Posted: Fri Jun 03, 2022 6:27 Post subject: [FALSE POSITIVE] DNSChanger malware on my router?
Router: Netgear R7000P
Firmware: r48996
I noticed an extra password I never saved for my router in my password manager (d6nw5v1x2pc7st9m). I googled the password and it took me to this blog which says they had the same password appear in a password manager for their router one day. They say the following:
• Rightardia reported earlier that both the Linksys and Netgear routers can be infected with malware that is called DNSChanger and is supposedly a variant of Zlob malware
• it affects DD-WRT routers
• it is possible that hackers have developed a technique to piggyback off of existing passwords with a secondary password.
• This malware MO suggests the router malware is used to create a botnet.
Every time I reset my router the browser asks if I want to save the password; if I agree, it saves the bogus password from above. I have followed their instructions for clearing the malware without any luck. I deleted the saved password as they recommend and changed my router's IP address. They say to disable web GUI management and set the router to HTTPS only, but I can't access my router then. What I also tried that they don't mention is resetting the router and putting in my settings again. That seemed to stop my computer from asking to save the password on reset, but my phone still asks to save the bogus password. I've run malware removal across all devices and haven't found anything.
Any help in removing the malware would be greatly appreciated.
Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Fri Jun 03, 2022 7:09 Post subject:
When I access my router GUI:
- do not use any browser extensions
- use Pale Moon (a non-Chrome-based browser) to access the router only
- do not save passwords in the browser, save them to a txt file
- use the browser in private mode
- use a long and complex password (20 symbols)
- I do have firewall restrictions to permit only known users to access the GUI (via iptables rules)
- use only https to access the GUI; you have to accept the self-signed certificate and click on proceed (it's safe)
Reset the router, unplug the WAN cable, set the password and all those from above... then plug back the WAN cable and reboot and proceed with the rest of the settings...
In all my DD-WRT use I've never had any trojans, viruses or DNSChangers... but yes, they do exist in the wild..
In general the DD-WRT OS system is read-only and cannot be infected... so the infection comes from somewhere else.... very likely the browser, as DNS at browser level overrides the router DNS, so very likely you have an infected browser...
To repeat... in general DD-WRT is a read-only system and the only writable place is its temp directory that is built when the router boots... and is used for its operation, so whatever comes, it comes from anywhere else and it goes there, and on reboot it's reset... but it's not easy to get there if you have a decent password...
Last thing, it's not bad to update to the latest build 49049 (but a new one is coming today, as 49059 was pulled) and reset and rebuild your settings manually... the way I suggested above..
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Fri Jun 03, 2022 9:38 Post subject:
So marking this as solved.... Nice false positive.
For future reference, know that only the very latest DD-WRT builds include known exploit patches; for instance, the build you are running has a security flaw in one of its components, OpenSSL to be exact.
Current DD-WRT builds patch kernels, libraries and other components for known security issues, but that doesn't mean there are no unknown exploits unpatched. And since DD-WRT uses many 3rd party libraries and components that are maintained by separate developers, it's unrealistic to maintain every aspect of a large project, but considerable efforts are made by Brainslayer to update all relevant areas asap.
While I appreciate some random blog post may in part be blaming DD-WRT, I think it's an unreasonable claim and dismisses user culpability and has unreasonable expectations of any userland anything.
And to end this as I mean to go on, there is NO firmware or software or hardware or operating system that is exploit free. Everything done by people can be equally undone (not necessarily easily undone, but undone it can be).
SO good luck with believing unicorns exist.
But it was fun to read this FALSE positive report. Goes to show, you weren't paying attention to what the router was telling you.
By the way, stock firmwares for the most part (some do, most don't) don't warn you that you must set up a secure password and change defaults. So change both the default WEB UI user and password to uncommon ones, never Admin or variant user names, and long ass passwords; mine is 41 random characters long and changed regularly.
So you know, stock firmwares for many main brands have had one serious unpatched exploit recently that allowed permanent and persistent malware to be installed into the router, and no reset would get rid of it (the only solution if affected is to buy a new router). DD-WRT was unaffected.
This is the default value that is displayed in the fields with asterisks.
So do not worry, has nothing to do with malware.
Chrome also spits out a message every time I restart the router: "insecure password".
But congratulations, your first post in the forum and then immediately bullshite.
This is indeed a placeholder. If this value is set, no password will be saved, and it shows a nice amount of asterisk stars in the input field instead of an empty one. The reason for doing this is that it masks the real password, so the real password will never be shown in the HTML code. This is also impossible for another reason: the passwords are only stored as a seeded hash. Same for the username. There is no cleartext password saved within the router.
In addition, if you never set a password, you cannot log in to the router with telnet or ssh. It boots up, and once you connect to the GUI you are forced to set your own password. You cannot even configure the router without setting your own password. If you set a weak one, okay, your choice. I do not prevent this.
_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
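As an added illustration (not DD-WRT's own code), a small Python model of the mechanism the last reply describes: the GUI emits the fixed placeholder d6nw5v1x2pc7st9m in the password field instead of the real password, the settings handler treats that sentinel as "no change", and only a salted hash is kept, so the string a browser "saves" from the form can never log in. The hash construction (PBKDF2-HMAC-SHA256) and the field name `http_passwd` are assumptions of this example, not DD-WRT's actual implementation.

```python
import hashlib
import hmac
import os
from typing import Optional

# Sentinel shown in the GUI password field instead of the real password (value from the thread).
# A browser offering to "save" the login form stores this string, which is why it shows up
# in a password manager; it is not a credential.
PLACEHOLDER = "d6nw5v1x2pc7st9m"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex'. PBKDF2-HMAC-SHA256 is an assumption for this example;
    the thread only says the router keeps a 'seeded hash', never cleartext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a login attempt against the stored salted hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def render_password_field() -> str:
    """The settings page never embeds the password or its hash: it renders the sentinel,
    which the browser displays as a row of asterisks. (Field name is an assumption.)"""
    return f'<input type="password" name="http_passwd" value="{PLACEHOLDER}">'


def apply_password_field(submitted: str, stored_hash: str) -> str:
    """Settings-save handler: an untouched field still holds the sentinel, meaning
    'no new password', so the existing hash is kept; anything else is hashed and stored."""
    if submitted == PLACEHOLDER:
        return stored_hash
    return hash_password(submitted)


def demo() -> dict:
    """Replays the thread's scenario with a constructed password."""
    real = "correct horse battery staple"  # constructed example, not a real credential
    stored = hash_password(real)
    return {
        # Saving settings with the field untouched leaves the credential unchanged.
        "hash_unchanged": apply_password_field(PLACEHOLDER, stored) == stored,
        # The value the browser saved from the form does not authenticate.
        "sentinel_logs_in": verify_password(PLACEHOLDER, stored),
        "real_logs_in": verify_password(real, stored),
        "html_leaks_password": real in render_password_field(),
    }
```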