Saturday, June 28, 2014

Home routers can be infected with malware

IT pros  have found a malicious worm that has infected  different home and small office Linksys routers, including the E1000, the E1200, and the E2400.

Then there is also an Asus firmware vulnerability: An IT researcher named Kyle Lovett also found a vulnerability in a number of heavy duty Asus routers that had faulty firmwares.

Rightrdia has recommended DD-WRT firmware enabled routers in the past. However, this vulnerability also affects some routers with DD-WRT firmware. A Netgear Wnd3700V4 router that Rightardia uses appears to have been infected with this malware and firmware upgrades and a configuration default did not eliminate the problem.

Sunbelt Software also reported  that a Buffalo router that provisioned with DD-WRT firmware was pulled out of a retail box and easily infected with the router malware.

A Washington Post article stated:

". . . Sunbelt was able to confirm that the malware successfully changed the DNS settings on a Linksys router (model BEFSX41), pulled straight out of the factory box (with the default username and password). Another test showed that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware.

Sunbelt also found that if there are multiple machines using the same router, all of the systems connected to that router will have their traffic hijacked."

DD-WRT recommends  to disabling the graphical user interface on the router and change the admin login and use a stronger password. DD-WRT has also suggesting defaulting the config will eliminate the worm.

Rightardia discovered that re-flashing the router or defaulting the configuration did not work.

We did find this information in a forum.
"If you got the problem that in every loaded page appears a javascript tag like <script language="javascript" SRC=""></script> this is the solution for your problem.

The cause is a trojan horse (virus) on another computer in your network!
This other computer is telling your PC that it is the gateway to the Internet by modifying its hardware address (MAC). Your computer is in consequence sending all traffic to the infected PC which forwards it to the Internet and filters it in order to put its malicious code.

You can find out which computer is the evil one by typing following into your command line:

arp -a

In the appearing table search for a double assigned physical address which is once assigned to the gateway IP address and once assigned to another IP.

Find out which computer is the other IP and you will have the virus host.
Scan that one for virus and malware (we are just about to conduct that scan)."

The best option at this point would be to replace an infected  router with Tomato firmware installed. If your home router is not infected, disable remote access and change the login ID and password. Use a complex password that would not respond to a brute force dictionary attack.

You can purchase  a Tomato enabled router form Amazon. The NetGear WNR3500L Rangemax Wireless-N Gigabit Router with Tomato VPN firmware (Refurbished) appears to be a good option. 

Rightardia would expect DD-WRT to release new firmware to fix this problem in the immediate future. 


Subscribe to the Rightardia feed: 

  Creative Commons License

Rightardia by Rightard Whitey of Rightardia is licensed under a Creative Commons Attribution 3.0 Unported License.

Permissions beyond the scope of this license may be available at

No comments: