How To Check Your Router For Malware

The security of the routers that users buy is almost non-existent. Attackers take advantage of low-quality routers and attack vulnerable devices.

See how you can check if your router has been compromised.

Buying a home router is a lot like buying an Android smartphone. Manufacturers produce a large number of different devices and do not update their software, leaving them open to attack.

How your router can be compromised

Attackers often try to change the configuration of DNS servers on your router by adding malicious DNS servers.

So when you try to connect to a site - for example, your bank - the malicious DNS server takes you to a phishing site. The address may say nbg.gr, but you will be on a phishing site.

The malicious DNS server does not necessarily answer all the queries. It may not respond to most requests or redirect them to your ISP's default DNS server. Slow DNS requests are a sign that you may have been hacked.

You may notice that a phishing site does not have HTTPS encryption, but there are many who will not notice. SSL-stripping attacks can also remove encryption when transferring data.

They can "catch" requests for Google Analytics or other scripts from almost any website and redirect them to a server through another script that serves ads or whatever. If you see pornographic ads on a page that is not as familiar as iguru, it is almost certain that something is on your router, or on your computer itself.

Many attacks use request forgery attacks (CSRF). An attacker adds malicious JavaScript to a web page and JavaScript attempts to load the router admin page and change the settings. As JavaScript is running from a device within your local network, the code can access the UI of your router settings that is only available on your network.

Some routers may have the Remote Management UI enabled along with default usernames and passwords. There are bots that scan automatically for these routers.

How to check it

The only indication that a router has been compromised is if its DNS server has changed. Open your router's web UI to check the DNS server configuration.

This page exists under a local IP, and to find it you need to search the internet, or in the user manual. Enter the name of the manufacturer and model of the router you are using on the internet and search for the login URL.

Log in with your router username and password (usually on a sticker on the bottom of the router. Look for a “DNS” setting. You will usually find it on the WAN or Internet connection settings screen. Automatic ", ok - it gets the IP from your ISP. If it is set to" Manual "and there are custom DNS servers, it may be a problem if you do not have them installed.

No problem if you have set up your router to use alternate DNS servers - for example 8.8.8.8 and 8.8.4.4 for Google DNS, 208.67.222.222 and 208.67.220.220 for OpenDNS and 1.1.1.1 for Cloudflare.

However, if there are DNS servers that you do not recognize, it means that some malware has changed the router settings to use its own DNS servers. If in doubt, search the web for these IPS and see if they are safe or not. Something like "0.0.0.0" is good and often means that the field is empty and the router automatically receives a DNS server.

Help, there is a malicious DNS server!

If you find a malicious DNS server, you can disable it and tell your router to use the DNS server from your ISP or bypass the above legitimate DNS server addresses.

You may want to delete all your router settings and reset them to factory defaults. Then use the settings below to protect your router from impending attacks.

Your router settings

You can definitely set up your router against these attacks, but if the router has security vulnerabilities that have not been fixed by the manufacturer, there is nothing you can do about it.

• Install firmware updates (firmware): Make sure the latest firmware for your router is installed. Enable automatic software updates if your router has the setting. Unfortunately, most do not.
• Disable remote access: Disable remote access to admin pages.
• Change the password: Change the password so that attackers can not enter with the default.
• Disable UPnP: UPnP was and is particularly vulnerable. Even if UPnP is not vulnerable on your router, malware running somewhere on your local network can use UPnP to change the DNS server. This is how UPnP works - it trusts all requests coming from your local network.

DNSSEC is supposed to provide additional security, but it is not yet available. In the real world, every client trusts the configured DNS server. The malicious DNS server could claim that a DNS record does not have DNSSEC information and that the IP address being transmitted is real.