Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Tuesday, June 17, 2008

Malware Attacking Your Router

WinPatrol was one of the first to detect malware based on “behavior” of program and continues to follow that model. One behavior we’ve seen a lot of lately is very scary.

Instead of installing malware that continues to run like a key logger or trojan, malicious programs are increasingly attacking the network router which is common with any internet connected home and/or office. An unwanted program can quickly make a change to your router settings that will immediately open all your computers to the world. The bad guys won’t have to install a key logger, they’ll be able to record every byte that goes across your network. It’s happening now to thousands of routers which are still using their default name and password.

Do you know if the password has been changed since your router was purchased?
Do you know how to access your router to change the password?

I’ve run across a number of users who follow all the recommendations to configure their networks for WEP or WPA2 encryption but they never bother to change their default name/password. They’ll even take the time to rename their default SSID but still don’t change the name/password from the factory setting.


It probably won’t surprise you that the factory passwords don’t change much and are widely available. The WinPatrol research group dissected some recent malware threats and could see the routers they were attacking.

  • Linksys, uses the name and password, “admin”. Older units use a blank user name.
  • Belkin, uses blank password for default access
  • Netgear, user name is “admin” and the default password is “password”. Big improvement over their old default “1234”
  • ActionTec, Some unit don't even require an admin login. New devices use "admin" and "password". (updated)
You get the idea. The program recently submitted to our research team had a list of 28 different routers complete with address, name and password clear for anyone to read with the proper tools.

As a security professional I’m reading more and more about vulnerabilities being found in wireless and non-wireless routers. There’s only so much we all can do but the first thing should be to change the default password.


If you don’t know how to access your router, just use your favorite search engine and type in your router name and “change default password”.


Labels: , , , ,

Share on Facebook


8 Comments:

Anonymous Anonymous said...

Very topical for me Bill, having only during the last 2-3 weeks changed my "wired" connection to a "wireless" connection, so thanks for that while I work my way through this new experience. And building my knowledge in this area.

However, to add to your comments.

After also reading a Security Bulletin in my recent Magazine purchase, it too makes reference to wireless networks being the latest Security Threat and takes the modem password protection one step further, to say that "any" net-savvy user will be able to crack "WEP protection" level passwords within seconds with freely available software. It goes on to suggest upgrading to hardware that uses "WPA/WPA2 password protection" as early as possible to overcome this latest threat.....

2:51 AM  
Anonymous Anonymous said...

Good Advice to give but please keep all facts correct. You said Actiontec does not require a default password.Sorry..iT Does !

2:51 PM  
Anonymous Anonymous said...

ActionTec does require a password. Please get your facts correct!

3:02 PM  
Blogger Bill Pytlovany said...

Yes most ActionTec devices probably require name and/or password but it appears some ActionTec devices don't. I'm going on the data found in the malware we researched which apparently is able to access some ActionTac devices without verification.

I didn't list each device because it wasn't the point of my post but that information is available at http://www.routerpasswords.com/.

Glad you brought it up. I really wouldn't want to dis all ActionTec products.

3:13 PM  
Anonymous Anonymous said...

Interesting information.
How does one go about changing passwords to the router?

2:20 AM  
Anonymous Anonymous said...

If you have an Actiontec gateway you go to http://192.168.1.1/ and you get the login page. User name and password defaults are "admin" and "password".

If a tech has opened the Actiontec Control Panel he will probably change the password to "password1" -- hardly a brain burner for some evil "person" to figure out.

4:53 PM  
Anonymous Anonymous said...

Solution from Search-and-destroy.
I spent a lot of time searching for a good scanner at an affordable price. I tired many different ones before I found Search-and-destroy Antispyware but when I tired it I was very happy with the results. I would recommend the antispyware solution from Search-and-destroyto anyone searching for a great scan that works just as well as Norton and many of the others that you would pay more for. Visit http://www.Search-and-destroy.com/antispyware.html to find out more and to give this scan a try just like I did. I’m sure you will love it as much as I do.

7:10 AM  
Anonymous Anonymous said...

Bill, You are being spammed yourself by a supposed user of anantispyware product putting out free adverts for the product

11:53 AM  

Post a Comment

Create a Link

<< Home