Posted: 17th Jun, 2008 By: MarkJ
Security experts at
Trend Micro have warned that new variants of the ZLOB Trojan are becoming quite effective at hijacking broadband routers, such as those manufactured by D-Link & LinkSys. The variants, such as
TROJ_ZLOB.CCT and
TROJ_ZLOB.CCS, tinker with an infected users router to redirect legitimate URL requests to wholly different sites:
Attack algorithm of TROJ_ZLOB.CCT:
1. The Trojan first calls the Web page file used in setting up routers for initial use. The file names used suggest that targeted routers may include Linksys and D-Link.
2. Upon accessing the configuration page the Trojan is able to test out a pre-defined list of username and password combinations.
3. If entry is successful the Trojan modifies the systems DNS records to lead all traffic to malicious URLs.
The attack algorithm suggests that once the Trojan has infected your computer, it targets your router using a default list of username and password combinations. ISPs and manufacturers typically ship their broadband routers with a common pre-defined login and password, which many consumers often fail to change.
Failing to customise your routers login and password could leave you very vulnerable to this Trojan, so it is important to take action. Usually doing this is a simple case of logging in with the default details and then just finding the menu for the change. Note: DO NOT alter your ISPs username and password details; those are separate from the routers.
The danger of these modifications lie in whatever nasty surprises malware writers have in store on the URLs to which traffic is redirected. Users who are unaware of the infection may click on links on the site, trust its contents, or give up confidential information thinking they are still surfing in safe territories. Note that all PCs that use the affected router might have the same experience since the requests are modified on the gate itself.
If the Trojan has already changed the router settings (and it does so the moment it is executed) the systems traffic may still be in trouble even after the malware has been completely removed. Thus the cleanup that needs to be done is two-fold: the PC must be rid of the Trojan and the router itself must be reset (including changing the password and/or the user name for the router).