New Router Attack Displays Fake Warning Messages

Just because security researchers report about threats doesn’t mean we’re exempted from them.

I recently experienced an incident at home that involved tampered DNS router settings. I was redirected to warning pages that strongly resemble those used in previous FAKEAV attacks. I noticed that my home internet router DNS settings have been modified from its default settings. (My router is a modem/router combo that was provided by my ISP.)

Sensing that my home router settings may have been tampered with, I did some more checking to see if it has been infected. I tried to browse through HTTP websites, but all HTTP websites displayed a warning message on all of the devices I used (I used my Windows Phone, iPad, and my laptop). This is a sample warning message that shows that my system has been found with “two malicious viruses” and that my personal information “may not be safe.”

Figure 1. Warning message displayed on HTTP websites from my infected router (Click to enlarge)

I checked the DNS settings in the router to check for anything suspicious. To my knowledge, the settings are supposed to be as follows:

Figure 2. Original DNS settings

Instead, the DNS settings were:

Figure 3. Tampered settings lists the primary DNS IP address as 5[.]104[.]175[.]151

I looked up the newly listed IP address via Trend Micro IP reputation service, which lists the new IP as ‘bad.’

Figure 4. New IP address in DNS settings is listed as ‘bad’ by Trend Micro IP Reputation Service

I am not entirely sure how the DNS settings were modified, considering that the router already came pre-configured by my ISP. It isn’t unlikely, however, that the router may have been tampered with since the supply chain is a known target and could represent a weak point in any organization.

Rising number of vulnerable routers on a global scale

My experience led me to think of other router attacks that have happened in the past months and years. As early as 2010, researchers have demonstrated attacks on home routers that combined DNS rebinding and cross-site request forgery. If done successfully, this particular router attack may allow attackers to change the router’s DNS settings, making everyone connected to it vulnerable to phishing attacks.

In 2014, we uncovered a router-based attack on our own. Routers manufactured by Netcore were incidentally sold with a wide-open backdoor that can be easily exploited to run arbitrary code, rendering the routers vulnerable. And just last March, we wrote about malware that attempts to connect to home routers to search for connected devices.

Data from Asus home routers with the Trend Micro Smart Home Network Solution shows that these types of attacks are ongoing. For example, we have detected and blocked attacks involving the vulnerability CVE-2015-0554. These attacks were mostly observed in Australia, China, and Spain.

Keeping your home network secure

Routers make an ideal target for cybercriminals—tampering with any wireless router can allow cybercriminals to monitor their targeted users’ online activities. And from past incidents, we can see that cybercriminals use different ways of launching these attacks.

Securing the router should be a primary concern as these often come with important default settings that may be critical in terms of security. Default settings make routers easier to configure but it can also make them more vulnerable to unauthorized access. Creating a strong router login password is just one way to keep routers safe from potential threats.

Changing the router login credentials is the first step to securing a home network. Cybercriminals often use malware and scripts to launch router attacks. Security solutions like Trend Micro security for their computers and Trend Micro Mobile for Android and iOs for smartphones can detect and prevent malware from running in devices. Other security practices like double-checking links, emails, and attachments can go a long way in securing computers and networks.

Users may also call their ISP provider for assistance as DNS tampering may be the result of ISP issues.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

New Router Attack Displays Fake Warning Messages