
DNS Hijacks: Routers

Our Support department has noticed a significant increase in the number of people who have had their DNS settings hijacked, not only on their computers but on their routers as well. For some background information on DNS hijacks, please read “DNS Hijacks: What to Look For”.

How does it work?

In a typical home setup, we have:

  • A modem provided by your Internet Service Provider (ISP) which is your connection to the outside world.
  • A router that distributes the internet connection across all the devices (often wireless).
  • The devices like your laptop, phones, tablets and IoT (Internet of Things) devices such as TVs, temperature sensors and security cameras.

Note 1: Sometimes the modem provided by your ISP also functions as a router.


When one of the devices (in this case, a Windows machine like a laptop) gets infected, the malware connects to the router and tries a few default login credentials to log in to the router. If it succeeds, it then tries to change the DNS server settings on the router. At the moment of writing, this particular hijacker attempts to change them to the IP address of the attacker’s own server.

How can I prevent it?

To prevent the malware from logging in on your router you should at least alter its default password. Here you can find a list that was compiled with the default credentials for most routers. One word of warning: make sure you are changing the login password of the router and not the wireless network name (SSID) or you will have to re-connect all your devices to the newly named connection. Changing the password does not affect any of the other devices. You only need it when you want to make changes to your router’s settings.


The first step is to find out how to log in to your router. The method outlined here should work in most cases. If it does not, you may want to have a look at the Help/Support pages of your router manufacturer or your ISP, if they have provided the router.

Use the (Windows key + R) key combination to open the “Run” dialog, type cmd in the “Run” box and click “OK”. If necessary click on cmd(.exe) in the resulting list. This will open the Command Prompt. In the Command Prompt type ipconfig and use the “Enter” key to execute the command.

In the results, find the IP address listed behind “Default Gateway” for the connection you’re interested in.


In this example the IP you are looking for is 192.168.0.1

Next, type the IP in your browser address bar, if necessary preceded by http://

Following our example, surf to http://192.168.0.1

As a result you should be presented with a login screen. If the default login is not shown there and you don’t know it, use this list to find yours. Or if that doesn’t work, and your router is provided by your ISP, contact them instead. Sometimes they ship the routers with predefined settings. If so, they usually have some information about those settings on their Support/Help pages.


Note 2: Most routers have a web browser-accessible administrator page that you can log in to in order to access the router’s configuration settings, but sometimes this can’t be done wirelessly, in which case you will need to make a cabled connection.
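The same ipconfig output used above to find the gateway (with the /all switch, which also lists the DNS servers per adapter) can be checked automatically for the symptom this post describes: a DNS server that is neither the router nor a resolver you chose yourself. The script below is an added example, not part of the original post; the ipconfig text, the 203.0.113.7 address and the OpenDNS allowlist are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not from the post); the Wi-Fi adapter has been given a resolver nobody configured.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1

Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 192.168.0.42
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       208.67.222.222
"""

# Public resolvers the owner chose on purpose (OpenDNS, mentioned in the post); assumed allowlist.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")  # "Ethernet adapter Ethernet:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]+: ?(.*)$")     # "   DNS Servers . . . : 192.168.0.1"
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")           # second/third DNS server on its own line

def parse_ipconfig(text):
    """Return {adapter name: {'Default Gateway': [...], 'DNS Servers': [...]}}."""
    adapters, name, field = {}, None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            name, field = m.group(1), None
            adapters[name] = {"Default Gateway": [], "DNS Servers": []}
        elif name is None:          # header lines before the first adapter
            continue
        elif (m := CONT_RE.match(line)) and field in adapters[name]:
            adapters[name][field].append(m.group(1))
        elif m := FIELD_RE.match(line):
            field = m.group(1).strip()
            if field in adapters[name] and m.group(2).strip():
                adapters[name][field].append(m.group(2).strip())
    return adapters

def check_adapter(info):
    # Flag DNS servers that are neither the router (gateway) nor a resolver the owner chose.
    findings = []
    for dns in info["DNS Servers"]:
        if dns in info["Default Gateway"] or dns in TRUSTED_RESOLVERS:
            continue
        if any(ipaddress.ip_address(dns) in net for net in RFC1918):
            findings.append(f"{dns}: LAN address that is not the gateway, verify it is yours")
        else:
            findings.append(f"{dns}: unknown public resolver, possible hijack")
    return findings
```

On a real machine, feed it the output of `ipconfig /all` instead of the sample; an empty findings list for every adapter means the device itself is using the router (or a resolver you chose), while a hit on the router’s own address as DNS still says nothing about what the router forwards to, which is what the login steps above are for.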


How do I clear this mess?

If you are confronted with this problem, you have probably been looking forward to this part. But to access your router’s settings menu you will have to be able to log in, so the previous section is relevant even if you don’t want to change your password.

Once you are logged in look for the DNS settings or look at the appropriate guide for your router using one of the links posted in the section below. If you can’t find or don’t like the DNS servers provided by your ISP, you can find alternatives here.

One of the options listed there is OpenDNS, who happen to offer instructions for many routers. Again, if your router is not listed there or in the list below, setuprouter.com is a good source of information. If you can’t figure out how to change the DNS settings on your router or you need internet access during the change, it is good to know that the DNS settings of the end devices overrule the settings in the router. You can find excellent instructions on how to do that for many devices on How-To Geek.

And then there is the cache. If all your efforts so far seem to have gone unrewarded, don’t give up yet. You will probably have to clear your cache(s). The first one, which always needs clearing, is the Windows/IE DNS cache.

To accomplish this, use the combination of (Windows key + R) > type cmd in the Run box > right-click on cmd.exe and choose “Run as Administrator”. In the resulting command prompt, type ipconfig /flushdns and press Enter. Note the space between ipconfig and /flushdns.

Other browsers usually only use a very short-term cache, but I have listed some options to use in case a simple close and restart of the browser is not enough.

  • Chrome: open a tab and put chrome://net-internals/#dns in the address bar. Then click the “Clear host cache” button that you see there.
  • Opera: open a tab and put browser://net-internals/#dns in the address bar. Then click the “Clear host cache” button that you see there.
  • Firefox: has no built-in method as far as I know, but there is an add-on called DNS-Flusher that supposedly does the trick.

Also, some routers (NetGear and D-Link models among others) have the option to cache DNS themselves. I have been unable to find one where resetting the router and leaving it off for at least 30 seconds did not clear the cache, but feel free to correct me.

And if all else fails, you can always try the full power cycle:

  1. Turn off your computer.
  2. Turn off your modem and router (if you have one), then wait for about 15 seconds.
  3. Plug in your modem, then wait for 1-2 minutes.
  4. Plug in your router (if you have one), then wait for 1-2 minutes.
  5. Turn on your computer.

List of links with user-guides for the most popular routers:

More can be found here: http://setuprouter.com


Note 3: Despite the text written on the site above the list saying it’s about routers, you will find many ISPs listed there as well.


Recommendations

After you have altered your password and your DNS servers, there are some more security measures you should check if you have them in place:

  • Wireless security. Don’t let anyone access your network. WPA2 is recommended, but anything is better than nothing, even WEP.
  • Disable WPS. If you ever need it only use it to connect the device at that time and then disable it again.
  • Keep the firmware of your router updated. Most routers have a setting to update automatically.

Resources:

Pieter Arntz
