If you’ve never gotten around to changing the default password on your home Internet router, and there’s a lot of you who haven’t, then you should go change it right now. There’s a new trojan making the rounds that’s really bad news:
A new Trojan horse masquerading as a video “codec” required to view content on certain Web sites tries to change key settings on the victim’s Internet router so that all of the victim’s Web traffic is routed through servers controlled by the attackers.
According to researchers contacted by Security Fix, recent versions of the ubiquitous “Zlob” Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim’s domain name system (DNS) records so that all future traffic passes through the attacker’s network first. DNS can be thought of as the Internet’s phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking equipment to handle.
[…] The type of functionality incorporated into this version of the Zlob Trojan is extremely concerning for a number of reasons. First, Zlob is among the most common type of Trojan downloaded onto Windows machines. According to Microsoft, the company’s malicious software removal tool zapped some 14.3 million instances of Zlob-related malware from customer machines in the second half of 2007.
The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think to look to the router settings, provided the customer’s Internet connection is functioning fine.
Checking router settings is certainly not one of the things I think to do when cleaning up an infected machine as this is a first as far as anyone knows. You can bet it’ll be something I consider looking at from now on, especially if I know the user in question doesn’t know anything about DNS routing. You should always change the default password on your router along with, if possible, the username of the administrator account itself. Attackers don’t have to have physical access to your machine to attack your router any longer.