Threat Level: green Handler on Duty: Russ McRee

SANS ISC: Malware targets home networks - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malware targets home networks

Malware researchers at Trend Micro have analyzed a malware that connects to the home routers and scan the home network then send the gathered information to C&C before deleting it self .

TROJ_VICEPASS.A pretends to be an Adobe Flash update, once its run it will attempt to connect to the home router admin council using a predefined list of user names and passwords. If it’s succeed, the malware will scan the network for connected devices.

The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11, this IP range is hard-coded

Once the scans is finish it will encode the result using Base64 and encrypt it using a self-made encryption method. The encrypted result will be sent to a C&C server via HTTP protocol.

After sending the results to the Command and Control server (C&C) , it will delete itself from the victim’s computer. It uses the following command to do so:

  • exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del “%s”

Such type of malware infection can be avoided using a very basic security techniques such as downloading updated and software from a trusted sources only and changing the default password of your equipment’s.  

Basil

60 Posts
ISC Handler
Update: Microsoft recommended that I disable certificate pinning as a work around to the problem that was causing IE 11 to stop working. So far, this seems to be a viable work around.
James

2 Posts
The news media claims "Off-brand modems and routers from your internet provider may be compromised" but never mentions the brands of these products. While I change everything from the default settings, my TP-Link routers have not been issued upgrades since their manufacturing date. I checked their website yesterday and there wasn't any updates available. The old BBS days were safer :)
Glenn

17 Posts
Stupid hardcoded range... My home network uses 10.0.0.0/24 so it would completely miss everything there.
Per

11 Posts

Sign Up for Free or Log In to start participating in the conversation!