Sunday, July 3

An attack: Initiated from attacking dd-wrt router

You can check the Chinese version of this report here.

Apparently there is an active attack in the wild. It targets dd-wrt routers with a weak root password. After it successfully logs in to the router, it changes the startup script (as seen 2 months ago) or changes the DNS settings by adding
Then all internet requests from the local network are directed to , prompting the user to download the kb91021753.exe patch. By that time, is also pointing to the malicious website.

Only after you have installed the malicious kb91021753.exe (with keylogger and remote control) can you bypass the affected router to access the internet. Alternatively, you can go to the DNS settings of your network connection and set the DNS server to , Google's free DNS server, because that is how kb91021753.exe bypasses the affected router.

To prevent this attack, please set a strong password for dd-wrt and/or disallow remote login.

If your router has been hacked, you can either clear all the nvram and reload a clean image, or figure out what was modified. Checking the startup scripts and the Additional DNSMasq Options might help.

If you have executed kb91021753.exe, you should immediately update your antivirus software to the latest update. Symantec users should download the newest Rapid Release.

Check the DNS server of your network connection. You might want to reset it to Automatic.

Other attack cases: 1, 2.

This isn't anything that's so dangerous to write a post about. Anyone knowing how to flash dd-wrt etc. would know the basic safety measures to fend off such attacks. And as people pointed out, it is easy to spot from any non-Windows machine in the same network, even if the weird behavior of Windows did not alert the user enough.
You need to make sure that your connection is safe from potential hackers.
Using a secure connection will assure you safe browsing. Always be mindful of the links you are clicking and web sites that you're visiting. You'll never know if you've been attacked if you don't have a secured connection.


Saturday, July 2

An attack: Initiated from attacking dd-wrt router (An attack launched from a router)

English version of this report can be found here.

First, my guess is that the attacker guessed the password, telnetted into the dd-wrt router, and added one line to the Additional DNSMasq Options:

In short, after the router was attacked, all internet access from the LAN was resolved to 119.226.118.217, a server located in India, and then redirected to the page, which posed as an official Microsoft notice demanding that visitors urgently download the kb91021753.exe patch. Note that at this point was also being resolved by DNS to 119.226.118.217.

After a careful comparison, I confirmed on the dd-wrt router that the Additional DNSMasq Options had been modified. After correcting it and rebooting the router, clean computers could access the internet normally. I changed the access permissions so that telnet is only allowed from within the LAN and remote login is refused.

As for computers that had already installed the "patch", I submitted the relevant information to Symantec. Two hours later it was confirmed as a new malicious file and a corresponding update was released; once the signatures are updated (Live Update), the antivirus software can detect and remove it.


For a LAN with no Windows machines, wouldn't this give itself away immediately?