Tough little [not a] malware infection

Here at the shop we’ve been working with a customer recently who has been plagued with redirects.  Several of his computers had malware of various types, which we removed.  The problem was that he still had redirects when he got his computers back.  We’d sit and search for 15 or 20 minutes here at the shop (they were Google search redirects) and never see a single redirect, but he’d get them at his place.

At first we thought we were running into a type of malware that we hadn’t seen before and that none of our tools were detecting, but the longer we worked the surer we were that the computers were totally clean.  After fruitless hours of running scans which turned up nothing, we came to the realization that we were up against something a little stranger than a piece of malware, and the fact that we couldn’t duplicate the redirects here at the shop kept cropping up in our discussions.  One of the other guys here at the shop had the idea that the bug might only rear its ugly head on certain ISPs’ networks, but we called the customer back and found that they were using the same ISP as us.  He was on to something, though: the common denominator was his network.

Then I remembered.

Not too long ago I’d read online that a lot of the older Linksys routers were vulnerable to remote attacks in which settings could be maliciously altered without the user’s knowledge.  I immediately called the customer and, sure enough, they were using an older Linksys router.

This morning I went to the customer’s place of business and tested the theory.  There in his router was the whole problem: static DNS entries that most certainly did NOT point to his ISP’s DNS servers.  Either by remote attack or through a malware infection already installed on a PC in his network, someone had hijacked the router’s DNS entries and kept his PCs redirecting and getting infected.  That also explains why we never saw it at the shop: a PC picks up its DNS servers from whatever router hands out its DHCP lease, so on our network his machines were using our ISP’s resolvers and resolving everything correctly.
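The quickest way to catch this kind of hijack is to look at the resolvers a PC actually ends up using and compare them with the ones the ISP is supposed to hand out. The script below is an added example, not something from the original post: it parses the DNS lines out of `ipconfig /all` output (Windows) or `/etc/resolv.conf` (Linux/macOS), flags any resolver that is neither an expected ISP address nor a local one (the router itself, a loopback stub), and reports whether the setup looks hijacked. The expected-resolver list and both sample inputs are constructed placeholders using RFC 5737 documentation addresses; substitute the resolvers your ISP publishes. Because it reads the PC’s effective configuration, it covers both the router-handed case described here and the case where malware has set static DNS on the host’s own adapter.

```python
"""Audit the DNS resolvers a PC is using against the ISP's expected ones.
Added example, not code from the original post."""
import ipaddress
import re

# ASSUMPTION: the resolvers your ISP actually publishes go here.  These two
# are placeholders from the RFC 5737 documentation ranges, not real servers.
EXPECTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

# Addresses that legitimately appear as a resolver without being the ISP's:
# the router itself (RFC 1918), a loopback stub, link-local/ULA IPv6.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

_RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)")           # resolv.conf
_IPCONFIG_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)")   # ipconfig /all
_CONTINUATION_RE = re.compile(r"\s+\S+")   # extra ipconfig line holding only an address


def parse_resolvers(text):
    """Return resolver addresses found in resolv.conf or ipconfig /all output,
    in order and without duplicates.  Tokens that are not IP addresses are dropped."""
    tokens, in_dns_block = [], False
    for line in text.splitlines():
        m = _RESOLV_RE.match(line) or _IPCONFIG_RE.match(line)
        if m:
            tokens.append(m.group(1))
            # ipconfig lists additional servers on indented continuation lines
            in_dns_block = bool(_IPCONFIG_RE.match(line))
            continue
        if in_dns_block and _CONTINUATION_RE.fullmatch(line):
            tokens.append(line.strip())
            continue
        in_dns_block = False
    seen, out = set(), []
    for tok in tokens:
        tok = tok.split("%")[0]          # drop an IPv6 zone id such as fe80::1%12
        try:
            ip = str(ipaddress.ip_address(tok))
        except ValueError:
            continue
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


def classify(ip_str, expected=EXPECTED_RESOLVERS):
    """'expected' = an ISP resolver, 'local' = router or local stub,
    'suspicious' = a public address nobody on this network should send DNS to."""
    if ip_str in expected:
        return "expected"
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in _LOCAL_NETS):
        return "local"
    return "suspicious"


def audit(text, expected=EXPECTED_RESOLVERS):
    """List of (resolver, verdict) pairs for every resolver in the text."""
    return [(ip, classify(ip, expected)) for ip in parse_resolvers(text)]


def looks_hijacked(text, expected=EXPECTED_RESOLVERS):
    """True if at least one resolver is a public address outside the expected set."""
    return any(verdict == "suspicious" for _, verdict in audit(text, expected))


# Constructed sample: a Windows PC whose DHCP lease came from a router with
# tampered static DNS entries (203.0.113.x is a documentation range).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.net
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       203.0.113.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample: a healthy Linux host with a local stub plus the ISP's resolvers.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
search example.net
nameserver 127.0.0.53
nameserver 192.0.2.53
nameserver 198.51.100.53
"""

if __name__ == "__main__":
    for name, text in (("ipconfig /all", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV_CONF)):
        print(name)
        for ip, verdict in audit(text):
            print(f"  {ip:<40} {verdict}")
        print("  hijack suspected:", looks_hijacked(text))
```

On a live machine, pipe the real output in (`ipconfig /all` on the affected PC, or `cat /etc/resolv.conf`) instead of the constructed samples. A "local" verdict for the router’s own address only means the router is forwarding; the router’s admin page still has to be checked for the static entries it forwards to, which is exactly where this customer’s problem was.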

I didn’t know all the details of the vulnerability, so I replaced the router completely.  It was a WRT54G v2, so it was really old anyway.

So, now we no longer have to pull out our hair and our customer can get back to business as usual.  Crazy days.
