Security experts at Trend Micro have warned that new variants of the ZLOB Trojan are becoming quite effective at hijacking broadband routers, such as those manufactured by D-Link & LinkSys. The variants, such as TROJ_ZLOB.CCT and TROJ_ZLOB.CCS, tinker with an infected user’s router to redirect legitimate URL requests to wholly different sites:


The attack algorithm suggests that once the Trojan has infected your computer, it targets your router using a default list of username and password combinations. ISPs and manufacturers typically ship their broadband routers with a common pre-defined login and password, which many consumers often fail to change.

Failing to customise your routers login and password could leave you very vulnerable to this Trojan, so it is important to take action. Usually doing this is a simple case of logging in with the default details and then just finding the menu for the change. Note: DO NOT alter your ISPs username and password details; those are separate from the routers.

The danger of these modifications lie in whatever nasty surprises malware writers have in store on the URLs to which traffic is redirected. Users who are unaware of the infection may click on links on the site, trust its contents, or give up confidential information thinking they are still surfing in safe territories. Note that all PCs that use the affected router might have the same experience since the requests are modified on the “gate” itself.

If the Trojan has already changed the router settings (and it does so the moment it is executed) the system’s traffic may still be in trouble even after the malware has been completely removed. Thus the cleanup that needs to be done is two-fold: the PC must be rid of the Trojan and the router itself must be reset (including changing the password and/or the user name for the router).