Sunday, July 3

An attack: Initiated from attacking dd-wrt router

You can check the Chinese version of this report here.

Apparently there is an active attack in the wild. It targets dd-wrt routers with a weak root password. After it successfully logs in to the router, it either changes the startup script (a case reported 2 months ago) or changes the DNS setting by adding
address=/#/119.226.118.217
Then all internet requests from the local network are directed to http://update.windows.com/.kb910 , prompting the user to download a kb91021753.exe "patch". At that point, update.windows.com also points to the malicious website 119.226.118.217.

Only after you install the malicious kb91021753.exe (which carries a keylogger and remote control) can you bypass the affected router and access the internet. Alternatively, go to the DNS settings of your network connection and set the DNS server to 8.8.8.8, Google's free DNS server, because that is how kb91021753.exe bypasses the affected router.

To prevent this attack, please set a strong password for dd-wrt and/or disallow remote login.

If your router has been hacked, you can either clear all of nvram and reload a clean image, or figure out what was modified. Checking the startup scripts and the Additional DNSMasq Options might help.

If you have executed kb91021753.exe, you should immediately update your antivirus software to the latest definitions. For Symantec users, download the newest Rapid Release.

Check the DNS server of your network connection. You might want to reset it to Automatic.

Other attack cases: 1, 2.

This isn't anything that's so dangerous to write a post about. Anyone knowing how to flash ddwrt etc would know the basic safety measures to fend off such attacks. And as people pointed out, it is easy to spot from any non-windows machine in the same network, even if the weird behavior of windows did not alert the user enough.
 
You need to make sure that your connection is safe from potential hackers.
 
Using a secure connection will assure you safe browsing. Always be mindful of the links you are clicking and web sites that you're visiting. You'll never know if you've been attacked if you don't have a secured connection.

 

Saturday, July 2

An attack: Initiated from attacking dd-wrt router (An attack launched from the router)

English version of this report can be found here.

First, my guess is that the attacker guessed the password, telnetted into the dd-wrt router, and added one line to Additional DNSMasq Options:
address=/#/119.226.118.217
Someone on the forum reported that their router's startup script had been modified to change DNS in a very convoluted way.

In short, once the router is compromised, all internet access from the LAN is resolved to 119.226.118.217, a server located in India, and then redirected to the page http://update.windows.com/.kb910, which pretends to be an official Microsoft notice and urges the visitor to download the kb91021753.exe patch immediately. Note that at this point update.windows.com is also resolved by DNS to 119.226.118.217.

At the time, the three computers on this LAN were running antivirus software from different vendors, and none of them raised an alert.

So I assumed Microsoft had suffered a major security hole and was using this unconventional method (a Microsoft warning on every internet access) to tell everyone to install the patch, and I ran kb91021753.exe. At that point the malware had succeeded: it installed a keylogger and a remote control module and changed the DNS settings, so that the computer could bypass the tampered router and access the internet normally.

Only after I could access the internet again was I able to find out that Microsoft had not had any major breakdown. By then three of my computers had already installed this "patch"; fortunately one more was still clean and kept showing update.windows.com, so from it I could find that the DNS had been changed. I then found another complaint on the dd-wrt forum, which confirmed that I had been hacked.

After a careful comparison, I confirmed on the dd-wrt router that Additional DNSMasq Options had been modified. After correcting it and rebooting the router, the clean computer could access the internet normally. I changed the access permissions so that telnet is only allowed from inside the LAN and remote login is refused.

For the computers that had installed the "patch", I submitted the relevant information to Symantec; two hours later it was confirmed as a new malicious file and a corresponding update was released. After updating the signatures (Live Update), the antivirus software can detect and remove it.

Update: a dd-wrt user in Hong Kong has also reported the same attack.

For a LAN with no Windows machines, wouldn't this give itself away immediately?