Can malware in a VM infect a router?
6 replies to this topic

#1 ransomwolf

  • Members
  • 56 posts
  • Gender:Male
  • Location:Europe

Posted 20 May 2015 - 03:59 PM

I like infecting my VM with all sorts of malware samples I can get, and then have fun cleaning it.

 

I didn't even know routers could get infected until a week ago or so, when I read that some people here apparently had theirs infected. I mean, I guess I knew it was possible, but is it common? I googled it and apparently what most of these infections do is change the DNS. That doesn't seem like a huge problem.

 

And can it happen if you run the malware in a VMWARE virtual machine, rather than the host?

 

Just curious here. Unlike my VMs, my host machine has no sign of infection :)

 

 




#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,594 posts
  • Gender:Male

Posted 20 May 2015 - 04:26 PM

Hi ransomwolf :)

DNS Hijacking can be quite persistent on a router. I've faced a couple of cases where it happened, and the only solution was to totally reset the router and reconfigure it. It happens often as well with old router/modem models, since there are exploits for them everywhere on the Internet (if I Google my old modem/router name and "exploit", I get tons of 0-days that work against it; I tested them myself, and a friend living in the US did too and managed to get into my router as well). Also, it's possible for malware inside a VM to infect a modem/router, I would say. As long as it can access the Default Gateway, it can infect it. One way to counter that is to give your host computer a static IP address, and define that IP address in the modem/router's config page as the only IP address that can manage it. There's this setting on pretty much every modem/router, even old ones.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
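The management-ACL mitigation Aura describes, worked through as an added example (this is not code from any poster in the thread): a small Python model of a router that accepts admin traffic only from one source address, and of the address a router actually sees for packets from a VMware guest depending on the guest's network mode. The 192.168.1.0/24 LAN, the host and guest addresses and the VMware NAT range are assumptions for the illustration. The caveat it makes visible is that the ACL blocks a bridged guest, which has its own LAN address, but a NAT-mode guest is masqueraded behind the host's address, so the router cannot tell its traffic from the host's.

```python
import ipaddress

# Constructed scenario (not from the thread): a /24 home LAN whose router admin
# page is restricted to one management host, as Aura suggests.
ROUTER_MGMT_ACL = ["192.168.1.10/32"]   # only the host's static IP may manage
OPEN_MGMT_ACL = ["192.168.1.0/24"]      # the usual default: any LAN host may manage
HOST_IP = "192.168.1.10"
VM_BRIDGED_IP = "192.168.1.57"          # guest with its own address on the LAN
VM_NAT_IP = "192.168.136.128"           # hypothetical VMware NAT-side address


def can_manage(source_ip, acl):
    """True if source_ip falls inside any ACL entry (single host or CIDR)."""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(entry, strict=False) for entry in acl)


def effective_source_ip(vm_ip, host_ip, vm_net_mode):
    """Address the router sees for packets sent by the guest.

    bridged   - the guest is a first-class LAN host with its own address
    nat       - the hypervisor masquerades the guest behind the host's address
    host-only - no path to the LAN at all
    """
    if vm_net_mode == "bridged":
        return vm_ip
    if vm_net_mode == "nat":
        return host_ip
    if vm_net_mode == "host-only":
        return None
    raise ValueError(f"unknown VM network mode: {vm_net_mode!r}")


def vm_can_reach_admin(vm_ip, host_ip, vm_net_mode, acl):
    """Can malware in the guest get at the router's management interface?"""
    src = effective_source_ip(vm_ip, host_ip, vm_net_mode)
    return src is not None and can_manage(src, acl)


def scenario_table():
    """Evaluate each VM network mode against the open and the restricted ACL."""
    rows = {}
    for mode in ("bridged", "nat", "host-only"):
        guest_ip = VM_NAT_IP if mode == "nat" else VM_BRIDGED_IP
        rows[mode] = {
            "open_acl": vm_can_reach_admin(guest_ip, HOST_IP, mode, OPEN_MGMT_ACL),
            "restricted_acl": vm_can_reach_admin(guest_ip, HOST_IP, mode, ROUTER_MGMT_ACL),
        }
    return rows


if __name__ == "__main__":
    for mode, result in scenario_table().items():
        print(f"{mode:10s} open ACL: {result['open_acl']!s:5s} "
              f"restricted ACL: {result['restricted_acl']}")
```

The ACL only ever sees a source address, so it is worth checking which one your hypervisor presents: in bridged mode the guest is blocked by the single-host rule, in NAT mode it rides on the host's address and the rule does not help, and in host-only mode the guest has no route to the gateway in the first place.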


#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,266 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 May 2015 - 04:28 PM

If you infect a Virtual Machine (VM) for the purposes of testing, be aware that not all malware will work in that environment, by intention. Malware writers have been able to create malicious files which can detect if they are running in a VM. When they detect one, the malware is able to change its behavior by not running any malicious code which could infect the operating system. This is a deliberate technique to make analysis/detection more difficult for security researchers who use VMs to study infections in order to understand the attack methodology used and develop disinfection solutions. So just because you test a program in a VM and it does not behave maliciously...that does not necessarily mean it is not malicious.

 

Routers can be compromised if they have a weak or default password which attackers can easily guess or break using a dictionary attack or brute force attack. Malware which can modify routers is rare and may require the router to be a specific make, model and firmware revision. The most common was the DNSChanger Trojan, which compromised the router's weak default password using brute-force attacks. The Trojan then changed the router's DNS table to malicious DNS servers...redirecting Domain Name resolutions to unsolicited, illegal and malicious sites the attacker wanted victims to access.

 

...Some DNS changer Trojans can alter routers' DNS settings via brute-force attacks. As a result, all systems connected to the "infected" router also become infected. Some DNS changer Trojans can also be used to set up rogue Dynamic Host Configuration Protocol (DHCP) servers on certain networks, which can have the same effect.

How DNS Changer Trojans Direct Users to Threats
Millions Of Home Routers Vulnerable To Web Hack
Malware Silently Alters Wireless Router Settings

Some routers have known vulnerabilities which can be exploited to open them up to attacks without needing to know the proper password. There have been various reports of vulnerabilities and attacks against hardware devices such as routers and data storage. For example, Ars Technica reported that ASUS routers and any storage devices attached to them may be exposed to anyone online without the need of login credentials if users have taken advantage of remote access features built into the routers. Linksys routers have been reported to be vulnerable to a simple exploit that could give an attacker remote access to the router.

Related Resources


 


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
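The DNS-changer and rogue-DHCP behaviour quietman7 describes, as an added detection example that is not from the post or from any of the linked articles: a small Python audit over DHCP OFFER records, in the shape a LAN sniffer or syslog might record them, that flags the real router handing out unexpected resolvers (the router's settings were changed), a second DHCP server answering on the segment (rogue DHCP), and a changed default gateway. The log format, the addresses and the trusted-resolver list are constructed for the example.

```python
# Constructed DHCP OFFER records as a LAN sniffer might log them (one per line):
#   server_ip  offered_client_ip  option3_router  option6_dns(comma-separated)
# Three offers come from the real router; the third shows it has been changed
# to hand out attacker resolvers (the DNSChanger pattern). The fourth comes
# from a second, rogue DHCP server on the same segment.
CONSTRUCTED_OFFERS = """\
192.168.1.1   192.168.1.23  192.168.1.1   192.168.1.1
192.168.1.1   192.168.1.24  192.168.1.1   192.168.1.1
192.168.1.1   192.168.1.25  192.168.1.1   198.51.100.17,198.51.100.18
192.168.1.99  192.168.1.26  192.168.1.99  203.0.113.5
"""

EXPECTED_GATEWAY = "192.168.1.1"
# Resolvers you knowingly use: the router itself (it forwards to the ISP) plus
# any public resolvers you configured on purpose. Anything else is suspect.
TRUSTED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}


def parse_offers(text):
    """Turn the whitespace-separated log lines into dicts; skip blank lines."""
    offers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        server, client, gateway, dns = line.split()
        offers.append({"server": server, "client": client,
                       "gateway": gateway, "dns": dns.split(",")})
    return offers


def audit_offers(offers, expected_gateway=EXPECTED_GATEWAY, trusted_dns=TRUSTED_DNS):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    servers = {o["server"] for o in offers}
    if len(servers) > 1:
        # More than one DHCP server answering on the segment: rogue DHCP.
        findings.append(("rogue_dhcp", sorted(servers - {expected_gateway})))
    for o in offers:
        untrusted = [d for d in o["dns"] if d not in trusted_dns]
        if untrusted:
            # Untrusted resolvers from the real router mean its configuration
            # was changed; from another server they are part of the rogue offer.
            kind = ("router_dns_changed" if o["server"] == expected_gateway
                    else "rogue_server_dns")
            findings.append((kind, o["server"], untrusted))
        if o["gateway"] != expected_gateway:
            findings.append(("gateway_changed", o["server"], o["gateway"]))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a block of log text."""
    return audit_offers(parse_offers(text))


if __name__ == "__main__":
    for finding in audit_text(CONSTRUCTED_OFFERS):
        print(*finding)
```

The point of checking the offers rather than a client's resolv.conf is that both attack paths quietman7 quotes end up in the same place: a changed router and a rogue DHCP server both show up as DHCP offers carrying resolvers you never configured, so one audit covers both.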

#4 Didier Stevens

  • BC Advisor
  • 2,672 posts
  • Gender:Male

Posted 20 May 2015 - 04:45 PM

ransomwolf wrote: And can it happen if you run the malware in a VMWARE virtual machine, rather than the host?

Yes, for malware that tries to compromise other devices (routers, but also PCs) it makes no difference if it executes in a VM or on a physical machine.

Except of course like quietman7 said, for malware that changes its behavior when executed inside a VM.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
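The VM-awareness that quietman7 and Didier Stevens mention, as an added example that is not from either post: the three cheapest checks such malware tends to make (NIC OUI, the CPUID hypervisor flag, DMI vendor string), implemented in Python against constructed inputs so you can see how little it takes and where the checks misfire. The OUIs and DMI vendor substrings are real registered values; the sample MACs, cpuinfo text and vendor strings are constructed for the example.

```python
# Registered OUIs (first three octets of a MAC) of common hypervisor vendors.
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}

# Substrings of the DMI system vendor string that hypervisors expose.
# Caveat: "Microsoft Corporation" is also what physical Surface hardware reports.
HYPERVISOR_DMI_VENDORS = {
    "vmware": "VMware",
    "innotek gmbh": "VirtualBox",
    "qemu": "QEMU/KVM",
    "microsoft corporation": "Hyper-V (or Surface hardware)",
    "xen": "Xen",
}

# Constructed inputs standing in for what a Linux guest would read from
# /sys/class/net/<if>/address, /proc/cpuinfo and /sys/class/dmi/id/sys_vendor.
VMWARE_MAC = "00:0c:29:3a:4b:5c"
VMWARE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc hypervisor lahf_lm
"""
PHYSICAL_MAC = "3C-97-0E-12-34-56"
PHYSICAL_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx rdtscp lm vmx
"""


def mac_oui_vendor(mac):
    """Hypervisor vendor for the MAC's OUI, or None for a non-hypervisor OUI."""
    normalized = mac.strip().lower().replace("-", ":")
    return HYPERVISOR_OUIS.get(normalized[:8])


def cpuinfo_has_hypervisor_flag(cpuinfo_text):
    """The 'hypervisor' flag mirrors CPUID leaf 1 ECX bit 31, which a VMM sets."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "hypervisor" in line.split(":", 1)[1].split()
    return False


def dmi_vendor_hint(sys_vendor):
    """Hypervisor name if the DMI vendor string matches a known substring."""
    lowered = sys_vendor.strip().lower()
    for needle, name in HYPERVISOR_DMI_VENDORS.items():
        if needle in lowered:
            return name
    return None


def vm_indicators(mac, cpuinfo_text, sys_vendor):
    """List of indicator strings; an empty list means none of the cheap checks fired."""
    hints = []
    vendor = mac_oui_vendor(mac)
    if vendor:
        hints.append(f"mac_oui:{vendor}")
    if cpuinfo_has_hypervisor_flag(cpuinfo_text):
        hints.append("cpuid:hypervisor")
    vendor = dmi_vendor_hint(sys_vendor)
    if vendor:
        hints.append(f"dmi:{vendor}")
    return hints


if __name__ == "__main__":
    print("guest   :", vm_indicators(VMWARE_MAC, VMWARE_CPUINFO, "VMware, Inc."))
    print("physical:", vm_indicators(PHYSICAL_MAC, PHYSICAL_CPUINFO, "Dell Inc."))
```

Two things follow for the thread's question. These checks decide only whether the sample behaves; they say nothing about reach, so a bridged guest that passes them still has the default gateway one hop away. And because each check reads a single string, an analyst can defeat them one by one (a non-hypervisor OUI, a patched vendor string, a hypervisor configured to hide the CPUID bit), which is one reason a sample that fails to detect the VM proves nothing either way.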


#5 ransomwolf
  • Topic Starter

  • Members
  • 56 posts
  • Gender:Male
  • Location:Europe

Posted 21 May 2015 - 03:10 PM

Aura wrote: [...] One way to counter that is to give your host computer a static IP address, and define that IP address in the modem/router's config page as the only IP address that can manage it. [...]

 

I didn't understand what you meant by "define the IP as the only IP address that can manage it". Can you explain? :/

 

quietman7 wrote: [post #3 above, quoted in full]

Elaborate reply, nice! The Symantec article PDF was interesting to read. ~20% of samples detecting VMs is... I don't know. It makes a lot of sense that malware wants to avoid VMs, but 20% is a weird percentage. Seems a bit low. I mean, while I get that many more people are using VMs for reasons other than malware analysis than ever before, it's still nothing compared to how many people use non-virtual machines. But eh, maybe the "is it running on a VM?" checks are rather easy for reversers to bypass.

-----

 

Thanks @Aura, @quietman7 and @Didier Stevens for replying! :D



#6 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,594 posts
  • Gender:Male

Posted 21 May 2015 - 04:55 PM

No problem ransomwolf, our pleasure :)



#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,266 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 May 2015 - 05:13 PM

You're welcome on behalf of the Bleeping Computer community.



