Could there be a virus in the router? How to check your router for viruses and clean it: our tips


In light of the increasing number of cases where malware substitutes the DNS server addresses on Internet users' devices, the question of Wi-Fi router security arises. How do you check your router for viruses? How do you remove a virus from a router? The question is complex and simple at the same time. There is a solution!


On most modern routers the virus cannot write itself into the device's small flash memory, but it can turn the router into a zombie that participates in a botnet. As a rule, this is a botnet for attacking various servers, or for redirecting and analyzing the traffic that leaves your network for the Internet.

Your passwords and personal correspondence could fall into the hands of attackers!

This needs to be fixed as quickly as possible.

  • Resetting the router
  • Router firmware
  • Resetting

Resetting the router

You can reset the router settings by pressing the reset button. Typically this button is located on the back of the router, where the LAN ports are. Usually the button is recessed into a hole to avoid accidental pressing, so you have to use a toothpick. This deletes the router settings changed by the virus and restores the factory settings in their place. I must warn you: if you do not know how to configure a router, you should not reset it!

Router firmware

Sometimes the virus uploads modified firmware to the router. To remove malicious firmware from the router, you can flash the router again with firmware from the manufacturer.

Connect the computer to the router with a LAN cable (one is included with any router), or via Wi-Fi if a cable connection is not possible. It is better to use a cable: a wireless connection is considered unstable and is not suitable for updating the router firmware.

After connecting to the router, open a browser (Chrome, Opera, Mozilla, IE) and enter the router's address in the address bar; for ASUS it is 192.168.1.1. On the page that opens you will need to enter the login and password for the router settings. Login: admin, Password: admin. If the login and password are not accepted, ask the person who set up the router for you; perhaps they changed them.

Download the firmware from the manufacturer's website and, on the router's settings page, select the firmware file on disk. For the vast majority of routers the flashing steps are the same.


Your router is one of the weakest links in your security and researchers have proven it once again.

Sixty security flaws were found in 22 router models around the world, mostly those provided by Internet service providers. These vulnerabilities could allow hackers to hack devices, change passwords, and install and execute malicious scripts that change DNS servers. This way, hackers can redirect you to malicious sites or download malicious code onto your computer when you visit official web pages.

The vulnerabilities also allow hackers to read and write information on USB storage devices connected to a compromised router.

The study describes how attackers can gain access to PCs, namely through a backdoor with a universal password that the provider's technical staff use to remotely assist customers over the phone. This second account with administrator rights is hidden from the router owner by default.

What router models were tested?

The researchers tested the following models: Amper Xavi 7968, 7968+ and ASL-26555; Astoria ARV7510; Belkin F5D7632-4; Linksys WRT54GL; Comtrend WAP-5813n, CT-5365, AR-5387un and 536+; D-Link DSL-2750B and DIR-600; Huawei HG553 and HG556a; Netgear CG3100D; Observa Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Sagem LiveBox Pro 2 SP and Fast 1201; and Zyxel P 660HW-B1A.
Since the researchers are from Madrid, the main target of their research was routers provided by Spanish Internet providers, but Linksys, D-Link and Belkin are widely used in Russia and other countries.

How can you protect your router?

All Avast antiviruses have a built-in Home Network Security (HNS) feature that scans for poorly configured Wi-Fi networks, pointing out weak or default Wi-Fi passwords, vulnerabilities in the router, hijacked Internet connections, and an enabled but unprotected IPv6 protocol. This feature also shows a list of devices connected to the network, which helps you make sure that only devices you know are connected to your network. Avast is the only information security company that offers the ability to protect this area.

How to scan your home router with Home Network Security?

Open the Avast user interface, click the Scan button from the left menu, then select Network Threat Scanning.
Avast will scan your router and provide a report on the threats found. In most cases, if a threat is detected that requires your attention, Avast will direct you to the router manufacturer's website.

Dear readers, to save your time, let's get to the main point straight away. EVERYTHING described below helps for only 5-7 days if there are Trojans or viruses on the computer. During this period, scans arrive from the Internet, but AFTER the hack there is a suspicious silence: there are no more scans, because the infected router no longer lets them through to the PC; it accepts commands and executes them itself. This affects the Internet speed, which drops.

If your router is already infected, then theft of FTP, email and other passwords will happen in the near future.

Already in 2009 a certain DroneBL informed the world about the (beginning of an?) epidemic of viruses that infect routers. The news appeared after an attack on their site; the site's administrators revealed that this was a fundamentally new type of DDoS attack: it was carried out by infected routers. So the "family" of zombie computers gained a new addition, zombie routers. A botnet consisting of infected home routers was discovered! They called this network "psyb0t". This is how the router virus epidemic officially began.

Hacking occurs by scanning the router's ports and seizing control over it. Unfortunately, there are articles on the Internet about which router models are the easiest to hack. But it is there that you can also find out how to protect yourself from this disaster. After control over the router is established, the spying begins: inspection of passing traffic, password theft, participation in the general malicious activity of botnets on the world Internet, and scanning of the ports of your home PC. I will go into more detail on that last point here. The author was able to establish that having a network connection to a hacked router leads to the following problems. When you reinstall the firewall, viruses appear out of nowhere in the system. When trying to install Debian or Ubuntu while downloading updates during the installation process, these systems did not install correctly. Namely:

  1. It is impossible to launch the installed Firestarter: the administrative prompt starts and that's it, i.e. something is launched with admin privileges, but what is unknown. Firestarter itself just won't start.
  2. If there is an Internet connection, Deadbeef does NOT start; as soon as you turn off the router, it starts immediately.
  3. Some applications that require admin privileges are launched without asking for a password, others do not start at all.
  4. Since this article was written, these symptoms have become less pronounced. That is, there will still be problems, but they will LOOK different.

Re-installation ON THE SAME computer, FROM THE SAME installation disk, with the router OFF, was successful. The system (tested on Ubuntu) worked like clockwork. This is not surprising, since routers running Linux on MIPSel (little-endian MIPS) were the first to be targeted. Of course, the harm that comes from a zombie router is "more varied" than what I noticed and described here, but I can only share what I have observed...

The installed Windows (with the infected router disabled) "survived", but Agnitum Outpost Firewall Pro detected port scans from the very first minutes after installation. That is, the router was attacking the port(s).

Figure: scanning of my ports from the Internet and, finally, from the infected router.

As you can see in the figure, on 04/27/2017 at 23:51:16 the scan came from the zombie router. Before this, there were scans from Kaspersky Security Network, 130.117.190.207 (the firewall doesn't "like" them, but this is normal when Kaspersky is installed), and from unknown sources. And on 04/27/12 the router settings were reset to factory settings (Huawei HG530). Since then, scans have come only from Kaspersky Security Network, 130.117.190.207, plus ARP_UNWANTED_REPLY events, because the author has enabled ARP filtering. As a result, the router's attempts to "talk" to the PC unprompted (normal router activity, but now Agnitum passes only those ARP replies that answer a request from my PC), as well as attempts by certain individuals to intercept traffic using a spoofed ARP reply, are blocked by the firewall. If someone intercepts my traffic in this way and passes it through their computer, I am in the position of an office employee using the Internet while the company's system administrator sees all my actions and draws up a detailed report for the boss: how many letters were written (to whom, about what), how much was chatted on ICQ. Of course, email passwords and the like can also be stolen this way.

The result is that from the moment I reset my router and did what I describe below, there have been no attacks from the Internet. The "gunner" has been eliminated; the router is clean and does ONLY what it was designed for. But the Trojan on the PC must also be removed, otherwise it will lead the hackers back to your IP.

Those who make network equipment do not offer security measures. The instructions for routers describe how to enter the login and password for accessing the provider, but there is not a word that the default admin password must not be left in place! In addition, routers invariably have remote management functions, which are often turned on. Antivirus vendors are silent. The question inevitably arises: who benefits from this?

Routes of infection.

It's better to see it once. For this reason, I offer a GIF animation with a schematic analysis of the situation. If it is not visible, then Adblock or something similar is interfering - turn it off on this page.

There are two of them. The first is via the WAN, i.e. the Internet. Hackers find your IP, for example when you download or share files using the torrent protocol (more on this at the end of the article), and by scanning your IP they find weak spots in the router's security. But this is less common. How to close these gates is explained further in this article.

Or there is a Trojan on our PC, and it leads the hackers to our dynamic (!) IP. Knowing this address, they then methodically hack the router. We read about Trojans under the second route of infection.

The second is via the LAN, that is, from your PC. If there is a Trojan on your PC, hackers will be able to guess the router's password directly from your PC. Therefore, this password must be changed from time to time. But what about the fact that an infected computer attacks the router from the side that is not protected? First, you need to understand that a clean router with an infected PC will not stay clean for long. Regular brute force (password guessing) will break it in a week, or even faster. So, if you have to clean your router often, it's time to think about completely cleaning the PC of viruses.

And now the key question: where does the virus/Trojan on the PC come from? I list the main causes, with solutions in brackets. The options are:

1 - a cracked Windows was installed from the start (use clean installation disks);

2 - a clean Windows was cracked after installation (either put up with it and reinstall monthly, or buy Windows);

3 - cracked software (use free programs or buy paid ones);

4 - there is a virus in your personal files (run all personal files through cleaning, as I described in the article on cleaning the system of viruses);

5 - the system became infected during use, via a flash drive, the Internet, or who knows how (protection: study how to use the Internet safely; as for flash drives and the last point, I will keep silent).

Separately, I note that having discovered the router's IP, hackers begin to scan it in order to find a way to the encrypted password and then seize control using the stolen password. So do not leave the router turned on if you do not need Internet access right now.

BUT!!! Even if you boot from a virtual machine, they will start hammering your router. Turning it off and on again during the process helps here, and the MAIN THING after the torrent download finishes is that after a restart the provider gives the router a new dynamic IP, and the hackers are left to guess which address you are on now, and what your router's address is too... Of course, this means you will not stay seeding: after the download is complete, immediately close the torrent client, and only AFTER that turn the router off and on.

And generally speaking

DO NOT KEEP THE ROUTER TURNED ON UNLESS YOU NEED! Don’t let petty hackers access your property again... Don’t forget to clean your router every time the Internet connection speed drops unreasonably. Caution won't hurt...

That's it. Now you can take the factory instructions for your router and specify the login and password issued by your Internet provider. This is usually done on the WAN settings tab. Now you won’t be able to control your router via the Internet. At least for now.

This may seem strange to you, but there are viruses that infect not computers, laptops, or mobile devices, but routers.

Why do this? Because although your router does not store any valuable information, access to this device allows the attacker to change the DNS server settings. This, in turn, allows scammers to forward some of your requests to fake sites, where you will enter sensitive information useful to them. Many router models are susceptible to infection; it makes no sense to give a list, since it is constantly growing. For your safety, I recommend following the recommendations below, which will help you avoid infection.

How does the virus work?

Your computer becomes infected with a virus called Win32.Sector. That, in turn, downloads Trojan.Rbrute from a special server; Rbrute searches the network for routers and tries to gain access to their configuration. After gaining access, it changes the DNS addresses configured in the router to its own. From then on, all devices connected to the router are led to the page from which Win32.Sector is downloaded.

Signs that the router has been infected:

  • The "Internet" icon is lit, but you cannot reach most sites, or the wrong sites load instead of the ones you wanted to open
  • Strange websites open spontaneously
  • The computer cannot obtain an IP address from your network (it assigns itself an address like 169.254.xxx.xxx, the link-local range Windows falls back to when DHCP fails)
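The checks a defender would run for the symptoms above, as an added example that is not part of the original article: it parses the resolver list a PC received from the router, flags any resolver that is neither the router's own LAN address nor on an allowlist, compares answers from the router-supplied resolver with those of a trusted resolver (a DNS-changer shows up as differing answers), and recognises the 169.254.x.x fallback address. All addresses, names and answers are constructed sample data; the allowlist is hypothetical.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the resolvers a PC received via DHCP from the router, in
# /etc/resolv.conf form. 203.0.113.7 stands in for an attacker-controlled DNS
# server that a hijacked router has started handing out alongside itself.
SAMPLE_RESOLV_CONF = """# Generated by DHCP client
nameserver 192.168.1.1
nameserver 203.0.113.7
"""

# Constructed A-record answers for the same names, as returned by the
# router-supplied resolver and by a resolver we trust (for example the
# provider's, queried directly). A differing answer is the hijack signature.
SAMPLE_ROUTER_ANSWERS = {"bank.example": "203.0.113.55", "news.example": "198.51.100.20"}
SAMPLE_TRUSTED_ANSWERS = {"bank.example": "198.51.100.10", "news.example": "198.51.100.20"}

# Hypothetical allowlist of resolvers that are legitimate besides the router.
DNS_ALLOWLIST = {"198.51.100.53"}

def parse_resolvers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def classify_resolvers(resolvers: List[str], lan_net: str,
                       allowlist=frozenset()) -> List[Tuple[str, str]]:
    """Label each resolver: the router's own LAN address and allowlisted
    servers are expected; anything else is what a DNS-changer leaves behind."""
    net = ipaddress.ip_network(lan_net)
    verdicts = []
    for server in resolvers:
        if ipaddress.ip_address(server) in net:
            verdicts.append((server, "router/LAN"))
        elif server in allowlist:
            verdicts.append((server, "allowlisted"))
        else:
            verdicts.append((server, "UNEXPECTED"))
    return verdicts

def dns_mismatches(router_answers: Dict[str, str],
                   trusted_answers: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Names where the router-supplied resolver disagrees with the trusted one."""
    return {name: (addr, trusted_answers[name])
            for name, addr in router_answers.items()
            if name in trusted_answers and trusted_answers[name] != addr}

def is_apipa(addr: str) -> bool:
    """True for 169.254.x.x, the address Windows assigns itself when DHCP fails."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network("169.254.0.0/16")
```

On a real machine, feed `parse_resolvers` the contents of /etc/resolv.conf (or the DNS servers shown by `ipconfig /all` on Windows) and fill the two answer dictionaries from lookups against the router and against a resolver you trust.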

How to remove Trojan.Rbrute virus from a router?

  1. First, reset your router to factory settings. To do this, press the "Reset" button on the back panel of the router and hold it for 10 seconds, until all the router's indicators blink and it reboots.
  2. Go to the router's admin panel and change the standard password for access to the admin panel to your own, preferably a more complex one.
  3. Configure the router again and check that the Internet is working properly.
  4. From the router manufacturer's official website, download the latest firmware for your model and flash it. Most likely, the latest firmware version closes the holes through which the attackers gained access to the router settings.
  5. After this, check the computer for malware to rule out the possibility that Win32.Sector or Trojan.Rbrute remained on the computer's hard drive. You can do this using the free tools from the article.

I hope my article helped you =)

2024 gtavrl.ru.