At the office I noticed malware symptoms on one of the computers. I tried cleaning it and found nothing. Then I noticed I got the same behavior on my phone and the other computer: occasional links would redirect to malware download pages.
I changed my phone to cellular data and the behavior went away. I figured it must be the router or cable modem. I power cycled them and checked for a proxy or any other strange settings. I didn't see any, and it worked normally for a while, only to return again later.
What am I missing? Where else could the malware be coming from?
The router password is non-default and relatively complex. DNS and factory reset are good ideas. I'll try that. It is the same ISP I use at home, and I don't see the behavior at home. – Jim McKeeth – 2014-12-20T16:23:39.857
If you're positive the password wasn't compromised, the router might well have at least one security hole. – Daniel B – 2014-12-20T16:26:34.977
@JimMcKeeth If you save the password, or even just type it while malware is active, that's a possibility. Some routers also have vulnerabilities allowing their web configuration utilities to be accessed by remote hosts without a password - you can check if your model has a known vuln. These are all somewhat unlikely, but certainly possible. – Bob – 2014-12-20T16:27:12.303
Just found this, which seems like a candidate: http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/ – Jim McKeeth – 2014-12-20T16:46:11.963
From the cite: "Check Point has uncovered no evidence the vulnerability has been actively exploited..." Seems highly unlikely, and far more likely that the infection (if it is one) spread by open shares or other inadequate security between devices. Also, was Java recently updated? Check to see if the Ask toolbar was installed with a Java update. I have the sad feeling that your office computers have no security software installed, so you could have been hacked in a thousand ways (with the router being by far the least likely). – Debra – 2014-12-21T16:55:30.850
By the way, if you really want to believe the router is compromised: save the configuration to a file on a computer, reset the router to default, reload the firmware, and then restore the configuration. That would wipe out any code change. – Debra – 2014-12-21T16:57:49.270
@Debra I recommend not doing this. It will restore any malicious configuration changes, like DNS servers. Even worse, it absolutely won’t do anything about the flash ROM contents. – Daniel B – 2014-12-21T20:04:22.053
DNS server information is completely visible in the router setup; it's easy enough to check, esp. as most get the DNS settings from the ISP. And you seem to completely miss the point about the firmware; the whole idea in reloading is that any changes to the firmware will be wiped out by doing so. I'm not sure why you believe that changes to the firmware could somehow survive reloading the firmware. As for the "factory reset" you suggest - it's near-useless if you really believe the firmware was exploited. – Debra – 2014-12-23T00:52:42.727
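Debra's point that the DNS settings are easy to check can be complemented from a client on the LAN, which is closer to the symptom Jim saw (links redirecting on the office network but not on cellular). The script below is an added example, not code from this thread: it sends raw A queries to the router's resolver and to a reference resolver you choose (both given on the command line), then lists domains where the two answer sets share no address. The domain names are constructed samples; the transaction id and 3-second timeout are arbitrary choices.

```python
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: header (RD set) + QNAME + QTYPE A + QCLASS IN."""
    qname = b"".join(bytes([len(x)]) + x.encode() for x in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(data: bytes, off: int) -> int:   # step past a (possibly compressed) name
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(data: bytes, txid: int) -> set:   # IPv4 answers in a DNS response
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4   # skip QTYPE + QCLASS
    ips = set()
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def resolve(server: str, name: str, txid: int = 0x1234) -> set:   # UDP/53 query
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, txid)

def find_mismatches(lan: dict, ref: dict) -> dict:
    """Domains whose LAN answers share no address with the reference answers."""
    return {d: (lan[d], ref[d]) for d in lan if d in ref and not lan[d] & ref[d]}

if __name__ == "__main__":   # usage: script.py <router-ip> <reference-resolver-ip>
    import sys
    names = ["example.com", "www.wikipedia.org"]   # constructed sample list
    print(find_mismatches({n: resolve(sys.argv[1], n) for n in names},
                          {n: resolve(sys.argv[2], n) for n in names}))
```

CDN-backed domains can legitimately resolve to different addresses through different resolvers, so treat a divergence as a reason to compare the router's configured DNS servers against the ISP's, not as proof of compromise on its own.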