
    >
    > I don't think the computer infection would infect the router, totally
    > different beasts.
    >>
    >> Thanks.
    >> --
    >> Dave


    Thank you for your reply, Martin (and thanks to other respondents too)

    Essential information about your web browser may be found here:-
    http://www.browserreport.com/

    If you visit, you will note that much more information than you might
    think is given away. Perhaps other sites can even identify one's SOHO
    router too.

    Armed with such information it might be relatively straight-forward to
    automate an attack on the router.

    Just a thought!
    --
    Dave

  11. #11
    ~BD~
    Guest

    Re: Can a router be 'infected'?

    David H. Lipman wrote:
    > From: "BD2" <BoaterDave@hotmail.co.uk>
    >
    > | Here is a quote made recently by MVP PABear in a Microsoft newsgroup:-
    >
    > | "It *is* his computer and it was yours, too. The infection you had also
    > | "infected" the router."
    >
    > | Please will someone explain exactly how this can happen and how to check
    > | that one's router is 'clean'?
    >
    > | Thanks.
    > | --
    > | Dave
    >
    > An off-the-shelf SOHO Router can NOT become "infected"; it can become compromised. Robear
    > Dyer used the wrong terminology.
    >
    > A DNSChanger Trojan can use a dictionary attack on a given SOHO Router and if the default
    > password has NOT been set to a strong password then the DNS Server table can be changed
    > and malicious DNS servers, such as 85.255.x.y, may be inserted in the DNS Server table
    > redirecting LAN nodes to malicious sites.
    >
    > The Router itself can not be "infected" such that there is malware now running on that
    > appliance. It becomes compromised where it acts on behalf of the malicious actor's
    > desires by altering its settings.
    >
    >


    You said "Robear Dyer used the wrong terminology".

    Will you post in that thread and tell him so? If not - why not?

    Should you *not* wish to correct him (so notifying the OP as well) I
    trust you have no objection to me posting there and quoting exactly what
    you have said here, David.

    --
    Dave

  12. #12
    Todd H.
    Guest

    Re: Can a router be 'infected'?


    Yes, a router can be infected. See below.

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
    > Yes, there are some 3rd party firmware for a couple of Wireless
    > Linksys Routers. So there is the possibility that a malicious
    > firmware could be conceived.


    David,

    You're a bit behind on this impression i'm afraid. It's way more than
    a couple. And it's way more than Linksys:
    http://www.dd-wrt.com/wiki/index.php/Supported_Devices

    OpenWRT and Tomato are other popular third party open source firmware
    distros that are basically stripped down Linux for the broadcom
    platform.

    And to the original poster's question, yes, there are worms for
    routers. dd-wrt main page has a link to the psybot worm:
    http://www.dd-wrt.com/dd-wrtv3/index.php
    specifically
    http://www.dd-wrt.com/dd-wrtv3/commu...uter-worm.html


    --
    Todd H.
    http://www.toddh.net/

  13. #13
    ~BD~
    Guest

    Re: Can a router be 'infected'?

    Todd H. wrote:
    > Yes, a router can be infected. See below.
    >
    > "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
    >> Yes, there are some 3rd party firmware for a couple of Wireless
    >> Linksys Routers. So there is the possibility that a malicious
    >> firmware could be conceived.

    >
    > David,
    >
    > You're a bit behind on this impression i'm afraid. It's way more than
    > a couple. And it's way more than Linksys:
    > http://www.dd-wrt.com/wiki/index.php/Supported_Devices
    >
    > OpenWRT and Tomato are other popular third party open source firmware
    > distros that are basically stripped down Linux for the broadcom
    > platform.
    >
    > And to the original poster's question, yes, there are worms for
    > routers. dd-wrt main page has a link to the psybot worm:
    > http://www.dd-wrt.com/dd-wrtv3/index.php
    > specifically
    > http://www.dd-wrt.com/dd-wrtv3/commu...uter-worm.html
    >
    >


    Interesting snippets, Todd. Thank you! :)

    --
    Dave

  14. #14
    David H. Lipman
    Guest

    Re: Can a router be 'infected'?

    From: "Todd H." <comphelp@toddh.net>


    | Yes, a router can be infected. See below.

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
    >> Yes, there are some 3rd party firmware for a couple of Wireless
    >> Linksys Routers. So there is the possibility that a malicious
    >> firmware could be conceived.


    | David,

    | You're a bit behind on this impression i'm afraid. It's way more than
    | a couple. And it's way more than Linksys:
    | http://www.dd-wrt.com/wiki/index.php/Supported_Devices

    | OpenWRT and Tomato are other popular third party open source firmware
    | distros that are basically stripped down Linux for the broadcom
    | platform.

    | And to the original poster's question, yes, there are worms for
    | routers. dd-wrt main page has a link to the psybot worm:
    | http://www.dd-wrt.com/dd-wrtv3/index.php
    | specifically
    |
    | http://www.dd-wrt.com/dd-wrtv3/commu...uter-worm.html


    Thank you Todd. You provided information that shows I'm NOT up-to-date and wrong.
    http://www.adam.com.au/bogaurd/PSYB0T.pdf

    "As described in the Drone BL Blog the worm works with a brute force attack using
    dictionary based random passwords"..."As far as we know the worm does not yet install
    itself resistant ..."

    http://www.eset.com/threat-center/blog/?p=810
    "This bot looks interesting, though, in that it doesn’t seem to target PCs (at least, not
    for recruiting as drones): instead, it targets routers and DSL modems, containing
    shellcode for a number of mipsel devices (that is, devices running on an architecture
    supported by some flavours of embedded linux), and including some wrinkles that would make
    it difficult for a home user to get back control of their router, even if they became
    aware of the problem."


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
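The attack that runs through posts #6 and #7 (read the banner, then try admin/password, or a short dictionary) and through the psyb0t write-ups quoted in the post above (brute force with dictionary passwords) is easy to turn against your own router as a self-audit. The code below is an added example, not from the thread or from any of the linked pages. Because it has to run offline, it starts a constructed stand-in router on 127.0.0.1 that challenges with HTTP Basic auth and a realm string naming a model; the realm text, the credential list and the URL are assumptions, not anything the thread states about a real device.

```python
"""Default-credential self-audit of a router's web admin page.

Added example, not from the thread. The fake router, its realm string and
DEFAULT_CREDS are constructed; point audit() at your own router's admin URL
to check whether the dictionary-attack worms described in the thread would
get in.
"""
import base64
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple

# A few vendor defaults of the kind every dictionary-attack worm carries; a
# real audit would use a longer list, ideally keyed on the banner / model.
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "admin"),
    ("admin", "1234"),
]

# Never route these requests through an http_proxy from the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def _basic(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def start_fake_router(accepted: Tuple[str, str] = ("admin", "password"),
                      realm: str = "Linksys BEFSR41"):
    """Constructed stand-in for a SOHO admin page: 401 plus a realm banner
    until the accepted Basic credentials arrive, then a 200 status page."""
    token = _basic(*accepted)

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == token:
                body = b"<html><body>Router Status</body></html>"
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", f'Basic realm="{realm}"')
                self.send_header("Content-Length", "0")
                self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def banner(url: str) -> Optional[str]:
    """Fetch without credentials and return the Basic-auth realm, which on
    many SOHO routers names the model (the 'banner' Martin refers to).
    None means the page came back without any challenge at all."""
    try:
        with _OPENER.open(url, timeout=5):
            return None
    except urllib.error.HTTPError as e:
        if e.code == 401:
            m = re.search(r'realm="([^"]*)"', e.headers.get("WWW-Authenticate", ""))
            return m.group(1) if m else ""
        raise


def try_login(url: str, user: str, password: str) -> bool:
    req = urllib.request.Request(url, headers={"Authorization": _basic(user, password)})
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return False
        raise


def audit(url: str, creds: List[Tuple[str, str]] = DEFAULT_CREDS) -> Optional[Tuple[str, str]]:
    """Return the first accepted (user, password) pair, or None if none work."""
    for user, password in creds:
        if try_login(url, user, password):
            return (user, password)
    return None


if __name__ == "__main__":
    srv, url = start_fake_router()
    print("banner:", banner(url))
    hit = audit(url)
    print("default credentials accepted:", hit if hit else "none")
    srv.shutdown()
    srv.server_close()
```

Two things to take from running it against a real device. If `banner()` returns a model name, an attacker gets the same hint for free and can pick the matching default list, which is exactly why the "which model?" objection in post #7 does not help much. And if `audit()` returns a pair, the router is in the state the DNSChanger and psyb0t dictionary attacks rely on: change the password, disable remote (WAN-side) administration, and then re-check the DNS table.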



  15. #15
    Todd H.
    Guest

    Re: Can a router be 'infected'?

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:

    > From: "Todd H." <comphelp@toddh.net>
    >
    >
    > | Yes, a router can be infected. See below.
    >
    > | "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:
    >>> Yes, there are some 3rd party firmware for a couple of Wireless
    >>> Linksys Routers. So there is the possibility that a malicious
    >>> firmware could be conceived.

    >
    > | David,
    >
    > | You're a bit behind on this impression i'm afraid. It's way more than
    > | a couple. And it's way more than Linksys:
    > | http://www.dd-wrt.com/wiki/index.php/Supported_Devices
    >
    > | OpenWRT and Tomato are other popular third party open source firmware
    > | distro's that are basically stripped down Linux for the broadcom
    > | platform.
    >
    > | And to the original poster's question, yes, there are worms for
    > | routers. dd-wrt main page has a link to the psybot worm:
    > | http://www.dd-wrt.com/dd-wrtv3/index.php
    > | specifically
    > |
    > | http://www.dd-wrt.com/dd-wrtv3/commu...uter-worm.html
    >
    >
    > Thank you Todd. You provided information that shows I'm NOT
    > up-to-date and wrong.


    I'm not sure what you're trying to say here David. I'm getting the
    impression you're trying to refute something?

    To clarify, my note of not being up to date referred only to the
    quoted information regarding the scope of supported platforms for
    third party open source firmware.

    --
    Todd H.
    http://www.toddh.net/

  16. #16
    David H. Lipman
    Guest

    Re: Can a router be 'infected'?

    From: "Todd H." <comphelp@toddh.net>



    >> Thank you Todd. You provided information that shows I'm NOT
    >> up-to-date and wrong.


    | I'm not sure what you're trying to say here David. I'm getting the
    | impression you're trying to refute something?

    | To clarify, my note of not being up to date referred only to the
    | quoted information regarding the scope of supported platforms for
    | third party open source firmware.

    Todd, I am thanking you and saying ...
    You provided information that shows I'm NOT up-to-date and I'm wrong.

    I'm not refuting anything, I'm admitting my mistake.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  17. #17
    Todd H.
    Guest

    Re: Can a router be 'infected'?

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:

    > From: "Todd H." <comphelp@toddh.net>
    >
    >
    >
    >>> Thank you Todd. You provided information that shows I'm NOT
    >>> up-to-date and wrong.

    >
    > | I'm not sure what you're trying to say here David. I'm getting the
    > | impression you're trying to refute something?
    >
    > | To clarify, my note of not being up to date referred only to the
    > | quoted information regarding the scope of supported platforms for
    > | third party open source firmware.
    >
    > Todd, I am thanking you and saying ...
    > You provided information that shows I'm NOT up-to-date and I'm wrong.
    >
    > I'm not refuting anything, I'm admitting my mistake.


    Gotcha. Hard to read ASCII accents sometimes. :-)


    --
    Todd H.
    http://www.toddh.net/

  18. #18
    Junior Member
    Join Date: Nov 2010
    Posts: 1

    I wonder whether anyone would be able to explain to me what to do if one thinks one's router has been infected. Does this mean the router has to be thrown away and a new one purchased?

    I think my router has been compromised but I don't know how to tell. Having tried to download some software from the internet, my router closed down and then came up with the initial message that it gave when I first set it up, along the lines of "Congratulations, your router is now configured/connected etc." It is a SpeedTouch router.

    I am not very computer literate (VERY not computer literate would be more accurate); however, I have managed to look at some of the settings for my router, a Thomson SpeedTouch, and they seem to be normal, i.e. 192. etc. and not the 85. mentioned in the post above.

    Does that mean that my router is okay? Or could it still be infected and show the right settings for connecting with TalkTalk (my internet provider)?

    If the router has been compromised, can/will it have been able to compromise any other computers on the network and/or my iPhone? That is to ask, if I now throw away this router and buy another one and set it up, is there a possibility that the bug has installed itself on my and other computers and iPhone (potentially) and will re-infect the new router, or is that impossible?

    I have now run MacScan and it hasn't come up with anything. I don't really understand how spyware detectors work, but would it detect if something had messed with the router settings?
