Geekzone: technology news, blogs, forums

Topic # 150869 6-Aug-2014 11:47

Hi Team

I have a strange event occurring at random with my laptop, specifically when visiting YouTube, Facebook and Google.
The redirect shows "Flash Player Out Of Date" and then goes into a Flash Player Pro upgrade. I know this is fake, but my question is, where is this coming from? My laptop is showing as clean with MBAM, Ad-Aware and Trend Micro Corporate (paid version).

I notice that the DNS in my router is changed. I am running a TP-Link TD-W8901G router with updated firmware and I suspect that this is still vulnerable to attack.
Assuming the attack is driven from my PC, what is likely to cause it and still evade detection?
If it is coming from the outside due to the router being vulnerable, other than replacing the router, what sort of options do I have?

I have been searching the interwebs on this and have not been able to identify a specific root cause, just a lot of Hail Mary fixes.

  Reply # 1103168 6-Aug-2014 11:53

You say the DNS in your router is changed... what is it changed to?

Bee
  Reply # 1103181 6-Aug-2014 11:58

Almost certainly malware.

Uncle Google says "a possible rootkit that MBAM won't show."

  Reply # 1103201 6-Aug-2014 12:17

Inphinity: You say the DNS in your router is changed... what is it changed to?

It was set to auto on setup; it is then changed to a manual entry that is not associated with anything I use or know about.

xpd
  Reply # 1103204 6-Aug-2014 12:23

Care to post the DNS entry? Someone might recognise it.

BDFL - Memuneh
  Reply # 1103444 6-Aug-2014 16:17

If it is a rootkit then your way out is a full reinstall from clean discs.

  Reply # 1103472 6-Aug-2014 16:44

Sounds like your modem was hit by an attack. I have seen a few customers with TP-Link modems getting hit with this over the past week.
Check here: http://forum.tp-link.com/showthread.php?75547-DNS-Redirect-Issue and http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/

Download the latest firmware file from TP-Link.
Factory reset your modem with it to ensure they haven't modified the firmware, which would change the DNS back even after a reset.
Lock down your modem: change the default logins, lock down access to the web panel to LAN users only, and don't leave ports open that aren't needed.

  Reply # 1103740 7-Aug-2014 00:36

Saw this on someone's work machine. Turns out it happened when they were visiting somewhere, and it even continued to display the fake page on other networks as the machine had cached the DNS entry. Be sure to run ipconfig /flushdns.

Also, all iterations of ESET will block that page from even opening (which is what alerted me to it in the first place).

  Reply # 1103803 7-Aug-2014 08:57

Also try checking your proxy settings in your browser. I've seen a few that set up proxies lately.

  Reply # 1105287 9-Aug-2014 10:26

I have the latest firmware that TP-Link offer, but as the router is EOL I suspect it's not the patched version.
Proxies are fine and I am running changed passwords, but that's no good if the bug's already in ....

I have read up on the TP-Link issue and it's exactly what's happening. Might have to reinstall and swap out the router.
It astounds me that it's out there and no one can scan for it though, if it's root driven to start with?

  Reply # 1105979 10-Aug-2014 17:52

Bee: Almost certainly malware.

Uncle Google says "a possible rootkit that MBAM won't show."

Yep, you've got a bug.

  Reply # 1105989 10-Aug-2014 18:19

Hi, I had a customer with this issue recently. Updating the firmware to the latest did not fix the issue; in the end I put a Mikrotik in, problem solved. The issue was on Voda HFC; they kept closing the connection as a result.

Sad really as TP-Link was always a favourite of mine that always seemed to provide good value, clearly this is a big issue and not addressed.

Cyril

  Reply # 1131311 18-Sep-2014 11:45

It sounds like a TDSS rootkit; the TDSS rootkit hides inside the Master Boot Record, making it hard to detect by most antimalware/antivirus programs.
Malwarebytes has a reputation for being quite bad at finding rootkits; I'm not 100% sure about Trend Micro though.

The tools I'd recommend which should do the job, considering I doubt you have a rootkit released in the last 12 hours or not discovered yet: Hitman Pro should do the trick. It uses the Kaspersky, Bitdefender and I think Emsisoft engines. It isn't free, but you can get a 30-day free trial.

If you want freeware, Kaspersky TDSSKiller and/or Kaspersky Rescue Disk are probably your best bet.

  Reply # 1131411 18-Sep-2014 13:42

hsvhel: Hi Team

I notice that the DNS in my router is changed. I am running a TP-Link TD-W8901G router with updated firmware and I suspect that this is still vulnerable to attack.

- change the DNS in the router to 8.8.8.8
- check the DNS on the PC (ipconfig /all)
- reset/default IE, in Control Panel, Internet
- run TDSSKiller (as above)
- check the IE, Firefox etc. shortcuts, they can be changed by malware. There should be nothing after "C:\Program Files\Internet Explorer\iexplore.exe"
- change the admin password on your modem, or actually put one in :-)
- disable remote (WAN) admin access on the modem

**** No AV can detect every infection *****
There are malware/viruses/rootkits that can't be detected by ANYTHING. I've seen it.
The AV software companies will always be a few steps behind; they need to wait till particular malware is known about so they can write sigs to detect it.
If it's a DNS hack on the router, then the AV scanners won't pick it up as it isn't really malware on the PC (not yet).
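A PowerShell script for the two PC-side checks in the list above (the DNS servers each adapter is actually using, and browser shortcuts whose target has arguments appended), as an added example that is not from this thread; the list of expected DNS servers is an assumption you edit for your own network.

```powershell
# Added example, not from the thread. Assumed: the DNS servers you expect to see on
# the PC (edit for your network, e.g. your router's LAN address and your ISP's resolvers).
$ExpectedDns = @('192.168.1.1', '8.8.8.8')

# 1. DNS servers per adapter, the same data "ipconfig /all" shows, flagging any that
#    are not in the expected list (a hijacked router hands out its own resolver by DHCP).
function Get-UnexpectedDnsServers {
    param([string[]]$Expected = $ExpectedDns)
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $cfg = $_
            foreach ($srv in @($cfg.DNSServerSearchOrder)) {
                if ($srv -and ($Expected -notcontains $srv)) {
                    New-Object PSObject -Property @{ Adapter = $cfg.Description; DnsServer = $srv }
                }
            }
        }
}

# 2. Browser shortcuts on the Desktop and Start Menu. A clean shortcut has an empty
#    Arguments field; a tampered one carries a URL or script after the .exe path.
function Get-TamperedBrowserShortcuts {
    $wsh = New-Object -ComObject WScript.Shell
    $roots = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('StartMenu'),
        [Environment]::GetFolderPath('CommonStartMenu')
    )
    Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $wsh.CreateShortcut($_.FullName)
            if (($lnk.TargetPath -match 'iexplore\.exe|firefox\.exe|chrome\.exe') -and $lnk.Arguments.Trim()) {
                New-Object PSObject -Property @{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
}

Write-Host '== DNS servers not in the expected list =='
Get-UnexpectedDnsServers | Format-Table Adapter, DnsServer -AutoSize
Write-Host '== Browser shortcuts with extra arguments =='
Get-TamperedBrowserShortcuts | Format-Table Shortcut, Target, Arguments -AutoSize
```

Empty tables mean the PC side matches what you expect; the router's own DNS setting still has to be checked in its web panel, as the thread says.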

  Reply # 1131431 18-Sep-2014 13:55

cyril7: Sad really as TP-Link was always a favourite of mine that always seemed to provide good value, clearly this is a big issue and not addressed.

There may be a workaround here, for future reference.
Not that you'd want to risk leaving a customer with an insecure modem/router though.
http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/

"Now! How do you prevent attackers from downloading your rom-0 configuration file and manipulating your router? This is pretty simple if you think about it..
You just have to forward port 80 on the router to an unused IP address on your network:"