Scott Hanselman

Router redirecting to unwanted Adobe Flash update malware site - Moon Virus?

May 29, '15 Comments [37] Posted in Tools

Bear with me, for now this will be a tiny post, a placeholder, but I am looking for feedback, ideas, comments and I will keep this post updated.

The scenario: My local sandwich shop where I often hang out and work remotely has a wireless router that started to redirect me to a fake "update your flash" and download a "Install flashplayer_10924_i13445851_il345.exe" malware file. There are no viruses, rootkits, or malware on my PC. This affects their PoS (Point of Sale) system, tablets, iPhones. Also, it's not a DNS hijack, as the URL from the HTTP doesn't change. It's a MitM attack (Man in the Middle) where x number of HTTP GETs work fine and then every few hundred the router returns its own HTML. The requestor doesn't know the difference.

The router he has is a V1000W Wireless N VDSL Modem Router. I'm suspecting the "Moon" virus but I'm not sure, as this isn't a Linksys. The firmware is ancient from 2009 and that's the latest one I can find.

Before you reply:

  • I'm technical, but the public is often not. Comments like "run openwrt" are certainly valid for a techie, but I'd like to know something more populist:
    • Can this router (and others like it) be fixed? Or is this bricked? Can I flash it with the original firmware to restore?
    • Remote management isn't enabled. What port did the attack happen on?
    • How can I confirm it has it (all signs point to it) with some curl command?
  • What routers have this? What is the source?
  • What can a regular Jane/Joe do about this if they have Frontier/FIOs/CenturyLink, etc?

Thoughts?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Friday, 29 May 2015 23:36:10 UTC
Scott,

I am just going to take a stab at one of your sub questions at this time: "Remote management isn't enabled. What port did the attack happen on?"

Remote management didn't have to be enabled for someone INSIDE the sandwich shop to access the router. However, with a wireless access point set up purposefully for "public" access, the router should be configured to not allow access to the management interface over wireless (only wired LAN access). I am not entirely sure if all routers support that configuration.

For a regular Jane/Joe, this is less likely to happen; the attacker would have had to be on the local wireless network. With a weak WEP/WPA password, it's certainly possible though.

I would think the answer to "can this be fixed" will require thorough documentation from the manufacturer or support, or some trial-and-error with firmware flashing. I suspect it's possible the router may not re-flash with the same version of the firmware that it already has.

If the firmware is from 2009, I won't ask how old the router is. Perhaps it's a wise business decision for the sandwich shop to purchase a new one with better security (in the interest of protecting its customers).

HTH,

Sven.
Friday, 29 May 2015 23:38:45 UTC
I had a similar situation with a Linksys DSL router. I just did the factory reset AND changed the password afterwards. Since then it has been working smoothly. With a quick Google search for your model I found the manual, which shows that the average Joe can do the factory reset to the original settings.
Fidel Orozco
Friday, 29 May 2015 23:54:01 UTC
Up here in Canada Telus had an issue with the same brand, but a different model, where the firmware allowed a backdoor password for techs to use to get access. Using this password also opened up a much more robust admin set of features. I am guessing this is how they got access to it. I seem to recall a way to remove the backdoor password from the system. Not sure what provider the sandwich shop got this device from, but possibly the backdoor is still there.
WilliamH
Saturday, 30 May 2015 00:40:39 UTC
It's a MitM attack (Man in the Middle) where x number of HTTP GETs work fine and then every few hundred the router returns its own HTML


Detecting it...

If the above statement holds true, somebody could make a simple web page that will make a hundred or so ajax requests and inspect the result. Once the result doesn't match what was expected, you can look a little closer and maybe confirm the infection(?).

Dealing with it...

If I found that my device had the infection, I would try the factory reset button, and test again after that. If the issue persisted after that and it's a leased modem/router then I would just get it replaced by the ISP or whatnot. If it's privately owned and I weren't technical enough to re-flash it myself, or recruit a "guy" (say maybe a Microsoft Software Engineer that frequents my sandwich shop) then I feel like there is no other option than to replace the device. :'(

Possible Source...

I bet the source of the issue came from a bad guest that joined the LAN. Probably a horrendously infected machine that threw everything it could at whatever gateway it found on the current network.
Brandon Kepke
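Added example (not part of the original post or comments): the repeated-request check suggested above, done from a script instead of a web page. It fetches one static plain-HTTP resource many times and reports any response that differs from the most common one; the marker strings, the constructed sample bodies and the `.invalid` URL are assumptions for illustration.

```python
import hashlib
import http.client
import urllib.request
from collections import Counter

# Assumed substrings worth flagging in a deviating response; they follow the
# post's description of the fake page ("update your flash", an .exe download).
MARKERS = (b"flash", b".exe")


def fetch_body(url, timeout=5):
    """GET url and return the raw body. Use http://, since HTTPS is not rewritten silently."""
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def find_deviations(bodies, markers=MARKERS):
    """Return one finding per body that differs from the most common body."""
    if not bodies:
        return []
    digests = [hashlib.sha256(b).hexdigest() for b in bodies]
    baseline = Counter(digests).most_common(1)[0][0]
    findings = []
    for index, (body, digest) in enumerate(zip(bodies, digests)):
        if digest == baseline:
            continue
        lowered = body.lower()
        findings.append({
            "request": index,              # position among successful requests
            "length": len(body),
            "sha256": digest,
            "markers": [m.decode() for m in markers if m in lowered],
            "preview": body[:80],
        })
    return findings


def probe(url, count=300, fetch=fetch_body):
    """Request the same static resource `count` times; return (findings, errors)."""
    bodies, errors = [], 0
    for _ in range(count):
        try:
            bodies.append(fetch(url))
        except (OSError, http.client.HTTPException):  # URLError, timeouts, cut-off reads
            errors += 1
    return find_deviations(bodies), errors


# Constructed sample data so the check can be exercised offline.
GOOD = b"<html><body>static test page</body></html>"
INJECTED = (b'<html><body>Update your Flash Player: '
            b'<a href="/flashplayer_example.exe">install</a></body></html>')


def demo():
    """Simulate 300 requests in which request 217 comes back replaced."""
    replies = [GOOD] * 299
    replies.insert(217, INJECTED)
    it = iter(replies)
    return probe("http://static-page.invalid/", count=300, fetch=lambda url: next(it))


if __name__ == "__main__":
    found, failed = demo()
    for finding in found:
        print(finding)
    print(f"{len(found)} deviating response(s), {failed} failed request(s)")
```

For a real run, point `probe()` at a static page whose bytes never change, ideally one you host yourself; dynamic pages differ between requests on their own and will produce false findings.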
Saturday, 30 May 2015 01:35:54 UTC
If the router is in fact leased/owned by the ISP, I would say call and have them send out a technician to take care of it. Depending on the ISP and their contract, you could end up violating the Terms of Service by attempting to fix it yourself.

If the router is owned by the sandwich shop, I would echo Fidel and Brandon's advice to trigger a factory reset. Though if the latest firmware is from 2009, it's only a matter of time until it gets infected again. It would probably be wise to look into getting a replacement.
Saturday, 30 May 2015 02:00:32 UTC
Excellent point that the attack likely came from the inside.
Scott Hanselman
Saturday, 30 May 2015 04:44:52 UTC
I am with Sven about the attack most likely originating from the internal interface of the router and most likely the wireless rather than the LAN, however it may not have been a customer and may have been an "external", war-driving style attack.

Just because Remote Admin is not enabled now, does not mean that it was always disabled. However it should be disabled on the wireless interface, but given the age of the device this may not be possible in the firmware, although honestly most have been capable of this for years.

Given the location, use and age of the device I would hazard a guess that the router had WEP or no encryption in use.

As a matter of investigation I would see if the router has SSH access (most are based on some sort of *nix distro so therefore do) and you may be able to see in there what has happened, 5 or 10 minutes of poking around may find it.

For resolution for immediate fix I would try to fix the router with a re-flash and see what happens, otherwise replace it with a loan one (I normally keep a couple of older ones handy).

Short term I would investigate two approaches;

Many newer routers such as a couple of Netgear's I have installed over the past few months have had a guest network capability that I believe is meant to isolate clients from each other, I would look further into that and see if it does do what it claims.

My second and preferred approach although more costly would secure things to a greater point, which would be consisting of a real router that either understands VLANs, or a Layer 3 switch (only needs a couple of ports as it's essentially going to be a router, this option is sometimes cheaper than a good router).

I would firstly segregate all data from the shop onto its own VLAN, and guests onto another with no routing between the two, and all administrative functions blocked via ACL from the guest side. I would then, depending on the client's requirements (does the store need access to their VLAN on the wireless), use either two WAPs, one on each VLAN, to pump out two SSIDs (with the private one being hidden of course, provided all equipment can support it, some older industrial equipment cannot, and can only use WEP, which of course provides its own issues and changes the spec a little), and turn wireless client isolation on, on the guest network. This way guests' devices cannot communicate directly between each other to minimize the chance of any issues on one device affecting others.

Otherwise I would use only the one WAP for the guest network, again with Wireless Client Isolation on, or use something along the lines of an Aerohive unit where I can trunk both VLANs to the device and then dump the users on the appropriate VLAN using either multiple SSIDs or user based routing rules that they have the capability of implementing.

Might sound like a bit of overkill, and probably is, but it minimizes the chance of things infecting and interacting with one another whilst still providing a workable solution that is within many budgets, perhaps not what you (or they) would be looking for suggestion wise but certainly much more secure and future proof.
Saturday, 30 May 2015 04:59:23 UTC
Are you suggesting that it is not a DNS hijack on the fact that URL stays same but the redirects are arbitrary?

I have seen a router DNS hijack where a common URL (such as Google Analytics/GA) js would be hijacked by pointing to a rogue server. Here the rogue server would sometimes serve the regular GA script while other times a malicious script which would redirect/iframe to malware/ads.

Abhay S
Saturday, 30 May 2015 07:02:11 UTC
Next time you're at the sandwich shop, could you record the requests/responses with Fiddler or the like? It would be interesting to see the HTML the router is injecting and might help to identify the exploit.
Abe J
Saturday, 30 May 2015 07:21:21 UTC
I have seen the same kind of attack like Abhay's one, in my case it was the YouTube page that was trying to update Flash Player in my Chrome :-). Check the DNS settings of the router.

Some routers have buggy firmware that allows resetting the admin password (like described here). Replacing the router with some new model is the best option.

Wacek
Saturday, 30 May 2015 07:57:09 UTC
Look at http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/

Check if Port 32764 is open.
Thomas
Saturday, 30 May 2015 11:10:16 UTC
I know you said DD-WRT is out of the question, because it's not helpful to the general public, but I'd actually like to disagree. If somebody wanted to have a birthday party for their kid, and didn't have a lot of money, I'd tell them to make the cake themselves, to save money on the exorbitant price that places charge for pre-made cakes. I'm not even talking from scratch, but simply a Betty Crocker box of cake with a can of icing.

I think this is about the same difficulty as installing DD-WRT on a supported router. If you can get into the router to update the firmware, installing a different firmware from DD-WRT isn't really much harder. It really isn't more difficult than following a few simple instructions like one would do for making a cake or assembling some IKEA furniture. If they do end up bricking the router, they have to buy a new one, but the router is at least 6 years old and having decent firmware on the box is probably the only thing that will stop this from happening again in a couple weeks.

Also, this is a business venture. They have a responsibility to their customers. If they are going to offer free Wi-Fi, they should make sure they are doing it well, or not do it at all. If people come in and want to use the Wi-Fi, it should be reasonably secure and reliable. If you don't have the know how or money to get it done right, just run your shop without it. If you think that customers are not going to come if you don't have Wi-Fi, then pay a professional to get the job done right.

Do a cost-benefit analysis of having a good reliable service Wi-Fi vs. having no Wi-Fi vs. having service that is insecure and unreliable. Most likely no Wi-Fi would come out ahead of having bad Wi-Fi.
Saturday, 30 May 2015 13:21:30 UTC
This happened to me a while back - I had my router setup to use google's public DNS server, which had been compromised. Every time I went to youtube.com, it asked me to update to a bogus flash version. Because it was the DNS, the url looked legit.
Paul
Saturday, 30 May 2015 14:10:41 UTC
Interesting exercise for us, but less so for the business owner.

I owned a gaming center with WiFi, 45 stations and public wired lan ports for 13 years. I've seen stranger things.

Toss the device, get something modern and go back to making great coffee for Scotts.
bill
Saturday, 30 May 2015 14:16:11 UTC
I've seen this before and it is a dhcp dns hijack. Changing the local dns to a safe server like google's circumvents the problem until you can reconfigure your router.
dani
Saturday, 30 May 2015 15:06:09 UTC
I think the problem is largely the disposable router business model. These devices are so cheap that the manufacturer doesn't intend to support them on an ongoing basis. Solutions:

- buy new wifi routers periodically

- buy mid-market SOHO brands with good history of updates that are substantially more expensive than entry level but affordable like Apple AirPort Extreme, Ruckus Xclaim, Ubiquiti UniFi, or Cisco Meraki marques. Some of these are more business-ey than others.

- more homebrew techie solutions like custom firmware from open source projects.

Essentially the solutions are buy into disposable model and do regular replacements, buy into an ecosystem with sustainable pricing, buy into a DIY FOSS solution.
Saturday, 30 May 2015 15:08:03 UTC
Another way would be if an attacker on wifi has extended the wireless network and acts as a bridge between the original and the malicious access point. Using arp poisoning he should be able to make some clients think he is the gateway for the network and intercept traffic, generating specific responses for certain http requests (I doubt https, because that would require trusting a cert from your sandwich shop access point to work).

An easy way to check for rogue access point signals is using the inSSIDer tool. It used to be freeware http://www.techspot.com/downloads/5936-inssider.html but the new one is $19,99 (originally from http://www.metageek.com/products/inssider/)

Good luck on figuring this out, not the easiest of things to troubleshoot. Easiest way to recover would be setting up a new access point following Justin's advice ^^.



Carlo kuip
Saturday, 30 May 2015 15:20:53 UTC
Hi,
I need help.
I've been thinking about building a converter in C or C++, but I don't know how to start it, and I'm a beginner. Which language should I use?
lovepreet multani
Saturday, 30 May 2015 17:22:27 UTC
An IoT world of devices sounds great but imagine the following customer service phone call:

"My washing machine is mechanically sound and only 4 years old, what do you mean you can't repair it?"

"I'm sorry madam but your IoT-enabled GTX-1501 product with revision A firmware cannot be repaired. We have arbitrarily decided that your product is end-of-life and do not support firmware updates anymore. Thanks to our unreasonably short product life-cycle policy though we do have a shiny new GTX-1502 with revision B firmware that will solve your problem."

This notion of ending support for embedded firmware updates for products needs to be addressed for a sane IoT world to work. My Dad had a washing machine for over 10 years with 1 mechanical repair required before it completely failed. How is that kind of kitchen appliance product longevity compatible with the kind of unreasonably short life-cycles of firmware-reliant, Internet-connected products susceptible to malware?

At the least we should see all IoT-enabled product manufacturers adopting an extensible firmware interface, such as UEFI, from the outset, allowing the delivery of unified firmware releases across all products regardless of age. Inflexible and highly customised firmware solutions will not cut it when you consider firmware updating is likely a completely alien concept to consumers in the kitchen appliance market.

Darren Evans
Saturday, 30 May 2015 23:15:42 UTC
To echo Dani's comment, this sounds like a compromised DNS configuration.

The manual for the Actiontec V1000H suggests two places this could be compromised in the router's config.

1. DNS server published by the router's DHCP server. This is usually the same as the router's own IP address. If IPCONFIG /ALL shows that the DNS server and the Default Gateway are different, then the DNS server listed needs checking.

2. More subtly, the remote DNS server configured on the router's WAN page may be hard-coded to a malicious server. It's harder to detect this from a connected PC, unless you have access to the router's configuration.

In both cases, if you configure your PC's network settings to use Google's 8.8.8.8 DNS server instead of allowing it to be configured dynamically, the problem should go away. If it doesn't, then it's a different issue.

Scott, just to mention it: at first, when I read "update your flash", I immediately thought the issue was an old router that had been programmed to helpfully check for remote firmware updates periodically from time-to-time, and to periodically redirect HTTP connections to a firmware update page if a new release was available, similar to the way captive portals prompt for user agreement to T&Cs on some free Wi-Fi points. If the domain name hosting the firmware page had expired, and been captured by pirates, it could do whatever it liked.

(A few years ago, Linksys's DMA Media Center Extender ran into problems of this sort, when Cisco accidentally removed an update server it was relying on; pretty much all US DMA owners found themselves with a bricked device unless they disconnected from the Internet before booting it up.)

Anyway, having read the V1000H manual, there doesn't seem to be any captive portal option so it's almost certainly a red herring.

There is apparently the option to download custom Java code to extend the firmware capabilities, but I'm guessing that's a lot more trouble than your average malicious hacker is likely to go to.
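Added example (not part of the original comment): the first check described above, automated by parsing `ipconfig /all` output and listing every DNS server that is not also that adapter's default gateway. The sample output is constructed and uses private and documentation addresses; a listed server only "needs checking", and a resolver you configured yourself (such as 8.8.8.8) will be listed too.

```python
import re

# Constructed sample of `ipconfig /all` output, not captured from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : lan
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.0.1
"""

# "   Key name . . . . : value"; the colon must be followed by whitespace or
# end of line so that an IPv6 continuation line is not mistaken for a field.
FIELD = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:(?:\s+|$)(?P<value>.*)$")


def parse_ipconfig(text):
    """Return {section name: {field name: [values]}} for ipconfig /all output."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():              # unindented line starts a section
            current = sections.setdefault(line.rstrip(":"), {})
            last_key = None
            continue
        if current is None:
            continue
        match = FIELD.match(line)
        if match:
            last_key = match.group("key")
            value = match.group("value")
            current[last_key] = [value] if value else []
        elif last_key:                         # extra value for a multi-valued field
            current[last_key].append(line.strip())
    return sections


def dns_not_gateway(text):
    """Return {adapter: [DNS servers that differ from its default gateway]}."""
    findings = {}
    for name, fields in parse_ipconfig(text).items():
        # Drop an IPv6 zone suffix such as "%12" before comparing.
        gateways = {v.split("%")[0] for v in fields.get("Default Gateway", [])}
        servers = [v.split("%")[0] for v in fields.get("DNS Servers", [])]
        odd = [ip for ip in servers if ip not in gateways]
        if odd:
            findings[name] = odd
    return findings


if __name__ == "__main__":
    for adapter, servers in dns_not_gateway(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: DNS differs from gateway: {', '.join(servers)}")
```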
Sunday, 31 May 2015 14:37:03 UTC
Actiontec Routers are vulnerable to some exploits... please have a look at:
http://routersecurity.org/bugs.php

There are even Exploit Kits in the wild now to automatically attack dozens of router models through internet browsers from the inside...
http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html
Torsten
Sunday, 31 May 2015 19:56:05 UTC
I was also facing this issue..even a lot of my readers at Gadget SuperSite reported this.
Monday, 01 June 2015 00:57:52 UTC
I'm surprised no one has mentioned these yet... I guess Carlo might be hinting at the problem possibly being something like this:

http://hakshop.myshopify.com/collections/wifi-pineapple-kits
Monday, 01 June 2015 15:07:37 UTC
I didn't have a chance to read previous comments, I'm sure someone has thought of similar possibilities. Depending on the router type/capabilities, it might be a firmware issue, or worse than that it might be something behind the router, an ISP vulnerability, or if it's public wifi, there might be ARP/DNS and packet injection involved.
Samer
Monday, 01 June 2015 16:43:21 UTC
I just would like to weigh in on something that was already said. I would just spend time and effort in doing it right with a better router. The investigation is exciting for knowing what happened but the best solution might be cheaper and more robust with updated hardware and a planned approach.
Andre Velloso
Monday, 01 June 2015 17:56:26 UTC
I'd be surprised if this was done from the inside -- these types of things are done for profit, and the "yield" of each infected router is probably not high enough to justify physically driving around, picking up the wifi hotspots, identifying the router, matching it to the exploit, etc. Remote exploit, delivered by mass-scanning the IP ranges seems much more probable, especially if the attacker knows that a particular ISP has a substantial number of vulnerable devices deployed to customers.

In terms of dealing with the issue -- I completely agree with Brian Reiter. Security on the internet does not come for free these days... You have to spend either time or money, or both. For this particular coffee shop getting new hardware from the ISP seems like the best solution (since theirs is a modem/router combo).
max
Tuesday, 02 June 2015 02:01:31 UTC
I believe someone with an infected laptop/device is connected to this network. It will occasionally take over the DHCP and issue IP addresses with a fake DNS entry that redirects you to the malware web site. That is the reason why most of the time the router is good until such a person comes into the shop and connects his/her laptop/device.
JC
Wednesday, 03 June 2015 19:30:36 UTC
Wish I had the beginning of an understanding how an achiever like you, who gets so much done on so many fronts, and has a wife and kids, has the time to play with a $100 router. Yeah, it's fun and rewarding, but how the h do you have the time?
PM
Thursday, 04 June 2015 08:52:51 UTC
See also this list of more than 60 undisclosed vulnerabilities affecting 22 SOHO routers. http://seclists.org/fulldisclosure/2015/May/129
Clemens Schotte
Thursday, 04 June 2015 10:59:59 UTC
Just want to say thank you thank you for getting Windows Live Writer up and running again. I am a fellow blogger, although not a pro blogger, but I am a nature photographer and do depend on Live Writer to do my posts. Thanks again.
Country Gal
Thursday, 04 June 2015 12:09:22 UTC
Does the Router have an USB-Port? If so, it may suffer from the NetUSB bug. Have a look at https://www.grc.com/sn/sn-509.pdf and this tweet by Michael Horowitz https://twitter.com/defensivecomput/status/601444947124826112
Marcel
Friday, 05 June 2015 18:13:38 UTC
I had this problem too. In case someone is looking for a quick solution, this worked for me:
https://forums.malwarebytes.org/index.php?/topic/66992-the-famous-redirect-virus/
Valente
Wednesday, 10 June 2015 08:53:29 UTC
What a information of un-ambiguity and preserveness of valuable knowledge
about unexpected feelings.
Wednesday, 10 June 2015 11:20:56 UTC
It might not require remote management to be on. I've seen hacks that can take over a router when a user behind the router visits an infected website. IE joe blow at Mel's diner connects to the wifi and visits evil bot net dot com (possibly redirected from dirty porn site dot net). Ebn dot com sends a malformed reply packet that first goes through the router before returning to the user. The bad packet forces the router to open a streaming http connection and execute the data that is now being downloaded. Which is how the router possibly got infected.

It also possibly was an unwittingly infected user who accessed the wifi with an infected computer that determined what was running and tried standard default passwords. (That's why many new wifi access points have randomized management passwords printed on the side of the device). Once it was in it then flashed the device with the virus.

There are many vectors for attack of public wifi which is why I use my phone as a hotspot. Two things I don't use in public are restrooms and wifi.
Michael Brown
Monday, 15 June 2015 08:30:36 UTC
There's an additional question: what can Jane/Joe public who use the coffee shop do about it?

In which case I'd suggest using a VPN/Tor, which, as it's encrypted, will make HTML injection hard and, since most VPNs (and Tor) pipe their DNS queries through them, immune to DNS poisoning (not the issue here, I know, but it is an issue sometimes).
scott herbert
Monday, 06 July 2015 09:52:50 UTC
Thanks a lot for this info.

thenewgeeknation
Saturday, 18 July 2015 10:10:22 UTC
I also think that The bad packet forces the router to open a streaming http connection and execute the data that is now being downloaded. And that is the reason why most of the time the router is good until such person come into the shop and connected my pc. So I immediately thought the issue was an old router that had been programmed to helpfully check for remote firmware updates.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.