
Tuesday, July 1, 2014

More on router malware that hacks Gmail and installs bogus passwords in your browser.


Rightardia reported earlier that both Linksys and Netgear routers can be infected with malware called DNSChanger, which is supposedly a variant of the Zlob malware. The Linksys router was a WND3700V4 that had been flashed with DD-WRT firmware, which is supposed to be more secure than commercial firmware.

Rightardia changed the password in the router. This did not fix the problem. I also tried port forwarding by redirecting port 80 to port 8080. That didn't work either.

Virus scans on all of the PCs on the network followed. The malware infection was surprising because our network is Linux based. Today we discovered something interesting.

We use a browser plugin for a password manager that saves the passwords to the Linux Mint home directory. The same password manager account is used by both browsers; we use this plugin in both Firefox and Chrome. Oddly, the password manager worked in Firefox but not in Chrome.


I decided to check the browsers' saved passwords. I found no problems in Chrome, but Mozilla's Firefox was a different matter. It had two passwords that shouldn't be there. One password was for Gmail, which the password manager uses to authenticate. The other password was for the router at IP address 192.168.1.1. Both used the bogus password d6nw5v1x2pc7st9m.

Neither bogus password worked with Gmail or the router. However, I had changed the router password long ago and then immediately changed my Gmail password today. It is possible that hackers have developed a technique to piggyback off of existing passwords with a secondary password.


Check your browser's saved passwords in Firefox's Settings | Security.

I recommend you delete the bogus passwords from your "saved passwords" list. Also, change both your router's password and your Gmail password if you find any extra browser passwords. I also recommend changing the router's IP address from 192.168.1.1 to another address on your 192.168.1.0 network.

Disable web GUI management and require HTTPS (secure) connections to your router for configuration changes.
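The saved-password check above can be scripted so it is repeatable across every profile on the network. The script below is an added example, not code from the original post. It assumes the logins.json format that Firefox 32 and later use for saved logins (older profiles, like the one in this post, kept the same data in signons.sqlite), where each entry's site origin, creation time and use count are stored in plaintext and only the username and password are encrypted. It never decrypts anything; it reports saved logins for the router address and Gmail sign-in page, plus any entry the browser has never autofilled, which is a hint that the user did not save it themselves. The sample document is constructed to mirror the two unexpected entries described in the post.

```python
"""Audit a Firefox logins.json for saved passwords you did not create.

Added example, not from the original post. Assumes the logins.json layout of
Firefox 32 and later: origins and timestamps are plaintext, credentials are
encrypted and are left untouched here.
"""
import json
from datetime import datetime, timezone

# Origins the post singles out: the router's admin page and Gmail's sign-in.
# Adjust the router address if yours is not 192.168.1.1.
WATCHED_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1",
                   "https://accounts.google.com"}

# Constructed sample in the logins.json layout (encrypted fields shortened to
# placeholders). Entry 1 is a normal, well-used login; entries 2 and 3 mirror the
# unexpected router and Gmail entries from the post and were never autofilled.
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 4,
    "version": 3,
    "logins": [
        {"id": 1, "hostname": "https://example.com", "httpRealm": None,
         "formSubmitURL": "https://example.com", "usernameField": "user",
         "passwordField": "pass", "encryptedUsername": "MDIE...",
         "encryptedPassword": "MDIE...", "guid": "{11111111-aaaa}", "encType": 1,
         "timeCreated": 1380000000000, "timeLastUsed": 1404000000000,
         "timePasswordChanged": 1380000000000, "timesUsed": 12},
        {"id": 2, "hostname": "http://192.168.1.1", "httpRealm": "router",
         "formSubmitURL": None, "usernameField": "", "passwordField": "",
         "encryptedUsername": "MDIE...", "encryptedPassword": "MDIE...",
         "guid": "{22222222-bbbb}", "encType": 1,
         "timeCreated": 1404100000000, "timeLastUsed": 1404100000000,
         "timePasswordChanged": 1404100000000, "timesUsed": 0},
        {"id": 3, "hostname": "https://accounts.google.com", "httpRealm": None,
         "formSubmitURL": "https://accounts.google.com", "usernameField": "Email",
         "passwordField": "Passwd", "encryptedUsername": "MDIE...",
         "encryptedPassword": "MDIE...", "guid": "{33333333-cccc}", "encType": 1,
         "timeCreated": 1404100000000, "timeLastUsed": 1404100000000,
         "timePasswordChanged": 1404100000000, "timesUsed": 0},
    ],
})


def parse_logins(logins_json):
    """Extract origin and metadata from each saved login; credentials stay encrypted."""
    doc = json.loads(logins_json)
    entries = []
    for login in doc.get("logins", []):
        # Firefox 32+ stores the site as "hostname"; recent releases add "origin".
        origin = (login.get("origin") or login.get("hostname") or "").rstrip("/").lower()
        entries.append({
            "origin": origin,
            "created": datetime.fromtimestamp(login.get("timeCreated", 0) / 1000, timezone.utc),
            "times_used": login.get("timesUsed", 0),
        })
    return entries


def suspicious_logins(entries, watched=WATCHED_ORIGINS, since=None):
    """Return (origin, reasons) pairs for entries worth a second look.

    An entry is flagged if its origin is on the watch list, if the browser has
    never autofilled it (a login you saved yourself is normally used at least
    once) or, when `since` is given, if it was created after that moment.
    """
    flagged = []
    for e in entries:
        reasons = []
        if e["origin"] in watched:
            reasons.append("watched origin (router or Gmail)")
        if e["times_used"] == 0:
            reasons.append("never used")
        if since is not None and e["created"] > since:
            reasons.append("created after %s" % since.date())
        if reasons:
            flagged.append((e["origin"], reasons))
    return flagged


def audit(logins_json, since=None):
    """Parse and flag in one step; prints a short report and returns the flagged list."""
    flagged = suspicious_logins(parse_logins(logins_json), since=since)
    for origin, reasons in flagged:
        print("SUSPECT %-32s %s" % (origin, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    # Real use: audit(open("/home/<user>/.mozilla/firefox/<profile>/logins.json").read())
    audit(SAMPLE_LOGINS_JSON, since=datetime(2014, 6, 1, tzinfo=timezone.utc))
```

Run it against a copy of the profile's logins.json rather than the live file while Firefox is open. A flagged entry only means "look at this"; confirm in the browser's saved-passwords dialog before deleting it, and follow the post's advice to change the router and Gmail passwords if the entry is genuinely not yours.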

This malware MO suggests the router malware is used to create a botnet. In a botnet, the "zombie master" hacker directs thousands of bots to ping a certain IP address, which results in a distributed denial of service (DDoS) attack.

So far my router and Internet are functioning normally.

Knock on wood!

The hacker that invented the router exploit must be quite exceptional. Very ingenious.

Subscribe to the Rightardia feed: http://feeds.feedburner.com/blogspot/UFPYA

Rightardia by Rightard Whitey of Rightardia is licensed under a Creative Commons Attribution 3.0 Unported License.

Permissions beyond the scope of this license may be available at rightardia@gmail.com.
