Stories
Slash Boxes
Comments

SoylentNews is people

New Worm Attacking Linksys Routers

posted by robind on Friday February 14 2014, @01:39AM   Printer-friendly
from the entry-level dept.

AudioGuy writes:

"Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.

The worm works by injecting vulnerable devices with a URL-encoded shell script that carries out the same seek-and-hijack behavior. The exploit may also change some routers' domain name system server to 8.8.8.8 or 8.8.4.4, which are IP addresses used by Google's DNS service. Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People who are wondering if their device is infected should check for heavy outbound scanning on port 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024.

This blog post at Sans contains more technical details including a way to test if you have a vulnerable device."

 
This discussion has been archived. No new comments can be posted.
New Worm Attacking Linksys Routers | Log In/Create an Account | Top | 10 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1) by cculpepper on Friday February 14 2014, @06:41PM

    by cculpepper (46) on Friday February 14 2014, @06:41PM (#90)

    Wonder why it changes the to DNS to Google's DNS server? Maybe to improve performance so people are less likely to throw away infected/ susceptable routers?

  • (Score: 1) by mrbluze on Friday February 14 2014, @08:17PM

    by mrbluze (49) on Friday February 14 2014, @08:17PM (#95) Journal

    Wonder why it changes the to DNS to Google's DNS server? Maybe to improve performance so people are less likely to throw away infected/ susceptable routers?

    Or maybe Google's DNS server is more forgiving.

    --
    Do it yourself, 'cause no one else will do it yourself.

  • (Score: 1) by toygeek on Saturday February 15 2014, @12:23AM

    by toygeek (28) on Saturday February 15 2014, @12:23AM (#127) Homepage
    Many ISP's use DNS to block known bots. Perhaps Google is less diligent in this manner? I do not know if that is the case and I'm too lazy to look it up.
    --
    There is no Sig. Okay, maybe a short one. http://miscdotgeek.com