Thread: malware changing router settings

  1. #1
    David H. Lipman Guest

    Re: malware changing router settings

    From: "smurf" <smurf@smurf.com>

    | Spotted it today, a dg834g netgear router was accessed by some malicious
    | software which followed a limewire download. The software logged onto the
    | router (using default password) and changed dns settings from automatic to a
    | set of manual addresses.

    | The consequence was that, in say a Google search, any link had a results5 prefix.

    | The standard fix for results5 infections was TDSSKiller etc., of course
    | no good here as the source of the problem was the router.

    | removed the dns addresses, changed the password on the router and flushed
    | the dns cache of the connected machines.

    | First time come across this.


    http://www.trustedsource.org/blog/42...s-into-routers

    http://www.pc1news.com/news/0017/war...-settings.html

    http://vil.nai.com/vil/content/v_141841.htm

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  2. #2
    zxcar Guest

    Re: malware changing router settings

    On 8/6/2010 7:35 PM, David H. Lipman wrote:

    >
    > http://www.trustedsource.org/blog/42...s-into-routers
    >
    > http://www.pc1news.com/news/0017/war...-settings.html
    >
    > http://vil.nai.com/vil/content/v_141841.htm
    >


    Thanks...
    Here are 2 others for the list that I found under HKLM > System >
    CurrentControlSet > Services > TCPIP > Parameters > DHCPNameServer >
    213.109.64.5 213.109.72.21 0.1.1.1. They are under Interfaces too. I've
    read that a NameServer key will override those settings?

  3. #3
    David H. Lipman Guest

    Re: malware changing router settings

    From: "zxcar" <zxcar@sumting.com>

    | On 8/6/2010 7:35 PM, David H. Lipman wrote:


    >> http://www.trustedsource.org/blog/42...s-into-routers


    >> http://www.pc1news.com/news/0017/war...reless-router-settings.html


    >> http://vil.nai.com/vil/content/v_141841.htm



    | Thanks...
    | Here are 2 others for the list that I found under HKLM > System >
    | CurrentControlSet > Services > TCPIP > Parameters > DHCPNameServer >
    | 213.109.64.5 213.109.72.21 0.1.1.1. They are under Interfaces too. I've
    | read that a NameServer key will override those settings?


    All products of a DNSChanger trojan.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  4. #4
    Lil' Abner Guest

    Re: malware changing router settings

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:i3i7s002u63@news6.newsguy.com:

    > From: "smurf" <smurf@smurf.com>
    >
    >| Spotted it today, a dg834g netgear router was accessed by some
    >| malicious software which followed a limewire download. The software
    >| logged onto the router (using default password) and changed dns
    >| settings from automatic to a set of manual addresses.
    >
    >| The consequence was that, in say a Google search, any link had a results5
    >| prefix.
    >
    >| The standard fix for results5 infections was TDSSKiller etc., of
    >| course no good here as the source of the problem was the router.
    >
    >| removed the dns addresses, changed the password on the router and
    >| flushed the dns cache of the connected machines.
    >
    >| First time come across this.
    >
    >
    > http://www.trustedsource.org/blog/42...n-hacks-into-routers
    >
    > http://www.pc1news.com/news/0017/war...n-modifies-wireless-router-settings.html
    >
    > http://vil.nai.com/vil/content/v_141841.htm


    OK, now you have *me* nervous. I had a problem earlier today with newegg.com
    getting redirected to dpbolvw.net. The latter is bad news and is blocked in
    my HOSTS file. So I got to reading this thread and decided to check my
    firewall settings in my D-Link 604 router.
    Look at http://mewnlite.com/di-604.gif
    The 4 circled items were not put there by me. The rest of them are all
    items I have listed under virtual server. According to what I've Googled,
    the legit Teredo has something to do with IPv6. The LIMExxxxxxxxx entries
    do not ring a bell with me - do they to anyone else?

    --
    --- Everybody has a right to my opinion. ---

  5. #5
    Lil' Abner Guest

    Re: malware changing router settings

    "Lil' Abner" <blvstk@dogpatch.com> wrote in
    news:Xns9DCCF2C61E263butter@wefb973cbe498:

    > "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    > news:i3i7s002u63@news6.newsguy.com:
    >
    >> From: "smurf" <smurf@smurf.com>
    >>
    >>| Spotted it today, a dg834g netgear router was accessed by some
    >>| malicious software which followed a limewire download. The software
    >>| logged onto the router (using default password) and changed dns
    >>| settings from automatic to a set of manual addresses.
    >>
    >>| The consequence was that, in say a Google search, any link had a results5
    >>| prefix.
    >>
    >>| The standard fix for results5 infections was TDSSKiller etc., of
    >>| course no good here as the source of the problem was the router.
    >>
    >>| removed the dns addresses, changed the password on the router and
    >>| flushed the dns cache of the connected machines.
    >>
    >>| First time come across this.
    >>
    >>
    >> http://www.trustedsource.org/blog/42...an-hacks-into-routers
    >>
    >> http://www.pc1news.com/news/0017/war...an-modifies-wireless-router-settings.html
    >>
    >> http://vil.nai.com/vil/content/v_141841.htm

    >
    > OK, now you have *me* nervous. I had a problem earlier today with
    > newegg.com getting redirected to dpbolvw.net. The latter is bad news
    > and is blocked in my HOSTS file. So I got to reading this thread and
    > decided to check my firewall settings in my D-Link 604 router.
    > Look at http://mewnlite.com/di-604.gif
    > The 4 circled items were not put there by me. The rest of them are all
    > items I have listed under virtual server. According to what I've
    > Googled, the legit Teredo has something to do with IPv6. The
    > LIMExxxxxxxxx entries do not ring a bell with me - do they to anyone
    > else?

    OK. Since that post, I hooked up a spare router that was programmed
    exactly the same as the original. The Teredo and Limexxxxx entries were
    not there. So I hooked the original router back up and now the entries
    are gone there too! OK, the LIMExxxxx entry made me wonder about
    Limewire. I do have it installed but I haven't used it forever. So just
    for kicks I started it up and sure enough the LIMExxxx entries showed
    back up in my router. The Teredo ones did not. And when I shut Limewire
    down the entry went away again.
    So now I'm thoroughly confused. My router is protected with a very unique
    password. How can an application change my settings so easily?

    --
    --- Everybody has a right to my opinion. ---

  6. #6
    Roger Guest

    Re: malware changing router settings

    On Sat, 07 Aug 2010 02:31:00 -0500, "Lil' Abner"
    <blvstk@dogpatch.com> wrote:

    >How can an application change my settings so easily?


    UPnP ? Well it's the first thing I'd look for.
    --
    Roger

  7. #7
    David H. Lipman Guest

    Re: malware changing router settings

    From: "Roger" <invalid@invalid.invalid>

    | On Sat, 07 Aug 2010 02:31:00 -0500, "Lil' Abner"
    | <blvstk@dogpatch.com> wrote:

    >>How can an application change my settings so easily?


    | UPnP ? Well it's the first thing I'd look for.


    Correct, and it is NOT the OP's problem.

    DNSChanger trojans modify the DNS Servers on the Router and thus the nodes on the LAN.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


