Team Cymru spots 300,000 compromised SOHO gateways It's time to check the DNS settings on your broadband gateway, with security research group Team Cymru discovering an attack that could have redirected as many as 300,000 devices to a malicious resolver. Once a gateway is compromised, the devices behind it would be sent to the attacker's DNS, exposing them to drive-by attacks …
Many of the (better) routers have internet and wireless access to the management interface disabled by default; but check to be sure.
Also a good idea to change the IP address range of the LAN so it's not the obvious 192.168.1.x or 192.168.0.x but make sure it's still an RFC 1918 address:
https://tools.ietf.org/html/rfc1918
The JS attack can still get around this if the infected machine is on the wired LAN though; another good reason for using NoScript.
@anon: "Maybe you should take the time to read the Team Cymru report to understand how they believe the majority of the hacks took place. Then you'd understand that it is not thought to stem from any remote access."
"Malicious Javascript is loaded by a computer inside the local network and forces a local machine to automatically change the routers DNS settings" WhitePaper
Would this 'computer` be running on Microsoft Windows?
This DNS redirecting hack is at least a decade old ..
You read the "how is it done bit" ?
Compromise via local machine using Jscript is only part of it.
Using a static IP and DNS for all LAN side machines seems good enough mitigation.
I do this for all machines on my LAN they each have a static IP and specified DNS servers.
Of course most home and SOHO users just accept the defaults out of the box. And this is where potential problems arise. Ease of use over security is where the consumer and much of the professional hardware providers put all their eggs.
All I am saying is it should be the other way around, Security first, convenience as a secondary consideration.
I found I had this at home last night. DNS of the ADSL modem router set to those in the article. I found it because an internet device (not a computer or a mobile) had stopped working over the weekend.
It's a D-Link router, not on the vulnerable list. No Windows PCs on the network., only Macs, an iPhone (not mine!) and a PS3. Router password was not the manufacturer's. Scary.
So how did this happen? A malicious javascript? And what should I do now, besides resetting the router's DNS and changing passwords for everything useful which might have been accessed with the router on the bad settings, and the router itself? The Macs are set to use specified DNS servers, not the router.
Most worrying, the web interface of the router, which is about 2 years old, does not allow altering Remote Management. Time to get a new router? Any recommendations for a SOHO ADSL modem router which comes with remote management turned off out of the box?
Here's a thought. If this is down to just two DNS servers are dodgy why are ISPs not simply blocking access to those addresses?
Actually it would make sense if ISPs only allowed DNS requests from end users to go to their own DNS servers unless the user specifically requested it. It's hardly rocket surgery.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
