The Washington Post reports on new ZLOB variants that tinker with an infected user’s router to redirect legitimate URL requests to wholly different sites.
Trend Micro researchers have obtained samples like these in the wild, TROJ_ZLOB.CCT and TROJ_ZLOB.CCS. They are different from past ZLOB variants (and even from the DNS-changing ZLOBs) because of the specific attempt to target the user’s router. Routers are devices that pass data packets along different networks. Here is the attack algorithm of TROJ_ZLOB.CCT:
1. The Trojan first calls the Web page file used in setting up routers for initial use. The file names used suggest that targeted routers may include Linksys and D-Link.
2. Upon accessing the configuration page, the Trojan tries a pre-defined list of username and password combinations.
3. If login succeeds, the Trojan modifies the router’s DNS settings so that all traffic is led to malicious URLs.
The danger of these modifications lies in whatever nasty surprises malware writers have in store on the URLs to which traffic is redirected. Users who are unaware of the infection may click on links on the site, trust its contents, or give up confidential information thinking they are still surfing in safe territory. Note that all PCs that use the affected router might have the same experience, since the requests are modified on the “gate” itself.
If the Trojan has already changed the router settings (and it does so the moment it is executed), the system’s traffic may still be in trouble even after the malware has been completely removed. Thus the cleanup that needs to be done is two-fold: the PC must be rid of the Trojan, and the router itself must be reset (including changing the password and/or the user name for the router).
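Because the hijack lives on the router, a clean PC behind a rigged router keeps getting rogue DNS. The following added check (example code written for this post, not a Trend Micro tool) flags resolvers a host received that are neither the router’s own LAN nor an allowlisted provider, and compares answers for a few canary names against a trusted reference resolver; the LAN range, allowlist and sample data are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Addresses a home network legitimately resolves through: the router's own
# LAN (it forwards upstream) and any resolver the owner knowingly chose.
# Both values are constructed for this example; adapt them to the network.
LAN = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

def parse_nameservers(resolv_conf: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def audit_resolvers(resolv_conf: str) -> List[str]:
    """Return resolvers that are neither on the router's LAN nor on the
    allowlist: what a DHCP client sees once the router's DNS was changed."""
    suspicious = []
    for addr in parse_nameservers(resolv_conf):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            suspicious.append(addr)  # not even an address: flag it
            continue
        if ip not in LAN and addr not in TRUSTED_RESOLVERS:
            suspicious.append(addr)
    return suspicious

def divergent_answers(system_answers: Dict[str, str],
                      reference_answers: Dict[str, str]) -> List[str]:
    """Names whose A record via the router differs from a trusted reference
    resolver. Useful after cleanup: the PC may be clean while the router
    still hands out rogue DNS."""
    return sorted(name for name, ip in system_answers.items()
                  if reference_answers.get(name) != ip)

# Constructed sample input: DHCP pushed an unknown public resolver next to
# the router, and a canary name resolves differently than it should.
SAMPLE_RESOLV_CONF = "nameserver 192.168.1.1\nnameserver 203.0.113.50\n"
SAMPLE_SYSTEM = {"bank.example": "198.51.100.7", "mail.example": "192.0.2.20"}
SAMPLE_REFERENCE = {"bank.example": "192.0.2.10", "mail.example": "192.0.2.20"}

if __name__ == "__main__":
    print("suspicious resolvers:", audit_resolvers(SAMPLE_RESOLV_CONF))
    print("divergent names:", divergent_answers(SAMPLE_SYSTEM, SAMPLE_REFERENCE))
```

Feed `audit_resolvers` the host’s real resolver configuration and `divergent_answers` the results of querying a few known names through the router and through a resolver you trust; any hit after a PC cleanup means the router still needs resetting.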
DNS changers are not new entrants to the threat landscape. Recently, half a million Web sites were compromised to download ZLOB variants, which in turn drop code that changes users’ DNS and browser settings. In another high-impact attack, DNS changers in Mexico also installed botnet clients on victims’ PCs.
Do we expect more router-rigging malware in the future? You bet. Computer users hardly ever take the time to change their router passwords, and some are not even aware that such a feature can be hijacked in the manner illustrated above. A strong password may be the only thing standing between re-routing hell and a PC impenetrable by router-hacking malware. Best practices for creating strong passwords include using a mix of alphanumeric characters, symbols, and uppercase and lowercase letters. Passwords should be at least eight characters long and should be changed regularly.
The list of user names and passwords used by the ZLOB variants can be found in the technical details of TROJ_ZLOB.CCT. Needless to say, you should not be able to find your password in the said list.
Further reading: Rogue DNS servers are discussed in detail in a report by Feike Hacquebord and Chenghuai Lu, both Trend Micro analysts.