New malware component changes router's DNS settings remotely

News by Steve Gold

Routers from Cisco, D-Link, Huawei, TP-Link and ZTE have been identified as vulnerable.

New malware research from ESET has spotted a potentially nasty variant of Win32Sality, a trojan-driven botnet that has been around for around 11 years.

The new version, says analyst Benjamin Vanheuverzwijn, continues the modular approach to darkware coding - and since the code is digitally signed, it is both resilient to protocol manipulation, and likely to be treated as legitimate in a corporate environment. 

So what's changed with the new version of the malware? 

Because the trojan is modular, like the infamous Zeus financial malware, cyber-criminals can add to, and even change the direction of, the darkware. 

Just recently, says Vanheuverzwijn, a new component has been seen in the trojan, one that has the ability to change a home/small business broadband gateway router's primary DNS address. So far, he adds, routers from Cisco, D-Link, Huawei, TP-Link and ZTE have been identified as vulnerable to this attack vector.

Vanheuverzwijn says that this component builds on the success of the IP address scanner component - Win32/Brute - that was first spotted in October of last year by Russia's Dr Web security consultancy, and updated this February.

The ESET researcher hints that Win32Sality may feature a very large set of botnets, as his team's research suggests that there are more than 115,000 IP addresses being used as super-peers, which cybercriminals use to keep the botnet alive and propagate commands to regular peers.

Sality's approach to changing a router's DNS is to scan the internet for router admin pages.

The trojan can then change the router's DNS settings using a brute force attack vector - a step that Vanheuverzwijn says allows for everything from the theft of bank credentials to blocking communications with security vendors.

Bob Tarzey, an analyst and director with Quocirca, says that the new attack vector used by Win32Sality is a key one, as, if there is any candidate for outsourcing to a third party expert provider, it is the DNS infrastructure.

"It is a utility, but a critical one. It is obvious that the DNS infrastructure is becoming more and more of an attack target," he said.

Fellow analyst Sarb Sembhi, meanwhile, said that the evolution of Win32Sality highlights the challenge that lies ahead with the 'Internet of Everything', as the rising number of devices in a home or office all tend to route through a single internet gateway, the main router.

"Any point at which we connect to the Internet is potentially vulnerable," he said, adding that, in order to reduce the risk surface, router vendors - and the ISPs that issue routers, usually free of charge, to their customers - need to raise their security game.

"This is because the role of the router is becoming more and more important. As the Internet of Everything takes off, so the available attack surface in a home or office starts to increase. There are already a lot of devices that can use a router as a gateway, and that number will only increase as the Internet of Everything starts to become widespread," he explained. 

Sembhi went on to say that the router security situation caused by Win32Sality is made far worse by the fact that only a small number of users ever bother to update the firmware on their routers, even though they regularly patch and update many other IT systems in the home and/or office.

"It's clear to me that the router vendors and ISPs need to clean their act up. A router has become the single point of failure for a wide range of Internet-linked devices. ISPs and vendors need to develop an auto-updating system for the routers, as well as improve security around the modem itself," he said.

Jon-Marc Wilkinson, distribution manager with WatchGuard, said that the situation with small office and home routers - which are widely used in business - is that ISPs often use standard wireless routers with a legacy built-in firewall for home users.

"These devices are easily compromised by even the simplest attacks," he said. 

"We would recommend using an appliance with pre-configured settings which protect against DNS attacks, straight out of the box. This is extremely important for companies and organisations that adopt distributed enterprise networks, which cater for high levels of home working," he added.
