Router based DNS MITM Attack
So... apparently there is an India-specific router (the little modem that you use to access the internet on ADSL connections) based DNS man-in-the-middle attack going on.
I am affected (or infected) and from searching around several people in India are reporting the same symptoms. Just wondering if anyone else here is having the same problem.
From what I understand, this should only affect you if your modem is set up as an always-on connection, that is, you turn on your modem and browse. If you have to open a dialer to connect you should be safe.
What's basically happening is that popular sites are redirecting to a page that tries to sell you web hosting. For me it was microsoft.com (and Bing search); others have reported Yahoo, indiatimes, LinkedIn, etc.
http://blog.escanav.com/2012/01/12/d...s-mitm-attack/
change has had its 15 minutes.... now its time for turmoil....
PS: i maybe thejag! but call me Jag...
I guess if you have the name of the virus (or whatever similar) in question, people might be able to comment on it. I've been digging around for you some, but find nothing immediate on it. But would really need to know its name(s). The description as such, also in that blog article, is too vague to find results on it.
I guess as usual, the advice would be to make sure you have all the latest updates installed for your Operating System and virus scanner and spyware scanner and firewall software and such (and set all these to run automatically or at least to give you an automatic notification, so they'll always be pulling in their latest updates immediately), now run in-depth scans and just start weeding it out, revert to those companies' websites for any latest news on it.
Inasmuch as this thing would then be reported to address your router's NAT/DHCP resolving, I'm not sure however if any such measures would really address that. That is to say I'm quite sure such measures won't affect your router as such. It has long struck me as a possible vulnerability. Though I think a common router (as in of the simple modem variety) should be well-protected against this, unless you start messing around with it yourself. As in opening so forwarding ports to allow for torrent'ing or so. (That's where this NAT business comes into play.)
I guess in such cases, you'd just need to get yourself informed as to how to handle all that stuff, so how to adequately configure and protect your router. I also think many e.g. torrent users (or online multi-player games, etc. File sharing, which is what torrents are anyway, cute multi-platform and multi-media functions and whatnot. The infamous Windows "file and printer sharing" or what's that function, indeed) don't realize they are effectively turning their home machine into a server. Opening all sorts of vulnerabilities.
I'd strongly advise to dedicate a separate machine to this only. Then secure and preferably encrypt it as best as you can. And don't run anything else on it, nor store any other data, etc. However, if the vulnerability now lies with your router and you plug them all into the same one, of course this won't help much. (Though the machine itself would be harder to crack.)
Bottom line I guess, if you can't adequately secure all that, don't do it. And running a little home server not knowing what you're doing is really inviting trouble. Guess where all these worldwide zombie networks come from. Coupled with badly- or non-secured always-on networks or connections, indeed.
If I make it sound like I am some geek who knows what he's talking about btw, I really am not, and can't advise much further and may well have put half the above wrong. But basically, bang your machine into shape, and don't push it to beyond what you can't reasonably manage. Then of course you may always still run into something, but now hopefully whatever you have should be able to reasonably clean it up again.
Stupid thing is of course the way much modern technology rather invites you to do all this, without ever alerting you to the risks.
Heck, the latest version of my reputed but free (they of course have a paid version) software firewall by default sets half of your programs to have server rights. I guess in case you should ever find that "handy," and it won't give you so many "alerts." Well, that is in fact what I have it for, and I have no plans to ever turn this box into a server, thank you very much. It really is just crazy, and especially coming from this field. But so anyway, even all that "security" software you use, have a good look at its settings and again bang it well into shape, to whatever extent you understand it (can never hurt to occasionally look at it again, as you may now understand more of it), they can normally be set to be far more restrictive. If not, look for another one, or a paid one that will offer more options.
As an afterthought to that btw, if the problem does lie with your router, and if it has to do with its NAT settings or port forwarding that you've been configuring yourself, my first advice would be to restore it to its factory settings. This can usually be done internally, addressing your router's configuration screen; or if you've forgotten the password for it or so (good idea to change it from its default upon installation, since these are publicly known. Usually 1234 or so. Routers I know will demand you change it before proceeding with their installation, anyway), many may not offer an obvious physical button for this, but there'll usually be a tiny hole somewhere with a reset symbol or so to that effect. Insert a pin in here and hold for twenty seconds or so, while the router is on, and it will reset.
(How do you know? All the lights will go off, now after a while one by one go on again, as if when you'd taken the power off -- the latter however will not cause it to reset. As indeed of course just using the on/off button won't; I know many routers that won't allow you to switch them off anymore anyway, save for pulling the plug out. Stupid, but oh well. Did you know a majority of house fires in the west these days break out because of short-circuiting due to all these electronics we have on stand-by, and indeed can't even be switched off if you wanted to? Or what not having all that might save in electricity waste and costs? It's arguably not much, per gadget, but it does add up amazingly, now not to mention per so many households per country.)
The password too will now be the default one again of course, so you can again address it through your computer screen. --> If you now still don't know the default password, look it up here, for pretty much any router in existence: http://portforward.com/. Also much info there on the intricacies of port forwarding, as the title might suggest.
You'll now lose any of that port-forwarding functionality you introduced and any other settings you may have goofed around with, but at least it should be reasonably secured again. You can now start looking into it from scratch, if you insist.
Another thing is some routers include the infamous UPnP technology (Universal Plug and Play), if I'm not getting my terms mixed up and talking out of my behind. (It's the same technology that allows much of your external hardware to be automatically detected and installed and run.) In any case, in router terms this would be meant to automatically allow designated programs to have the appropriate ports forwarded, i.e., opened, i.e., gain server rights.
Can't say this ever worked for me on any of my routers anyway, but anyway it is notoriously unsafe. (As any hack and now of course the program affected can gain server rights. It's an obvious giant loophole.) Switch this off, if it's on (it ought to be off by default). Again, if you want to open that stuff, you should have the knowledge to do it manually, and none of these gadgets or programs should invite to do otherwise (though indeed sadly they often will, or put it right open for you anyway).
This UPnP btw should be OK for indeed easy program installation of your choice (say from a DVD or download that you asked for, and such. Plugging in a camera or MP player, etc.), however for network connectivity and so let's say inside a router it obviously opens up undesirable vulnerabilities.
Quote:
TheJag, have you found other reports on this issue, and if so, can you give the links? I find only the source you gave on it really (itself an internet security outfit, and not one I've ever heard of before), or I'm using the wrong search strings.
Just gave the article another good look. Hm, yes, well. I'd start by giving your machine a thorough check whether it isn't infected; your symptoms need not be related to the article's description.
If it would be due to that, looks like your machine wouldn't be infected at all, but indeed your router would have been compromised. (If so, I don't quite understand their mitigation suggestions: They say changing your router's password won't help, but still suggest to change it? What they describe would indeed seem to boil down to users leaving their router passwords set to default, and this being exploited. Then they suggest to manually assign the DNS server IP address; but the exploit they describe is that once in, presumably through this password exploit, the thing will reset the DNS server to its own, and change the password. I may be a layman, but you'd think if it can't break your own password, it can't get in, and if it can, it could change any DNS server address to its own. And unless of course something else in your router is answering where it shouldn't. Then finally they mention changing or applying some Firefox add-on; are you on Firefox? Would all those affected be? Or would it then indicate a Firefox bug rather? But then what indeed does Firefox have to do with your router?)
I frankly find the whole description a little murky, but then I'm no whizkid. It does have you wonder if they haven't misinterpreted something themselves, or are crying wolf. If it is what it is, it would seem to have pretty serious implications. So why isn't this all over the security community? This report is two days old. Checking some of the usual resources earlier (The Register, various established security companies), I've seen nothing on it. Moreover, I don't even find any cross-links to that article. But, well, maybe I really am using the wrong search strings.
But surely other viruses or similar could commonly cause you false redirects, so it really doesn't need to be related. Microsoft.com or Bing they never mention. As usual, I'd start at the simplest end, so just check if your machine isn't infected with a common virus or trojan or malware whatever. Oh, and don't put your machine online more than necessary while you're at it, right
Quote:
http://www.ipillion.com/ip/212.113.36.83
It can not be a malware on the PC as the problem persisted after a clean install of Windows.
Quote:
Hm, yes (but thanks for the link). Hardly anything technically conclusive
11 reports in two days, eh. A search on that IP address minus Ipillion again throws up very little. Though to redirect you to such a site would be very common behavior for some malware.
Quote:
Not sure if that's a sure-fire method of cleaning up one's system. (In fact, I don't think so.) Maybe if you formatted it while you're at it (will make you lose everything you ever had on it, of course. Then still, I've found you need to be pretty persistent to safely and adequately truly wipe a Windows box, and Windows itself isn't exactly open to this.) What do others think of this? Either way, before reinstalling one's OS in such events (or indeed reformatting!), I'd always first seek to just clean it up by the regular and good means at your disposal. Such drastic steps had better be left as a final recourse. And then just a reinstall is no less work, no.
I do sympathize, btw. This stuff is terribly annoying. Just trying to think along, and it might (hopefully...) indeed help any other affected users. Waiting for some real geeks to step in really, they should know much more about this than I do.
Have you thought of borrowing a router somewhere that works for you (or buying second-hand, whatever), safely installing, using randomized 12-digit password,* and seeing if the problem persists?
* Try Gibson's password generator: https://www.grc.com/passwords.htm. Yes, the problem now is you need to store these somewhere, of course, which is inherently unsafe. Ah, computers...
Or have you tried yet indeed taking your router offline, now resetting your router to its factory settings, now changing the password and checking its DNS settings (should obviously be neither 109.74.196.50 nor 212.113.36.83, and going by that article you gave, as well the second link. Not sure what there'll be now that you have reset it and are offline, btw, maybe it will have to be allotted a new one only once you do go back online), now going online again and see if that resolved it?
And besides a Windows reinstallation, have you in fact fired some good and updated virus and spyware scanners at your machine? That should really be your first step.
What I looked at was the different IP ranges in the responses on the page..
122.163.27.82 - Delhi
59.95.7.188 - Pune
59.183.129.195 - Mumbai
and me and another in Chennai... all of them report the same IP address showing up...
I was able to resolve the problem by changing the DNS server address on my system; if it were a malware then just a DNS server update would not have helped. I need the ISP username and password before I reset my router to fix its settings, so am holding off on that until I can call them...
The clean install was indeed the format-and-reinstall-everything type... us folks that worked with Microsoft (at least our center and the MS tech leads that worked with us) call the kind of install that is done without formatting the partition / disk a dirty install....
Mach... did you read Jag's link?
I never heard of this until this moment, but it sounds ridiculously easy. The vast majority of home modem/routers are left just as they come, and even the ones that are bought and configured by their owners are probably left with the default password (user admin, password password ... whoa! who'd'a guessed it!)
1. (not about this risk, but about all risks) change that password. Then turn off all the things like admin/telnet/etc. access from the WAN. I also turn off the stuff that allows my ISP to do remote changes/support/updates etc. If they want access to my modem they can ask first!
Now, about this risk...
2. Do not use DHCP.
That means, on your PC's network->TCP/IP properties untick the box that says something like "obtain a network address automatically*" and do your own configuration, part of which will be specifying one or two DNS servers.
I never have used DHCP. Just a personal preference, but now I have a good reason
3. Well, I don't think there is a "3"
4. (a kind of PS). You can even turn off the DHCP server on your router if it is not used. Actually, I have one Logitech Squeezebox that must get an IP, etc, by DHCP, so I can't. You must not turn off the DHCP client feature on the WAN (phone line) side of the router: it *must* be able to get its IP address, at least, by DHCP.
*Just looked: WinXP separates getting IP address and getting DNS automatically. You can do one without the other. You can specify your DNS servers but still get the IP.
I know nothing of later Windows versions.
Last edited by Nick-H; Jan 15th, 2012 at 02:41..
<Deleted, misunderstood, between How do we get into our router, or How did they get into our router.>
Quote:

The password which is your airtel number is usually the pppoe password.
The password which gives access to your router is the admin password, which is usually the default unless you have changed it, as I mention above.
I'm not using my Airtel Beetel modem just now, I'm using my own Netgear, so I can't check it out ... but there is another thing which I forget the name of, which "turned up" after some Airtel-initiated upgrade, and allows remote access/setup/etc, also as mentioned above. It's probably hackable, because ...most things are!
So... you know the login and password for most ADSL modems in the world. You know what happens when you type your modem's internal address into your browser? You get its admin page and a password prompt. How about trying its external (WAN) address? You know the ranges that are going to be in use, your own currently allotted IP address will give you the clue to dozens of others nearby ... so change that password, and make it a secure one! And make sure that web, telnet, etc access are turned off.
There have even been instances of people entering 192.168.1.1 and, on BSNL's network getting someone else's router! Don't ask me how this is even conceivable!
Switching to Google DNS
I came across this very issue on a friends win7 system where some specific websites like linkedin/microsoft were redirected to 212.113.36.83/.
There were issues updating 'Microsoft Security Essentials' as well. I changed over the DNS to Google DNS for now & the above issues were sorted out.
I'm sure there's more to be done to resolve this.
Last edited by Hyderabadi; Jan 17th, 2012 at 03:01..
Reason: Removed link.
Or, None-of-the-Above. I have not seen any mention in most security lists of any unusual activity in the past week in India. However, on any given Sunday, 7-10% of the PeeCees are 0wned paWned. More in some countries, less in another.
Unsafe networking is more unsafe than unsafe sex. However, unsafe sex can kill eventually. Unsafe networking at worst, can clean your bank account if you do banking online.
[Friends don't let friends do windoze]
Use winshark to see what's happening.
The link I posted in the first post details exactly what's happening. Reset your router/modem, change the default password to one of your choosing, and turn off WAN-side features which can in any way make the modem vulnerable to attack...
This is not something that is usually done. It's not raising alarm because there is no malicious intent or payload in the site that it redirects to... yet. That can soon change.
Edited: using winshark to troubleshoot this problem won't work because it doesn't lie in your network. It's happening on the WWW out there... if any network monitoring tool on our PC actually gets to sniff past the first DSLAM then one should really ditch that ISP.. though as Nick said that apparently happens on BSNL's network.
That said, the groundwork could have been done way before. There are 2 parts to this whole scenario.
1. Routers/CPE modems were hacked into (not very difficult considering hardly anyone changes default passwords) and a 3rd party DNS entry was made instead of the usual "obtain automatically"...
2. The DNS server entries for most common email/search/misc sites (I say misc because LinkedIn is also on the list) used in India are redirected to the offending IP 212.113.36.83.
Step 1 could have been accomplished long back. Possible that this has been done in other regions, but the ipillion link shows reports only from Indian addresses. Maybe other regions will see them being pointed to a different IP on the same server in the same data center.
Step 2 could have only just been triggered recently.
The way to get this noticed will be to report them to the ISPs in question. But I find the usual ISP CS reps in India so utterly brain dead I shudder at the thought of calling them up...
Last edited by thejag; Jan 17th, 2012 at 21:29..
Reason: added content
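A small check script, added here as an illustration and not part of the thread or of the eScan article: it asks the router-supplied resolver and an independent one (Google DNS, as Hyderabadi switched to) for the same names, flags any answer that is one of the addresses named in this thread, and flags a single address that several unrelated sites all resolve to, which is the pattern thejag describes for microsoft.com, Bing, LinkedIn and Yahoo. The 192.168.1.1 and 8.8.8.8 resolver addresses, the watch list and the sample answers in the comments are assumptions; the constructed-response helper exists only so the logic can be exercised offline.

```python
import random
import socket
import struct
from collections import defaultdict

# Addresses reported in this thread (and the eScan article) as the redirect target
# and the rogue DNS server; extend as new reports come in.
KNOWN_BAD_IPS = {"212.113.36.83", "109.74.196.50"}

def build_query(domain, txid=0x1234):
    """Minimal RFC 1035 query: header plus one A-record question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in domain.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_response(query, ips, txid=0x1234):
    """Constructed answer to `query` pointing at `ips`; for offline demos and tests only."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in ips)  # name is a pointer back to the question at offset 12
    return header + query[12:] + rrs

def _skip_name(msg, off):
    """Return the offset just past a label sequence, handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length

def parse_a_records(msg, txid=0x1234):
    """Collect IPv4 answers from a response; reject wrong ids and error RCODEs."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def query_a(domain, nameserver, timeout=3.0):
    """Ask one specific resolver over UDP/53 (the router's LAN address, or 8.8.8.8)."""
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain, txid), (nameserver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)

def registrable(domain):
    """Crude registrable-domain approximation (last two labels); fine for this watch list."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def shared_ip_hits(results, min_orgs=3):
    """{ip: [domains]} for every address that several unrelated domains resolve to."""
    by_ip = defaultdict(set)
    for domain, ips in results.items():
        for ip in ips:
            by_ip[ip].add(registrable(domain))
    return {ip: sorted(orgs) for ip, orgs in by_ip.items() if len(orgs) >= min_orgs}

def classify(domain, local_ips, reference_ips, bad_ips=KNOWN_BAD_IPS):
    """Verdict for one name from the router-supplied answer and an independent one."""
    local_ips, reference_ips = set(local_ips), set(reference_ips)
    if local_ips & bad_ips:
        return "HIJACKED"  # the redirect address from the thread came back
    if not local_ips:
        return "NO_ANSWER"
    if local_ips & reference_ips:
        return "OK"  # at least one answer agrees with the reference resolver
    return "MISMATCH"  # CDN geo-answers cause this too; inspect before concluding

def audit(local, reference, bad_ips=KNOWN_BAD_IPS):
    """Per-name verdicts plus any address shared across unrelated sites."""
    verdicts = {d: classify(d, local.get(d, ()), reference.get(d, ()), bad_ips) for d in local}
    return verdicts, shared_ip_hits(local)

def live_audit(names, router_dns="192.168.1.1", reference_dns="8.8.8.8"):
    """Resolve `names` through both resolvers and audit them; needs network access."""
    return audit({n: query_a(n, router_dns) for n in names},
                 {n: query_a(n, reference_dns) for n in names})
```

On an affected setup, live_audit(["www.microsoft.com", "www.bing.com", "www.linkedin.com"]) with the router's LAN address returns HIJACKED verdicts and lists 212.113.36.83 as shared by all three; after the DNS change the same call should return OK and no shared address.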
Quote:
Essentially most PC/Mac/Linux/Prop-OS based tools help in looking at to-fro traffic between your LAN and the World. Sometimes, one is surprised at the amount of cruft that seems to call home periodically.