An attack: Initiated from attacking dd-wrt router
You can check the Chinese version of this report here.
Apparently there is an active attack in the wild. It targets dd-wrt routers with a weak root password. After it successfully logs in to the router, it either changes the startup script (as seen 2 months ago) or changes the DNS setting by adding the following dnsmasq option:

address=/#/119.226.118.217

This wildcard rule makes dnsmasq resolve every domain name to that address, so all internet requests from the local network are directed to http://update.windows.com/.kb910 , which prompts the user to download a kb91021753.exe "patch". By that time, update.windows.com is also pointing to the malicious website 119.226.118.217.
Only after you have installed the malicious kb91021753.exe (which contains a keylogger and remote control) can you bypass the affected router and access the internet. Alternatively, go to the DNS setting of your network connection and set the DNS server to 8.8.8.8, Google's free DNS server, because that is how kb91021753.exe bypasses the affected router.
To prevent this attack, please set a strong password for dd-wrt, and/or disallow remote login.
If your router has been hacked, you can either erase all of the nvram and reload a clean image, or figure out what was modified. Checking the startup scripts and the Additional DNSMasq Options might help.
If you have executed kb91021753.exe, you should immediately update your antivirus software to the latest definitions. Symantec users should download the newest Rapid Release.
Check the DNS Server of your network connection. You might want to reset that to Automatic Setting.
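The following shell script is an added example, not part of the original post: it audits dnsmasq option text for the wildcard address rule described above, so a router owner can confirm whether the Additional DNSMasq Options or startup script still carries the redirect after cleanup. The sample option text is constructed; the nvram variable names dnsmasq_options and rc_startup used in the usage comment are assumed to match the dd-wrt fields.

```shell
#!/bin/sh
# Added example, not code from the original post: audit dd-wrt dnsmasq settings
# for a wildcard "address=/#/<ip>" rule, which sends every DNS lookup on the LAN
# to a single IP address (the redirect used in this attack).

# Print the number of wildcard address rules in the text passed as $1.
count_wildcard_dns() {
    printf '%s\n' "$1" | grep -c -E '^[[:space:]]*address=/#/' || true
}

# Print each wildcard rule in $1 with a warning; return 1 if any exist, 0 if clean.
check_dnsmasq_options() {
    hits=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*address=/#/' || true)
    if [ -n "$hits" ]; then
        printf 'WARNING: wildcard DNS redirect found:\n%s\n' "$hits"
        return 1
    fi
    echo "OK: no wildcard address rules"
    return 0
}

# Constructed sample of an "Additional DNSMasq Options" field after compromise.
HIJACKED='dhcp-option=6,192.168.1.1
address=/#/119.226.118.217'

# Constructed sample of a clean field: a single-domain override is normal and
# is not flagged, since only the "#" wildcard captures every name.
CLEAN='dhcp-option=6,192.168.1.1
address=/printer.lan/192.168.1.50'

# On the router itself you would feed the real settings in, assuming the
# dd-wrt nvram variable names dnsmasq_options and rc_startup:
#   check_dnsmasq_options "$(nvram get dnsmasq_options)" || echo "router needs cleanup"
#   check_dnsmasq_options "$(nvram get rc_startup)"      || echo "router needs cleanup"
check_dnsmasq_options "$HIJACKED" || echo "router needs cleanup"
check_dnsmasq_options "$CLEAN"    || echo "router needs cleanup"
```

The pattern anchors on the line start so that a commented-out rule is still reported; review any hit by hand rather than trusting the dhcp-option or other surrounding lines, since the startup script can rewrite them at boot.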
Other attack cases: 1, 2.
3 Comments:
This isn't anything that's so dangerous to write a post about. Anyone knowing how to flash ddwrt etc would know the basic safety measures to fend off such attacks. And as people pointed out, it is easy to spot from any non-windows machine in the same network, even if the weird behavior of windows did not alert the user enough.
You need to make sure that your connection is safe from potential hackers.
Using a secure connection will assure you safe browsing. Always be mindful of the links you are clicking and web sites that you're visiting. You'll never know if you've been attacked if you don't have a secured connection.
Shared hosting for everyone.