An attack: Initiated from attacking dd-wrt router
You can check the Chinese version of this report here.
Apparently there is an active attack in the wild. It is targeting dd-wrt routers with weak password for root. After it successfully logs in the router, it changes startup script (2 monthes ago) or change DNS setting by adding
address=/#/220.127.116.11Then all internet requests from local network are directed to http://update.windows.com/.kb910 , prompting to download kb91021753.exe pactch. By that time, update.windows.com is also pointing to the malicious website 18.104.22.168.
Only after you installed the malicious kb91021753.exe (with keylogger and remote control) then you can bypass the affected router to access internet. Or you can go to DNS setting of your network connection to set DNS Server to 22.214.171.124, Google's free DNS server, because that is how the kb91021753.exe bypass the affected router.
To prevent this attack, please set a strong password for dd-wrt, and/or disalow remote login.
If your router has been hacked, you can either clean all the nvram and reload a clean image, or figure out what was modified. Checking the startup scripts and the Additional DNSMasq Options might help.
If you have executed the kb91021753.exe, you should immediately update your antivirus software to latest update. For Symantec users, you should download the newest Rapid Release
Check the DNS Server of your network connection. You might want to reset that to Automatic Setting.
Other attack cases:1, 2.
Using a secure connection will assure you safe browsing. Always be mindful of the links you are clicking and web sited that you're visiting. You'll never know if you've been attacked if you don't have a secured connection.|
Shared hosting for everyone.