Checking the router for viruses. Avast writes that the router is vulnerable, infected, or configured incorrectly

Dear readers, to save your time, let's get to the main point straight away. If there are Trojans or viruses on the computer, ALL of the following helps for only 5-7 days. During this period port scans arrive from the Internet, but AFTER the router is hacked there is a suspicious silence: the scans stop, because the infected router no longer lets them through to the PC; it now accepts commands and executes them itself. This affects the Internet speed, which drops.

If your router is already infected, expect theft of FTP, email and other passwords in the near future.

Back in 2009, DroneBL informed the world about the (beginning of an?) epidemic of viruses that infect routers. The news appeared after an attack on their site; the site's administrators revealed that this was a fundamentally new kind of DDoS attack, carried out by infected routers. So the "family" of zombie computers gained a new member: the zombie router. A botnet consisting of infected home routers had been discovered; they called it "psyb0t". This is how the router virus epidemic officially began.

Hacking occurs by scanning the router's ports and seizing control over it. Unfortunately, there are articles on the Internet about which router models are the easiest to hack. But it is also there that you can find out how to protect yourself from this disaster. Once control over the router is established, the following begins: spying on the contents of passing traffic; password theft; joining the general malicious activity of botnets on the worldwide Internet; and scanning the ports of your home PC, which I will go into in more detail here. The author managed to establish that a network connection to a hacked router leads to the following problems. When you reinstall the firewall, viruses appear out of nowhere in the system. When trying to install Debian or Ubuntu while downloading updates during the installation process, these systems did not install correctly. Namely:

  1. The installed Firestarter cannot be launched: the administrative prompt runs and that's it, i.e. something is launched with admin privileges, but what is unknown. Firestarter itself just won't start.
  2. If there is an Internet connection, Deadbeef does NOT start; as soon as the router is turned off, it starts immediately.
  3. Some applications that require admin privileges launch without asking for a password; others do not start at all.
  4. Since this article was written, these symptoms have become less pronounced. That is, the problems will still be there, but they will LOOK different.

Reinstallation ON THE SAME computer, FROM THE SAME installation disk, with the router turned OFF, completed successfully. The system (tested on Ubuntu) worked like clockwork. This is not surprising, because routers run Linux (MIPSEL). Of course, the harm that comes from a zombie router is "more varied" than what I noticed and described here, but I am sharing what I have at the moment...

The installed Windows (with the infected router disconnected) "survived", but Agnitum Outpost Firewall Pro detected port scans from the very first minutes after installation, i.e. the router was attacking the port(s).

Fig. Scans of my ports from the Internet and, finally, from the infected router.

As you can see in the figure, on 04/27/2017 at 23:51:16 the scan came from the zombie router. Before that there were scans from Kaspersky Security Network - 130.117.190.207 (the firewall doesn't "like" them, but this is normal when Kaspersky is installed) and from unknown sources. And on 04/27/12 the router settings were reset to factory settings (Huawei HG530). Since then, they originate only from Kaspersky Security Network - 130.117.190.207 and ARP_UNWANTED_REPLY, because the author has enabled ARP filtering. Therefore the router's attempts to "talk" to the PC on its own initiative (this is normal router activity, but now Agnitum passes only those ARP replies that come in response to a request from my PC), as well as attempts by certain individuals to intercept traffic with a fake ARP reply, are blocked by the firewall. If someone intercepts my traffic in this way and passes it through their computer, then I am in the position of an office employee using the Internet while the company's system administrator sees all my actions and draws up a detailed report for the boss: how many letters were written (to whom, about what), how much was chatted on ICQ. Of course, email passwords and the like can be stolen the same way.
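The distinction the figure makes, scans arriving from the Internet versus scans originating from the router's own LAN address, can be automated. The following is an added example (not the author's tool or an Outpost export); the log format and all addresses except the KSN address quoted above are constructed, and the LAN gateway and subnet are assumptions passed in as parameters.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of firewall-style alerts in a simplified one-line format.
SAMPLE_LOG = """\
2017-04-27 23:40:02 PORT_SCAN src=130.117.190.207 dst_port=445
2017-04-27 23:45:10 PORT_SCAN src=203.0.113.54 dst_port=23
2017-04-27 23:51:16 PORT_SCAN src=192.168.1.1 dst_port=139
2017-04-27 23:51:17 PORT_SCAN src=192.168.1.1 dst_port=445
2017-04-28 00:02:31 ARP_UNWANTED_REPLY src=192.168.1.1 dst_port=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>\S+) src=(?P<src>\S+) dst_port=(?P<port>\S+)$"
)


def classify_line(line, lan_gateway, lan_net, known_benign):
    """Parse one alert line and label where its source address sits."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not an alert line; ignore
    src = ipaddress.ip_address(m["src"])
    if str(src) == lan_gateway:
        label = "router"        # the gateway itself is probing the PC
    elif src in lan_net:
        label = "lan-host"      # another machine on the home network
    elif str(src) in known_benign:
        label = "benign-known"  # e.g. a security vendor's cloud service
    else:
        label = "internet"
    return (m["ts"], m["event"], str(src), label)


def triage(log_text, lan_gateway="192.168.1.1", lan_cidr="192.168.1.0/24",
           known_benign=()):
    """Return parsed events, the subset of PORT_SCANs sent by the router,
    and a count of events by origin."""
    lan_net = ipaddress.ip_network(lan_cidr)
    benign = set(known_benign)
    events = [e for e in (classify_line(l, lan_gateway, lan_net, benign)
                          for l in log_text.splitlines()) if e]
    router_scans = [e for e in events if e[3] == "router" and e[1] == "PORT_SCAN"]
    return {"events": events, "router_scans": router_scans,
            "by_origin": dict(Counter(e[3] for e in events))}
```

Any PORT_SCAN labelled "router" is the symptom the author describes: the gateway, not the Internet, is probing the PC.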

The result is that from the moment I reset my router and did what I describe below, there have been no attacks from the Internet. The "gunner" has been eliminated; the router is clean and does ONLY what it was designed for. But the Trojan on the PC must also be removed, otherwise it will lead hackers to your IP.

Those who make network equipment do not offer security measures. The instructions for routers describe how to enter the login and password for accessing the provider, but there is not a word that the default admin password must not be left in the router! In addition, routers necessarily have remote-management features, which are often enabled. Manufacturers of antivirus software are silent. The question inevitably arises: who benefits from this?

Routes of infection.

It's better to see it once. For this reason, I offer a GIF animation with a schematic analysis of the situation. If it is not visible, then Adblock or something similar is interfering; turn it off on this page.

There are two of them. The first is via the WAN, i.e. the Internet: hackers find your IP, for example, when you download or distribute files using the torrent protocol (more on this at the end of the article), and by scanning your IP they find weak spots in the router's security. But this is less common. How to close these gates is described further in this article.

Or there is a Trojan on our PC, and it leads hackers to our dynamic (!) IP. Knowing this address, they methodically hack the router. Read about Trojans under the second route of infection.

The second is via the LAN, that is, from your PC. If there is a Trojan on your PC, hackers will be able to guess the router password directly from your PC. Therefore, this password must be changed from time to time. But what about the fact that an infected computer attacks the router from the side that is not protected? First, you need to understand that a clean router with an infected PC will not last long. Regular brute force (password guessing) will break it in a week, or even faster. So, if you have to clean your router often, it's time to think about completely cleaning the PC of viruses.

And now the main point: where does the virus/Trojan on the PC come from? I list the main causes, with solutions in brackets. The options are:

1 - a cracked Windows was installed from the start (use clean installation disks);

2 - a clean Windows was cracked after installation (either put up with it and reinstall it monthly, or buy Windows);

3 - cracked software (use free programs or buy paid ones);

4 - there is a virus in your personal files (run all personal files through cleaning, as I described in cleaning the system of viruses);

5 - the system got infected during use, via a flash drive, the Internet, or who knows how (protection: study safe use of the Internet and of flash drives; about the last point I'll keep silent).

Separately, I note that having discovered the router's IP, hackers begin to scan it in order to get at the encrypted password and then seize control using the stolen password. So do not leave the router turned on if you do not need Internet access right now.

BUT!!! Even if you download using a virtual machine, they will start hammering your router. Turning it off and on again during the process helps here, and the MAIN THING is that after the torrent finishes downloading and the router restarts, the provider gives it a new dynamic IP, and hackers can only guess which address you are on now, and what your router's address is... Of course, you won't be left without the distributions: after the download is complete, immediately close the torrent client, and AFTER that turn the router off and on.

And generally speaking:

DO NOT KEEP THE ROUTER TURNED ON UNLESS YOU NEED IT! Don't give petty hackers access to your property again... Don't forget to clean your router every time the Internet connection speed drops for no reason. Caution won't hurt...

That's it. Now you can take the factory instructions for your router and enter the login and password issued by your Internet provider. This is usually done on the WAN settings tab. Now your router can no longer be controlled via the Internet. At least for now.

In light of the increasing number of cases of DNS substitution by malware on Internet users' devices, the security of Wi-Fi routers becomes an issue. How do you check your router for viruses? How do you remove a virus from a router? The question is complex and simple at the same time. There is a solution!

The virus itself cannot write itself to most modern routers, because of the small amount of memory in the router, but it can zombify the router to participate in a botnet. As a rule, this is a botnet for attacking various servers, or for redirecting and analyzing the flow of information leaving you for the Internet.

Your passwords and personal correspondence could fall into the hands of attackers!

This needs to be fixed as quickly as possible.

  • Resetting the router
  • Router firmware
  • Resetting

Resetting the router

You can reset the router settings by pressing the reset button. Usually this button is on the back of the router, where the LAN ports are. It is usually recessed in a hole to avoid accidental presses, so you have to use a toothpick. This will delete the router settings changed by the virus and restore the factory settings in their place. I must warn you that if you do not know how to configure a router, you should not reset its settings!

Router firmware

Sometimes the virus "flashes" modified firmware to the router. To remove virus firmware from the router, you can reflash the router.

Connect the computer to the router with a LAN cable; a LAN cable is included with any router. Or via Wi-Fi if a cable connection is not possible. It's better to connect with a cable! A wireless connection is considered unstable and is not suitable for flashing router firmware.

After connecting to the router, open the browser (Chrome, Opera, Mozilla, IE) and enter the router's address in the address bar; for ASUS it is 192.168.1.1. On the page that opens you will need to enter the login and password for the router settings. Login: admin, Password: admin. If the login and password do not work, ask the person who set up the router for you; perhaps they changed them.

Download the firmware from the manufacturer's website and select the firmware file on disk using the router settings page. For the vast majority of routers, the firmware steps are the same.

VPNFilter is a threat that affects a wide variety of router and network-attached storage (NAS) models. VPNFilter can collect confidential information, interfere with network traffic and disrupt the operation of the router. This malware easily survives a router reboot.

Symantec offers a free online tool to perform a quick check of the router for VPNFilter infection.

Important information

The online tool checks whether your device has been compromised by a VPNFilter component known as the ssler plugin. If your router is not infected with the ssler plugin, it may still be compromised by other threats or VPNFilter components.

If you are concerned or suspect that your router is infected with VPNFilter, you should follow the recommendations below.

What to do if infected

If you are concerned that your router is infected with VPNFilter, we recommend following these steps:

  1. Reset your router to restore the factory settings. Save your router configuration first, as you will need to reconfigure it afterwards.
  2. Turn off and restart your router. Please note that simply restarting your router without first performing a factory reset will not remove VPNFilter.
  3. Change the administrator password for your router to a more secure one. If possible, disconnect your router from the Internet while performing this step.
  4. Install the latest updates and firmware for your router.

To protect yourself from the Trojan.Rbrute Trojan, which attacks TP-Link modems/routers, you need to meet several simple conditions. The virus spreads by brute-force scanning of IP addresses in a certain range, after which password guessing begins using the brute-force method. Almost all popular TP-Link router models are susceptible to the attack. Having made its way into the device settings, the Trojan changes the provider's DNS addresses to the attackers' addresses.

Your router is infected if:

When trying to open any site, be it remont-sro.ru or the Gmail.com service, a fake Google Chrome download site or other suspicious resources open instead. Initially, the redirect only worked for user requests containing the words Facebook or Google, but now the Trojan responds to any of them. The indicators on the modem remain the same, "Internet" lights up steadily, the computer shows that the connection is established and authorization has been completed, but the Internet itself does not work; it only redirects to advertising and/or fake download pages.
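The DNS substitution described above leaves two measurable traces: the router's configured DNS servers no longer match the provider's, and unrelated sites all resolve to the attackers' server. The following check is an added example, not part of the original article or of any vendor tool; the sample data, the placeholder "expected" resolver addresses and the live-lookup helper are constructed assumptions.

```python
import socket
from collections import defaultdict


def dns_hijack_indicators(router_dns, expected_dns, answers,
                          trusted_answers=None, min_collapse=3):
    """Return a list of indicator strings; an empty list means nothing suspicious.
    router_dns:      DNS servers configured in the router (from its WAN/DHCP page)
    expected_dns:    the provider's (or your chosen) DNS servers
    answers:         {domain: [ip, ...]} as resolved through the router
    trusted_answers: same shape, resolved through a known-good resolver (optional)
    """
    findings = []
    # 1. The Trojan swaps the provider's DNS servers for its own.
    for server in router_dns:
        if server not in expected_dns:
            findings.append(f"router DNS server {server} is not in the expected set "
                            f"{sorted(expected_dns)}")
    # 2. Many unrelated domains resolving to one address is the redirect symptom.
    by_ip = defaultdict(set)
    for domain, ips in answers.items():
        for ip in ips:
            by_ip[ip].add(domain)
    for ip, domains in by_ip.items():
        if len(domains) >= min_collapse:
            findings.append(f"{len(domains)} unrelated domains all resolve to {ip}: "
                            f"{sorted(domains)}")
    # 3. Router answers that share nothing with a trusted resolver's answers.
    for domain, ips in (trusted_answers or {}).items():
        if domain in answers and ips and not set(ips) & set(answers[domain]):
            findings.append(f"{domain}: router says {answers[domain]}, "
                            f"trusted resolver says {ips}")
    return findings


def resolve_via_system(domains):
    """Live lookup through the system resolver, which normally is the router."""
    out = {}
    for d in domains:
        try:
            out[d] = socket.gethostbyname_ex(d)[2]
        except socket.gaierror:
            out[d] = []
    return out


# Constructed sample: a hijacked router handing every site to one attacker server.
SAMPLE_ROUTER_DNS = ["198.51.100.9"]
SAMPLE_EXPECTED_DNS = {"203.0.113.1", "203.0.113.2"}  # placeholder ISP resolvers
SAMPLE_ANSWERS = {"gmail.com": ["198.51.100.77"], "remont-sro.ru": ["198.51.100.77"],
                  "facebook.com": ["198.51.100.77"]}
```

Check 3 can fire legitimately for CDN-hosted sites, which answer differently per resolver, so treat it as supporting evidence rather than proof on its own.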

Point 1. Reset. Reconfiguring the modem
The instructions were prepared by Maria Korchagina, a specialist at the GTP TsOO

If you cannot access the modem settings via 192.168.1.1, try the address 192.168.42.1.

This page gives the settings only for the Internet service. To set up IP-TV and Wi-Fi, download the full manuals:

Russian version - http://yadi.sk/d/JC6l6FPVRbU9P

English version - http://yadi.sk/d/j6Ly7bA4RbU8r

1. To properly reset the settings on the modem, use a needle/pen refill/toothpick to hold down the Reset button in the small recess. Hold for 5 to 15 seconds until the indicators on the device go out. The lights should go out just as after a normal router reboot.

2. For configuration, connect the modem by cable to any LAN port; do not configure over a Wi-Fi connection.

3. Log in to the router interface via Internet Explorer at 192.168.1.1. A dialog box will open. In the "Username" and "Password" fields, enter admin/admin respectively. The router's start page will open (see below).

On this page you will see what settings already exist:

4. Before you start setting up the router, you need to delete all previously created settings. To do this, go to "Interface settings" -> "Internet", select "Virtual channel" PVC0, and at the bottom of the page click the "Delete" button. Do this for every virtual channel (there are only 8 of them).

As a result, this is what you should see (go to the "Status" section again):

5. Now go to "Interface settings" and select the "Internet" subsection (see screenshot below). Specify the parameters as in the screenshot below (user and password: rtk), then save all the parameters by clicking the "Save" button.
This completes the setup for PPPoE mode.

Point 2. Changing the router login password

To change the password, go to "Device Operation", then "Administration", where the password for logging into the router is changed (come up with a complex password) (see screenshot below). Then press the "Save" button.

Point 2.5. List of passwords that are not recommended for the router

111111
12345
123456
12345678
abc123
admin
Administrator
password
qwerty
root
tadpassword
trustno1
consumer
dragon
gizmodo
iqrquksm
letmein

The virus already "knows" all these passwords, and guessing one of them takes 1 second. The password should not consist only of numbers or only of letters. Special characters (hashes, asterisks, percent signs, quotation marks) and letters of different case (uppercase and lowercase) MUST be present. The longer and more varied the password, the longer it will take to "brute" it (if it can be done at all).
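The rules above (not on the weak list, mixed character classes, length) and the earlier remark that regular brute force breaks a router in about a week can be turned into a check. The following is an added example, not the author's; the guessing rate and the 12-character minimum are assumed parameters, and the keyspace estimate is the worst case for an attacker who must try every combination.

```python
import string

# The weak-password list from Point 2.5, compared case-insensitively.
WEAK_ROUTER_PASSWORDS = {p.lower() for p in (
    "111111", "12345", "123456", "12345678", "abc123", "admin", "Administrator",
    "password", "qwerty", "root", "tadpassword", "trustno1", "consumer", "dragon",
    "gizmodo", "iqrquksm", "letmein",
)}

CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def check_router_password(pw, guesses_per_second=1000.0, min_len=12):
    """Return (ok, reasons, worst_case_seconds).
    guesses_per_second: assumed online guessing rate against the admin page.
    worst_case_seconds: time to exhaust the keyspace of the classes actually used;
    0.0 means the password is on the list and falls on the first attempts."""
    reasons = []
    if pw.lower() in WEAK_ROUTER_PASSWORDS:
        return False, ["on the known weak-password list"], 0.0
    present = {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}
    for name in CLASSES:
        if name not in present:
            reasons.append(f"missing {name} characters")
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    # Characters outside the four classes (e.g. Cyrillic) add nothing to the estimate.
    alphabet = sum(len(CLASSES[n]) for n in present)
    seconds = (alphabet ** len(pw)) / guesses_per_second if alphabet else 0.0
    return not reasons, reasons, seconds


def survives_a_week(pw, guesses_per_second=1000.0):
    """True if exhausting the keyspace takes longer than the week quoted above."""
    ok, _, seconds = check_router_password(pw, guesses_per_second)
    return ok and seconds > 7 * 24 * 3600
```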