Linksys and D-link Firewall/Router owners - beware of the latest attack!!
Tuesday, June 17 2008 @ 11:55 PM UTC
Several of my daily reading sources have pointed out new attacks on popular consumer firewall/router hardware, including Linksys and D-Link units, although the attacks are not limited in any way to those brands. The malware changes the router's DNS servers to ones the bad-uglies control, so instead of going where you think you are going when you browse the Internet, you go where the crooks want you to go, with no obvious way of knowing you are in the wrong place.
The attack works because the malware successfully hacks the router's web interface from one of the "protected" computers inside your Local Area Network (LAN). How the malware (the DNSChanger Trojan) gets onto that inside computer is not specifically stated, probably because several methods are currently in use:
1 - infected legitimate web sites that a user visits
2 - many e-mail methods, including "phishing" and "social engineering", to get people to visit an infected site or download the malware directly
3 - when trying to view a video, the (already compromised) system tells you that you need a new video CODEC, and the "codec" is instead the trojan
The point is that the attack works in many cases because people don't change the default passwords on their routers when they install them, and the default passwords are widely known and published. Failing that, weak passwords are chosen, and the "brute force" attack simply runs through a dictionary of words and common password choices.
One of the things that makes this brute-force guessing fairly easy and swift is that most such routers do not "time out" after a small number of wrong guesses the way most PCs do, so the attack can run through a large number of guesses in very little time. A similar attack on a PC running Windows, Linux or another desktop operating system usually runs up against "anti-guessing" timeouts that can add minutes to each round of 3-5 guesses.
The crux of the attack, regardless of how the bad-uglies get access to your router/firewall, is that they change the Domain Name System (DNS) settings to point to an infected computer they control instead of the DNS server from your ISP (which is hopefully itself uninfected).
This DNS change means that if/when you try to visit (for example) your BANK's WEBSITE, the DNS instead points you to a machine the crooks have set up to look like your bank, and since the URL in the browser bar looks correct, you have no reason to suspect it is anything but your bank. All other DNS queries work properly, so you go to Google, Yahoo, Microsoft or whatever other sites you want to visit just as if the DNS server were in fact working correctly. You "log on" to their bogus site and they pass your ID and password through to the real bank while noting it for later, or use it to drain your account while showing you a bogus "system is busy" message or some other social engineering stunt to make you wait: a bogus ad video, status messages, or simply a long delay in the hope that you wait.
Any site for which the BAD-UGLIES have created a PHISHING site to trap your information would get the bad DNS treatment, so it would not matter whether you bank with RBC, CIBC, Bank of America or whatever other bank you have seen phishing e-mail from recently. Other sites such as gaming and social networking sites are prime targets for phishing look-alikes too, so they can get your login information and do nasty things with it.
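As an added example (not part of the original post), here is a small Python check for the two symptoms described above: a router handing out resolvers you did not expect, and a resolver that answers correctly for most names but redirects a few high-value ones. The allowlist, the resolv.conf text and both answer tables are constructed sample data, not live lookups.

```python
# Added example, not from the original post. Two defender-side checks for
# DNSChanger-style router tampering: (1) are the configured resolvers the ones
# we expect, and (2) does the configured resolver answer the same as a trusted
# one for names worth protecting? All addresses below are constructed samples.
from typing import Callable, Dict, List, Optional, Tuple

# Constructed allowlist: the router's own LAN address plus the ISP's resolvers.
EXPECTED_RESOLVERS = {"192.168.1.1", "203.0.113.53", "203.0.113.54"}

# Constructed answer tables standing in for real DNS lookups. TRUSTED is what
# the ISP resolver returns; HIJACKED is what a tampered router now hands back.
# Only the bank is redirected; everything else resolves normally, which is why
# "the Internet still works" is no evidence that DNS is clean.
TRUSTED_ANSWERS = {"www.example-bank.test": "198.51.100.10",
                   "www.google.com": "142.250.0.1"}
HIJACKED_ANSWERS = {"www.example-bank.test": "203.0.113.99",
                    "www.google.com": "142.250.0.1"}

def parse_resolv_conf(text: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def unexpected_resolvers(servers: List[str], allow=EXPECTED_RESOLVERS) -> List[str]:
    """Return configured resolvers that are not on the allowlist."""
    return [s for s in servers if s not in allow]

def spoofed_names(watch: List[str], configured: Callable[[str], Optional[str]],
                  trusted: Callable[[str], Optional[str]]) -> Dict[str, Tuple]:
    """Names whose answer from the configured resolver differs from the trusted one."""
    return {n: (configured(n), trusted(n)) for n in watch if configured(n) != trusted(n)}

if __name__ == "__main__":
    # Constructed resolv.conf as a tampered router's DHCP lease would produce it.
    sample = "nameserver 192.168.1.1\nnameserver 203.0.113.99\n"
    print("unexpected resolvers:", unexpected_resolvers(parse_resolv_conf(sample)))
    watched = ["www.example-bank.test", "www.google.com"]
    print("spoofed names:", spoofed_names(watched, HIJACKED_ANSWERS.get, TRUSTED_ANSWERS.get))
```

On a real host, replace the two answer tables with lookups against the router's resolver and a resolver you trust (the ISP's, reached directly); the comparison logic stays the same.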
The bottom line is: make sure your firewall/router has something HARD TO GUESS as the password for the administration web interface. And while you're at it, turn off (if you can) the "Plug-n-Play" feature (UPnP), as it too is a way that malware can do nasty things with your router.
Links with more information:
http://www.darkreading.com/document.asp?doc_id=156741&f_src=darkreading_default
http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html
Edited to add:
The list of passwords this latest trojan is using tells me that it is attacking many different brands, as well as what appear to be some that are private-labeled for various ISPs. I see several combinations I recognize from my days with embedded systems at Lineo, as well as some I recognize from dealing with a couple of ISPs.