Malware Silently Alters Wireless Router Settings

A new Trojan horse masquerading as a video "codec" required to view content on certain Web sites tries to change key settings on the victim's Internet router so that all of the victim's Web traffic is routed through servers controlled by the attackers.

According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first. DNS can be thought of as the Internet's phone book, translating human-friendly names like into numeric addresses that are easier for networking equipment to handle.


While researchers have long warned that threats against hardware routers could one day be incorporated into malicious software, this appears to be the first time this behavior has been spotted in malware released into the wild.

The type of functionality incorporated into this version of the Zlob Trojan is extremely concerning for a number of reasons. First, Zlob is among the most common types of Trojans downloaded onto Windows machines. According to Microsoft, the company's malicious software removal tool zapped some 14.3 million instances of Zlob-related malware from customer machines in the second half of 2007.

The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think to look to the router settings, provided the customer's Internet connection is functioning fine.

Philip Sloss, a software engineer for, said he first observed the activity while examining a Zlob variant distributed on May 22. The DNS hijack occurs, he said, during the installer program, so by the time the user sees the fake codec installer screen, the malware has already attempted to change DNS settings on the victim's router.

I reached out to researchers at Sunbelt Software to check Sloss's data, and Sunbelt was able to confirm that the malware successfully changed the DNS settings on a Linksys router (model BEFSX41), pulled straight out of the factory box (with the default username and password). Another test showed that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware.

Sunbelt also found that if there are multiple machines using the same router, all of the systems connected to that router will have their traffic hijacked.

"This is definitely something we have not seen before," said Eric Sites, chief technology officer at Sunbelt. Sites said his team is testing the new Zlob variants against multiple routers to see how they fare against the malware. "It was only a matter of time before someone started using this attack."

Sloss said he captured traffic showing the Zlob variant trying to reconfigure different routers by requesting the local Web page for the various "setup wizards" that ship with the devices. Some of the requests he noticed are listed below, with my own research noted next to them:

"/index.asp" (still checking, but I believe this is used on DD-WRT and some Linksys routers);
"/dlink/hwiz.html" (D-Link routers);
"wizard.htm" (appears to be used by several different router manufacturers, including Linksys).
"/home.asp" (no idea)
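The requests Sloss captured give a defender something concrete to look for: a single LAN host hammering the router's setup pages with one username/password pair after another, followed by a success. The script below is an added example, not code from the article, Sloss or Sunbelt; it reads Common Log Format-style lines (a format assumed here, since routers log differently) and reports sources that collected many 401s on the wizard paths named above within a short window, and whether a 200 on those pages followed. The log lines are constructed.

```python
"""Spot a default-credential guessing run against a router's admin pages.

Added example. Assumes the router (or a proxy in front of it) writes one
Common Log Format-style line per request; adapt LOG_RE for your device.
"""
import re
from collections import defaultdict
from datetime import datetime

# Setup/wizard pages the article lists as requested by the Zlob variant,
# normalised to lower case without the leading slash.
WIZARD_PATHS = {"index.asp", "dlink/hwiz.html", "wizard.htm", "home.asp"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def _norm(path):
    return path.split("?", 1)[0].lower().lstrip("/")

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {src: {"failures", "usernames", "succeeded"}} for sources that
    drew `threshold` or more 401s on admin pages inside any window."""
    failures = defaultdict(list)   # src -> [(ts, user)]
    successes = defaultdict(list)  # src -> [ts] of 200s on admin pages
    for line in lines:
        rec = parse_line(line)
        if rec is None or _norm(rec["path"]) not in WIZARD_PATHS:
            continue
        if rec["status"] == 401:
            failures[rec["src"]].append((rec["ts"], rec["user"]))
        elif rec["status"] == 200:
            successes[rec["src"]].append(rec["ts"])
    hits = {}
    for src, events in failures.items():
        events.sort(key=lambda e: e[0])
        best, start, users = 0, 0, set()
        for end in range(len(events)):          # sliding time window
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                users = {u for _, u in events[start:end + 1]}
        if best >= threshold:
            last_fail = events[-1][0]
            # A 200 on an admin page after the burst means a guess worked.
            succeeded = any(t >= last_fail for t in successes.get(src, []))
            hits[src] = {"failures": best, "usernames": users, "succeeded": succeeded}
    return hits

# Constructed sample: 192.168.1.101 walks a credential list and gets in;
# 192.168.1.50 is the owner mistyping once.
SAMPLE_LOG = [
    '192.168.1.101 - - [22/May/2008:14:02:59 -0400] "GET /favicon.ico HTTP/1.1" 404 0',
    '192.168.1.101 - admin [22/May/2008:14:03:01 -0400] "GET /index.asp HTTP/1.1" 401 0',
    '192.168.1.101 - admin [22/May/2008:14:03:02 -0400] "GET /index.asp HTTP/1.1" 401 0',
    '192.168.1.101 - root [22/May/2008:14:03:02 -0400] "GET /index.asp HTTP/1.1" 401 0',
    '192.168.1.101 - root [22/May/2008:14:03:03 -0400] "GET /index.asp HTTP/1.1" 401 0',
    '192.168.1.101 - user [22/May/2008:14:03:04 -0400] "GET /index.asp HTTP/1.1" 401 0',
    '192.168.1.101 - Admin [22/May/2008:14:03:05 -0400] "GET /wizard.htm HTTP/1.1" 401 0',
    '192.168.1.101 - admin [22/May/2008:14:03:06 -0400] "GET /index.asp HTTP/1.1" 200 5120',
    '192.168.1.50 - admin [22/May/2008:18:41:10 -0400] "GET /index.asp HTTP/1.1" 401 0',
    '192.168.1.50 - admin [22/May/2008:18:41:25 -0400] "GET /index.asp HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```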

Relatively few people ever change the default username and password on their wireless routers. I see this often, even among people who have locked down their wireless routers with encryption and all kinds of other security settings: When I confront them about why they haven't changed the default credentials used to administer the router settings, their rationale is that, 'Well, why should I change it? An attacker would need to already have a valid connection on my network in order to reach the router administration page, so what's the difference?'

Obviously, an attack like this illustrates the folly of that reasoning.

What's more, the various components dropped onto victim PCs by this malware are poorly detected by most anti-virus tools available today. A scan of these three files at -- which checks submitted files against 31 different anti-virus engines -- indicates that only 11 of the anti-virus products currently detect any of them as malicious.

Specific, manufacturer-based video tutorials on how to secure your wireless router are available at this link here. First and foremost, router users should pick strong router administration passwords, choosing usernames and passwords that are not easily guessed or found in the dictionary. Also, avoid using the username as your password (in any event, try to avoid picking a username and password combo included in the list of those this malware tries).

If your machine has been infected by one of these Zlob/DNSChanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know your router's default password, you can look it up at this link here.

It's important to note, however, that if there are other Zlob-infected machines using the same router, they will need to be cleared of the Trojan before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings a few minutes after the reboot, said Sunbelt's Sites.

Bear in mind that you will need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. In addition, you may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Updated, 11:47 p.m. ET: Corrected Site's title, and added in the second paragraph a link that lists all of the usernames and passwords this malware tries against each router administration page it finds.

By Brian Krebs  |  June 11, 2008; 5:54 PM ET
Categories:  Latest Warnings  


Other than changing a router's default password, also be sure to keep it patched with the latest firmware obtained from the manufacturer.

Personally, I refuse to use a wireless router as I can't readily control where the signal can go and who may be able to sniff it and attempt to hack into it. At least with a wired unit (firewall and router), they would have to physically connect to it or attempt to infect my systems with something first, which isn't going to happen very easily since I use defense in depth strategies on each computer and the network in general. Regardless though, it is still wise to remain vigilant.

Posted by: TJ | June 11, 2008 7:31 PM | Report abuse

so, does this affect macs, osx, linux or only windoze?

Posted by: | June 11, 2008 7:52 PM | Report abuse

Besides a non-admin (limited user) account and AV software, another effective defense against these types of malware is a blocking hosts file:

They also have a related blog that covers a lot of these types of malware tricks using codecs.

Posted by: Tim | June 11, 2008 8:00 PM | Report abuse

What DNS setting does it change it to? What are we looking for on the DNS setting to tell if it's been hijacked?

Posted by: Mark | June 11, 2008 8:09 PM | Report abuse

I was researching this a few weeks ago and unless you have a very different form of router patcher DNSChanger, the info here is very wrong.

The version I tested got into a router through a wireless connection with both a non-standard username and password combined with access denied to all non hard wired connections. It gets in through upnp in the router so the advice here will do nothing if upnp is left on. I just did a search on this page and upnp is not even mentioned, a little more research would not have hurt you guys.

Posted by: nosirrah | June 11, 2008 8:15 PM | Report abuse

Posted by: TJ | June 11, 2008 8:20 PM | Report abuse

One way to check the DNS setting in your router is going to
I put the DNS from my router and it came back with my ISP.

Posted by: Mark | June 11, 2008 9:03 PM | Report abuse

@Sprint: If the router's DNS settings are compromised, then the traffic flowing to and from all systems behind that router -- be they Mac, Windows or Linux boxes -- will also be compromised. That is, unless the individual machines have their own DNS servers hard-coded in, which isn't likely.

@Mark: I don't have the exact IPs handy, but they both start with 85, so 85.x.x.x, e.g.

Posted by: Bk | June 11, 2008 9:13 PM | Report abuse

I use a Soekris 5501 running Linux as my router. The only administrative access is through its serial port. I need Windows for work, so those machines are on their own subnet with no internet access. I use sneakernet for software updates on them. Our Mac user accounts have no administrative access so we can't install anything. We do all administration from a special account used only for that purpose.

Posted by: Fran Taylor | June 11, 2008 9:54 PM | Report abuse


One of the routers used to test this was a Linksys model BEFSX41. UPNP is disabled by default on this model and other Linksys models because it is not a secure protocol.

The ethernet captures of a machine infected with this malware show no UPNP.

So the advice in Brian's article is correct.

Eric Sites, CTO
Sunbelt Software

Posted by: Eric Sites | June 11, 2008 11:23 PM | Report abuse

@nosirrah -- this attack appears to work just fine with universal plug and play (UPnP) turned off. The attack works best against routers that are straight out of the box factory settings; at least on the three routers I mention in the piece (linksys plain, linksys custom firmware, and Buffalo custom firmware) UPnP was NOT enabled, and yet the attack worked by guessing/bruting the username/password.

Also, the Sunbelt people are still going through the massive amounts of traffic this thing generates, but so far no UPnP packets to speak of.

Posted by: Bk | June 11, 2008 11:29 PM | Report abuse

@nosirrah -- Also, we just added a link in the second paragraph that shows more than 700 passwords this malware tries against each router administration page it finds. It appears to be just brute-forcing the password.

Here's the list:

Posted by: Bk | June 11, 2008 11:49 PM | Report abuse

@Mark -- I finally got the IPs that the malware enters into a hijacked router's DNS settings: and

If you see those IPs, or something close to it, there's a good chance your machine/router belongs to someone else.

Posted by: Bk | June 11, 2008 11:56 PM | Report abuse

DNSChanger has two platforms: Windows and Mac; and as far as I understand this feature exist in Windows(win32 file) as of the moment. The latest Mac DNSChanger doesn't suggest this behavior.

Posted by: Meths | June 12, 2008 2:14 AM | Report abuse

Eric and Brian have nicely supplemented the original post here, just wanted to note a couple of other things:

First, the DNS server IP addresses can vary, probably with the specific copy of the malware. If you see DNS settings on your router that start with, that's likely bad.

Second, non-admin accounts (a.k.a. limited user accounts) only protect the operating system and won't prevent the router from being compromised. In other words, the malware doesn't need administrator-level privileges on Windows to change the *router* settings -- all it needs is the router credentials.

Philip Sloss

Posted by: Philip Sloss | June 12, 2008 7:14 AM | Report abuse

Does this threat also apply to wired routers? If not, should default pswds be changed anyway?

Posted by: Bartolo | June 12, 2008 8:17 AM | Report abuse


2nd sentence in the story:

According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or WIRED hardware router

Posted by: RTFA | June 12, 2008 8:20 AM | Report abuse

All I'm saying is that the malware that hit my test box got through router security set up so that from my computer I can't even get to a router log on screen so passwords are irrelevant against it. I have started asking around and have had a few friends where upnp was on so it is not 100% the default to have it off. Strong user/pass + upnp off would prevent both forms of router hijack. I was not implying that the info here about passwords was incorrect, just not as complete as it could be given that two identical outcome but different cause DNS hijacks are in the wild at the same time.

IMO mentioning defence that would prevent BOTH DNSChanger router hijacks (attacks that from what I can tell coincided time wise and were likely from the same clowns) would be a good idea.

Another thing and likely just a nitpick is that Zlob and DNSChanger are two completely different codecs and infections. The 5 most common codecs (from my research) are Zlob, VAC, IEDefender, DNSChanger and ISecurity. For me Zlob (currently) installs 2 programs folder folders (trojans and rogue), 1 %SYSDIR% dll (downloader for rogue) and one %SYSDIR% folder that contains the trojan BHO. DNSChanger codec installs DNS hijacks and sometimes Rootkit.DNSChanger in %SYSDIR%. If I were to lump multiple families into one group, codec malware would describe them better than calling them all zlob. Even codec malware is not completely correct though because multiple exploit born infections will download and install these without any user interaction at all so a fake codec does not factor in. If it were not for DNSChanger you could collectively call the group FakeAlert because all the rest generate fake security warnings and advertise/install rogue security software.

Posted by: nosirrah | June 12, 2008 9:18 AM | Report abuse

I am seeing UDP d-port 53 requests to d-ip in way too much traffic to that block to be all legit DNS servers. I assume the same for the other block.


Posted by: lagrandefoote | June 12, 2008 9:27 AM | Report abuse

The confusion between Zlob(s) and DNSChanger is that they use the same vector: fake codecs, and they are from the same gang. Looking at servers hosting the fake sites, the trojan.downloaders and the droppers you can see the link.
They look radically different: DNS.Changer is silent. No fake alerts, no popups, no rogues. The others are promoting rogue software.
DNS.Changer comes alone, but some of the others are downloading other infections so rogues can detect real malware on the system.

Posted by: S!Ri | June 12, 2008 9:39 AM | Report abuse

Yes this threat is to any router - wired or wireless. Some are more at risk than others (maybe certain ones are targeted more if they're notorious for a default admin password & have a browser-based admin console). Just like Windows vs Linux, there are tons of certain brands, so attackers also may focus on the larger attack base.

Original Question:

Does this threat also apply to wired routers? If not, should default pswds be changed anyway?
Posted by: Bartolo | June 12, 2008 8:17 AM

Posted by: @Bartolo - | June 12, 2008 10:02 AM | Report abuse

Yes, let's all switch to routers based on Windows 3.1.

How about Apple routers?

It's not enough to show that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware. You also have to contribute a fix to the open source firmware.

Posted by: Singing Senator | June 12, 2008 10:13 AM | Report abuse

Does this threat also apply to wired routers? If not, should default pswds be changed anyway?

Default Password should/must always been changed.

Posted by: S!Ri | June 12, 2008 10:13 AM | Report abuse

FYI for BK, I've confirmed that DD-WRT uses index.asp page for setup, and that it has UPnP enabled by default.

Posted by: Will | June 12, 2008 10:31 AM | Report abuse

What can we do with an old wireless router, just throw it out? If the new ones are no good, then what?

Posted by: Jack, Burke | June 12, 2008 11:49 AM | Report abuse

@Jack: What can we do with an old wireless router, just throw it out? If the new ones are no good, then what?

I don't think the point is that if you have old equipment you're vulnerable. It's that if you aren't CHANGING THE DEFAULT ADMIN PASSWORD to console into the router and configure it, then you may be vulnerable. The malware probably attempts to enumerate and identify your router, and then sends pre-determined default passwords to try logging into it.


Posted by: My humble answers | June 12, 2008 12:54 PM | Report abuse

How does Microsoft know how many copies of anything are deleted by its software?

Is it calling home?
Is this worth an article?

Posted by: huh? | June 12, 2008 1:44 PM | Report abuse

What intrigues me is how there are not many people who have heard of or tried some of the newest security tools designed to prevent such networking attacks; all newbies running or setting up a home network should use Network Magic.

Pure Networks, the creator of Network Magic and the newly released Speed Meter Pro, designed its software utility specifically to help prevent such attacks from happening. Pure Networks has even created a free wireless network security scan to help ease the hassle of manually checking each security setting on your computer and home network. You can find the network security scanner here:

As we all know, there are A LOT of necessary settings that everyone must have to properly ensure a safe and secure networking environment.

The Network Magic health and security feature continuously scans your network, alerts you to any security issues and in many cases helps you fix the issue. As mentioned in the above article, the security of your network is only as strong as its weakest link - the best way to identify and eliminate your "weakest links" is with Network Magic.

Hopefully this helps!

Posted by: Derek | June 12, 2008 1:53 PM | Report abuse

The headline for this story "Malware Silently Alters Wireless Router Settings" is inaccurate. The word "Wireless" should be deleted.

Posted by: KD | June 12, 2008 2:43 PM | Report abuse

Ok, how do I find out if the router sending out the open wifi signal I may borrow while at lunch is compromised? My router at home is protected, but how am I to know if I borrow my cousin's neighbor's signal or the insurance company's signal while in Nashua?

Posted by: Peter B | June 12, 2008 8:05 PM | Report abuse

What I'd like to know is why this post is considered to be new? Such DNSChanger was already seen in 2007...

Posted by: Cedric Pernet | June 13, 2008 4:29 AM | Report abuse

The difference here is, as I see it, is that THIS DNS changer goes after your router instead of creating a static network setting (DNS) in your computer. This lets it affect all machines on the network that get their DNS dynamically, not just one PC at a time.

Posted by: TheGhostInYourMachine | June 13, 2008 8:16 AM | Report abuse

I always try to convince people concerned with PC security that a firewall should monitor outgoing traffic as critically as incoming traffic. The fewer programs on your PC are allowed to access the internet the better. And if it comes to multimedia, you better first download music or video to your hard drive if possible. With streaming media, you should know the codec pack you installed is to be trusted. In fact, you should never trust new software or plugins right away!

Posted by: Frank Hoogerbeets | June 13, 2008 9:47 AM | Report abuse

Good discussions - and hi to some old friends.

@ Eric - the article credits Sunbelt with, "It's important to note, however, that if there are other Zlob-infected machines using the same router, they will need to be cleared of the trojan before resetting the router."

Ummm, this would not be the best procedure. If there are other Zlob-infected machines, turn them off! Get them off the network! Pull their plug! Then with the disinfected machine, reconfigure the router - without the other infected machines interfering.

Posted by: Bill_Bright (AKA:Digerati) | June 13, 2008 10:33 AM | Report abuse

For more on changing the password on a router see my blog posting
Defending your router, and your identity, with a password change

@Frank: A firewall will not help in this case

@Peter: One way to find out if a borrowed router (WiFi or wired) is compromised is to look at the DNS servers it assigned to your computer. In Windows XP, Vista and 2000, an "ipconfig /all" command will show you the DNS servers being used. However, determining good DNS servers from bad ones may not be practical. An earlier comment from Philip Sloss said that the bad DNS server IP addresses can vary.

So, an excellent defense against this type of attack is not to let the router assign you DNS servers, but instead, to pick your own. I suggest OpenDNS. For more on this see my blog posting
OpenDNS provides added safety for free

Posted by: Michael Horowitz | June 13, 2008 11:31 AM | Report abuse
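Mark's question above (what to look for in the DNS settings) and Michael Horowitz's "ipconfig /all" tip can be turned into a repeatable check. The script below is an added example, not code from the article or any commenter: it pulls the resolver addresses out of Windows "ipconfig /all" output (or a Linux /etc/resolv.conf), compares them with an allowlist you maintain, and separately flags anything in 85.0.0.0/8, the block Bk said the hijack addresses start with. The allowlist here assumes OpenDNS's public resolvers plus one constructed ISP resolver, the sample outputs are constructed, and only IPv4 resolvers are examined; since Sloss notes the bad addresses vary per copy, the allowlist is the real test and the 85.x.x.x hint is secondary.

```python
"""Check which DNS servers this host was handed and flag unexpected ones.

Added example. Assumptions: Windows `ipconfig /all` text layout, or a
Linux-style /etc/resolv.conf; IPv4 resolvers only.
"""
import ipaddress
import re
import subprocess
import sys

# Resolvers you expect: OpenDNS's public resolvers (a real, well-known
# pair) plus a constructed ISP resolver. Replace with your ISP's servers.
EXPECTED = {"208.67.222.222", "208.67.220.220", "203.0.113.53"}
# Hint from Bk's comment that the hijack addresses "start with 85".
SUSPICIOUS_NETS = [ipaddress.ip_network("85.0.0.0/8")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def dns_servers_from_ipconfig(text):
    """Collect resolvers from `ipconfig /all` output. The first server sits
    on the 'DNS Servers' line; extra servers follow on lines holding only
    an address, until the next labelled field."""
    servers, in_dns = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if "DNS Servers" in line:
            in_dns = True
            servers += IPV4_RE.findall(line.split(":", 1)[1])  # skip the dotted label
        elif in_dns and IPV4_RE.fullmatch(stripped):
            servers.append(stripped)
        else:
            in_dns = False
    return servers

def dns_servers_from_resolvconf(text):
    """Collect the addresses from `nameserver` lines of resolv.conf."""
    return [parts[1] for parts in (l.split() for l in text.splitlines())
            if len(parts) > 1 and parts[0] == "nameserver"]

def classify(servers, expected=EXPECTED, suspicious=SUSPICIOUS_NETS):
    """Return {server: 'expected' | 'suspicious' | 'unknown'}.
    Anything not on the allowlist deserves a look; 'suspicious' only
    adds the 85.x.x.x hint from the comments."""
    verdicts = {}
    for s in servers:
        if s in expected:
            verdicts[s] = "expected"
            continue
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            verdicts[s] = "unknown"
            continue
        verdicts[s] = "suspicious" if any(addr in n for n in suspicious) else "unknown"
    return verdicts

def live_servers():
    """Read the resolvers actually in use on this host."""
    if sys.platform.startswith("win"):
        out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
        return dns_servers_from_ipconfig(out)
    with open("/etc/resolv.conf") as f:
        return dns_servers_from_resolvconf(f.read())

# Constructed sample of a hijacked host's ipconfig output.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IP Address. . . . . . . . . . . . : 192.168.1.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.1.2.3
                                       85.1.2.4
   Lease Obtained. . . . . . . . . . : Thursday, May 22, 2008 2:01:44 PM
"""
# Constructed resolv.conf pinned to OpenDNS, as Mackenzie describes.
SAMPLE_RESOLV = "search home.example\nnameserver 208.67.222.222\nnameserver 208.67.220.220\n"

if __name__ == "__main__":
    for server, verdict in classify(live_servers()).items():
        print(f"{server:15} {verdict}")
```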

I wonder why manufacturers can't use the hardware serial number as the default password. It could be automated during the manufacture process.

Posted by: IT Guy | June 13, 2008 12:05 PM | Report abuse

Interesting. Would hard coding OpenDNS values avoid the issue?

I'm on a Linux laptop, so I don't have the issue of actually getting the trojan (I stick to software in the repositories or compile my own if I trust the source) but using a router that's been compromised is possible of course.

If hard coding is an option
edit this file

just add the ip addresses to the line that says "prepend domain-name-servers"

Posted by: Fran | June 13, 2008 12:30 PM | Report abuse

One way to avoid needing to trust the router's DNS settings that works especially well on Linux is to simply run your own instance of BIND on each computer.

Since BIND does DNS resolves starting from the root, it doesn't matter if the router's DNS settings are altered to point to bad DNS servers--they won't be used.

I first started doing this because I wanted a minimum of hassle when moving between two networks, one of which uses DHCP, the other uses a static configuration (Win98SE ICS on a dial-up Internet link--the DNS servers the ISP gives occasionally change). The only way to make DNS work easily on both was to run BIND on localhost.

Another issue here is that quite a few authentication bypass vulnerabilities have been found in various routers, so even if Universal Plug 'n Pray is turned off and a secure password set, it may still be possible to alter the router configuration.

Posted by: Out there | June 13, 2008 12:34 PM | Report abuse

@IT Guy: Good idea about varying the default password. I ran across one router that does that, from Cradlepoint. Its default password is the last few characters of the MAC address.

@Fran: Yes, hard coding DNS servers in your operating system would avoid this problem because then you are not using DNS servers from the router. Brian said as much in a comment, see above on June 11th at 9:13PM.

Posted by: Michael Horowitz | June 13, 2008 1:23 PM | Report abuse

@ IT Guy: Correct, I feel that vendors are helping malware writers "hey there, our router's default password is password, don't forget to tell your worm"

I've compiled a "countermeasures against DNSChanger" list here on my blog

Posted by: Aa'ed Alqarta | June 13, 2008 2:47 PM | Report abuse

We published some more information on how DNSChanger on our blog as well:

Posted by: Secure Computing | June 13, 2008 5:49 PM | Report abuse

For DNS, I use OpenDNS. For routing, I have been using Untangle.......


Posted by: DOUGman | June 14, 2008 1:17 AM | Report abuse


You're just increasing your attack surface area by adding BIND. BIND's security track record isn't stellar.

The simple fix is: change the default password to a strong unique password. If possible, change the admin user name as well. This should be the case with ANY device.

I'm also for disabling uPNP; while it may inconvenience novice users, it's just too much of a security risk to have floating around there. As with uPNP, mDNS is another one of those "zero-config" protocols that's ripe for abuse.

Remember, most of these routers run some form of Linux. What if the trojan used a GRE tunnel to funnel the traffic instead of DNS? Alternatively, wrote an IPTABLES rule to redirect all traffic to the attacker's host. You would still appear to go to your normal "safe" DNS server, it might even serve up real DNS responses from that server, but everything (or just what the attacker wants) could be tunneled from your network over a GRE tunnel to a man-in-the-middle. A smart attacker would keep the redirects to a bare minimum to not create suspicion, say just pick off financial or banking websites. A local DNS server would not help in this case.

Singing Senator:

As far as DD-WRT having a vulnerability, the author is not claiming that DD-WRT contains a vulnerability, he is stating that if you don't change the default password it is vulnerable. I think his point was, even a third party firmware is being targeted.

As far as DD-WRT, one of the nice features on there is the ability to assign the "Cisco Button" to "do something". One could write a script to possibly turn remote management (GUI/Telnet/SSH/uPNP even) on/off when that button is pressed. How many times a day does one have to administer their router? It would be more difficult for a trojan to hijack a router when there is no administrative interface to attack. Heck, even changing the default ports for GUI/Telnet/SSH could be enough to slow it down (security through obscurity). :)

Posted by: wmchurch | June 15, 2008 11:56 AM | Report abuse

@Michael Horowitz

Thanks so much for the info on how to check the DNS servers of my laptop(s). Not everyone who reads Krebs is as knowledgeable as the rest of you people, and I greatly appreciate it. Maybe Krebs will read this and think to include information like this in warning articles.

Posted by: Peter | June 16, 2008 9:27 AM | Report abuse

I like the idea of the default password being the serial number, although I think doing that would require the serial number be easier to find; for some devices, it would also need to be easier to read.

Running one's own DNS works, so long as one is up to the task. That having been said, given its lackluster security history, BIND has too much market share (that is, it has exploits, generally at least once a year. Since nigh everyone uses it, these exploits are targeted moderately heavily - at least, I'm assuming that's what's probing my box at port 53, since I don't run a public DNS server and I am aware of no NS records pointing to my box.) I think it would be better to point people to djbdns or another relatively obscure DNS server - it may not be as well reviewed, and it may not be as well documented, but it's probably not as likely to be exploited immediately after a new exploit is found. djbdns has the advantage of having an excellent security record, as far as I am aware, although the disadvantage of having been written by someone with a poor standards-compliance record (I'm not a DNS person, so I can't say how well djbdns complies with DNS standards) and very slow on adopting new features.

Posted by: Ed | June 23, 2008 12:42 PM | Report abuse

I think this is an important story and would benefit from other NowPublic contributors working on it. I've flagged it as News Wanted and invite others in relevant locations to look for more evidence.

Posted by: peter | June 25, 2008 6:27 AM | Report abuse

Which video codec is it? I couldn't find the name of this codec (or program with this malware). The thing is, I often use various codecs for video conversion of my artworks, and I fear now that I could download that codec one day.

Posted by: Rob | June 26, 2008 4:06 AM | Report abuse

Bk said:
"If the router's DNS settings are compromised, then the traffic flowing to and from all systems behind that router -- be they Mac, Windows or Linux boxes -- will also be compromised. That is, unless the individual machines have their own DNS servers hard-coded in, which isn't likely."

What, you don't have DNS settings in your computer? My /etc/resolv.conf is full of OpenDNS IPs.

Posted by: Mackenzie | June 26, 2008 3:13 PM | Report abuse

© 2010 The Washington Post Company