Malicious program changing my DNSs

2

Some weeks ago I started having problems with my internet connection: it was extremely slow, and suddenly some websites (specifically Gmail, Facebook, YouTube and Twitter) started failing to connect, while the rest connected normally. Some days later, those same websites started showing me a message in Portuguese, "Nova atualização disponível" ("New update available"), whenever I tried to connect, and a .exe file started downloading ("internet_update.exe" or something like that).

That's when I freaked out! It was definitely a virus or something like that, but it was really weird because I had never had a problem like that (I run Linux). So I turned on my old PC (running Windows XP) and it turned out it had the same problem! The same message was shown whenever I tried to connect to one of those specific websites, while the rest loaded without problems. Even on my Android smartphone the same message was shown.

So it was obvious that the problem was not in a particular machine but in the router itself. So I started googling and found some information; unfortunately I only found some in Spanish, so I will give you a short summary:

It is a new banking trojan developed specifically to infect and collect information from Brazilian banks. Apparently it has now expanded to Argentina and Peru.

So how does it work? It spreads through social networks (videos, links, ...) and then "takes control" of your internet connection by changing the values of your DNS servers. More specifically, it changes the primary DNS to one of these IPs: 108.170.13.38, 66.7.216.122 or 63.143.43.154, and the secondary DNS to 8.8.8.8. This secondary DNS is actually Google Public DNS, and it is configured this way so that your internet connection continues working properly and the user does not notice anything.

The important part here is that because no download or installation has been made on your machine, no antivirus will notice any change. After your DNS servers have been changed, the trojan controls every single website you connect to, and this way they steal your bank information.

So after reading about this I accessed my router and restored my primary and secondary DNS servers to their proper values, but one day later I had the same problem again.

This is actually a 50% warning post - 50% help me! post.

So, here comes the question: is there any possible way to prevent my DNS servers from being changed?

PS: Sorry if this is not where this question should be, but I'm kind of desperate; can you redirect me to the correct website?

juliomalegria

Posted 2012-06-06T15:36:58.170

Reputation: 181
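The infection described in the question lives in the router's resolver settings rather than on any host, so the practical check is on the resolver addresses themselves. The following Python script is an added example, not code from the original post or its answers: it parses a resolv.conf-style configuration, flags the pattern the post gives (one of the three listed primary addresses paired with 8.8.8.8 as the secondary), and carries a minimal standard-library DNS A-record client so the targeted sites can be resolved through the configured server and through a trusted one and the answers compared. The three indicator IPs and the site list come from the post; the sample resolv.conf, the 203.0.113.x answer address, the choice of 8.8.8.8 as the trusted reference resolver and the `live_check` helper are assumptions made for the example.

```python
# Added example (not from the original post or its answers), standard library only.
import random
import socket
import struct

# The three rogue primary resolvers and the target sites named in the post.
BAD_PRIMARY = {"108.170.13.38", "66.7.216.122", "63.143.43.154"}
TARGET_SITES = ["gmail.com", "facebook.com", "youtube.com", "twitter.com"]
TRUSTED_RESOLVER = "8.8.8.8"  # assumption: reference resolver for the live comparison

# Constructed sample: what a host looks like after taking the hijacked router's DHCP settings.
SAMPLE_RESOLV_CONF = """\
nameserver 108.170.13.38
nameserver 8.8.8.8
options timeout:2
"""

def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    return [parts[1] for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]

def classify_resolvers(servers):
    """Flag listed indicator IPs and the rogue-primary + 8.8.8.8-secondary pairing."""
    findings = [f"resolver {s} is on the indicator list" for s in servers if s in BAD_PRIMARY]
    if len(servers) >= 2 and servers[0] in BAD_PRIMARY and servers[1] == "8.8.8.8":
        findings.append("secondary is 8.8.8.8: the fallback that keeps the connection working")
    return findings

def build_a_query(name, txid):
    """Minimal DNS query packet for an A record, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_answers(data):
    """IPv4 addresses from the answer section of a DNS response ([] on an error RCODE)."""
    flags, qdcount, ancount = struct.unpack("!HHH", data[2:8])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs

def query_resolver(server, name, timeout=3.0):
    """Resolve `name` through one specific resolver over UDP port 53 (needs network)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("DNS transaction ID mismatch")
    return parse_a_answers(data)

def compare_answers(configured, trusted):
    """Names whose answers from the two resolvers have no address in common."""
    return sorted(n for n in configured if set(configured[n]).isdisjoint(trusted.get(n, [])))

def live_check(configured_server, trusted_server=TRUSTED_RESOLVER, names=TARGET_SITES):
    """Resolve the targeted sites via both resolvers and report the divergent ones."""
    return compare_answers({n: query_resolver(configured_server, n) for n in names},
                           {n: query_resolver(trusted_server, n) for n in names})

def constructed_response(txid, name, ip):
    """Constructed reply (test data, not a capture) so the parser can run offline."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + build_a_query(name, txid)[12:] + answer

if __name__ == "__main__":
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", servers)
    for finding in classify_resolvers(servers):
        print("WARNING:", finding)
    print("offline parser check:",
          parse_a_answers(constructed_response(1, "gmail.com", "203.0.113.10")))
```

To run it against a real machine, feed `open("/etc/resolv.conf").read()` to `parse_resolv_conf` and call `live_check(servers[0])` with network access. Two caveats: answers for large sites legitimately differ between resolvers (CDNs, geo-DNS), so a divergent answer is a reason to look closer, not proof of hijacking; the decisive indicator is the resolver address itself. And since hosts inherit whatever the router pushes over DHCP, the router's own DNS settings have to be checked in its administration page, not just the per-host file; the 8.8.8.8 secondary in the post's pattern is precisely what keeps everything working whenever the rogue primary fails to answer.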

That sounds like an XSS vulnerability in the router – SLaks – 2012-06-06T15:38:39.617

A (temporary) workaround would be to configure DNS manually for each machine connected to that router. For the router itself, you should try to 1) upgrade the router's firmware or 2) install open-source firmware (e.g. DD-WRT, OpenWrt or Tomato), if supported on your router – user49740 – 2012-06-06T19:32:48.320

@SLaks what would be the solution for that kind of vulnerability? – juliomalegria – 2012-06-06T19:59:38.873

@user49740 I've changed my DNS servers locally but the problem remains. I will try to upgrade the router. – juliomalegria – 2012-06-06T20:00:54.270

What type is your router? If it's a FritzBox or something like that, disconnect it from the internet, reset it to factory default, change the access rights and then connect it to the internet again. – ott-- – 2012-06-06T20:07:26.087

Answers

1

I don't know that it applies in this case, but one way things like this can occur (rare, but possible) is a malignant Flash fragment (downloaded and acted upon by your browser without you even knowing about it) redirecting from your machine to the router via UPNP, and reprogramming the router if the router accepts UPNP reconfiguration.

Even before this became a threat, I determined UPNP to be un-useful to me, and have disabled it ever since (probably 5 years or more now) on all routers I control, and additionally use static DNS servers (OpenDNS in my case) on all machines I configure.

killermist

Posted 2012-06-06T15:36:58.170

Reputation: 1,886