How to Check Your Router for Malware

[Batu69]

Consumer router security is pretty bad. Attackers are taking advantage of lackadaisical manufacturers and attacking large amounts of routers. Here’s how to check if your router’s been compromised.

The home router market is a lot like the Android smartphone market. Manufacturers are producing large numbers of different devices and not bothering updating them, leaving them open to attack.

How Your Router Can Join the Dark Side

Attackers often seek to change the DNS server setting on your router, pointing it at a malicious DNS server. When you try to connect to a website — for example, your bank’s website — the malicious DNS server tells you to go to a phishing site instead. It may still say bankofamerica.com in your address bar, but you’ll be at a phishing site. The malicious DNS server doesn’t necessarily respond to all queries. It may simply time out on most requests and then redirect queries to your ISP’s default DNS server. Unusually slow DNS requests are a sign you may have an infection.

Sharp-eyed people may notice that such a phishing site won’t have HTTPS encryption, but many people wouldn’t notice. SSL-stripping attacks can even remove the encryption in transit.

Attackers may also just inject advertisements, redirect search results, or attempt to install drive-by downloads. They can capture requests for Google Analytics or other scripts almost every website use and redirect them to a server providing a script that instead injects ads. If you see pornographic advertisements on a legitimate website like How-To Geek or the New York Times, you’re almost certainly infected with something — either on your router or your computer itself.

Many attacks make use of cross-site request forgery (CSRF) attacks. An attacker embeds malicious JavaScript onto a web page, and that JavaScript attempts to load the router’s web-based administration page and change settings. As the JavaScript is running on a device inside your local network, the code can access the web interface that’s only available inside your network.

Some routers may have their remote administration interfaces activated along with default usernames and passwords — bots can scan for such routers on the Internet and gain access. Other exploits can take advantage of other router problems. UPnP seems to be vulnerable on many routers, for example.

How to Check

[Cereberus]

good tips. and it's for this reason i use third party firmware in my case shibby tomato.

he regularly updates the router firmware with the latest ssl and other security/performance patches among other things.

[Cereberus]

i forgot to mention that the FCC has taken a weird stance, to be anti third party firmware for groups like dd-wrt, and most likely tomato as well

http://www.extremetech.com/computing/213351-new-fcc-rules-could-ban-dd-wrt-and-router-modification

which is ironic, because it is due to these third party firmware, which has helped patched in security fixed as soon as their released. so why are the fcc so against them ?

[thunderpants]

deleted

[CODYQX4]

i forgot to mention that the FCC has taken a weird stance, to be anti third party firmware for groups like dd-wrt, and most likely tomato as well

http://www.extremetech.com/computing/213351-new-fcc-rules-could-ban-dd-wrt-and-router-modification

which is ironic, because it is due to these third party firmware, which has helped patched in security fixed as soon as their released. so why are the fcc so against them ?

Apparently because of some deluded belief that someone would screw up the frequencies for shits and giggles, and wouldn't be able to without CFW. Because you totally couldn't just build your own radio for that.

Meanwhile, I've yet to use CFW that caused such an issue.