Geekzone: technology news, blogs, forums
hsvhel

#150869 6-Aug-2014 11:47

Hi Team

Have a strange event occurring at random with my Laptop, specifically when visiting youtube/Facebook and Google.
The redirect is showing "Flash Player Out Of Date" and then goes into a Flash Player Pro upgrade. I know this is fake, but my question is, where is this coming from? My laptop is showing as clean with MBAM, Ad-Aware and Trend Micro Corporate (paid version).

I notice that the DNS in my router is changed. I am running a TP-Link TD-W8901G router with updated firmware and I suspect that this is still vulnerable to attack.
Assuming the attack is driven from my PC, what is likely to cause it and still evade detection?
If it is coming from the outside due to the router being vulnerable, other than replacing the router, what sort of options do I have?

Have been searching the interwebs on this and have not been able to identify a specific root cause, just a lot of hail Mary fixes.




Inphinity
  #1103168 6-Aug-2014 11:53

You say the DNS in your router is changed...what is it changed to?



Bee
  #1103181 6-Aug-2014 11:58

Almost certainly Malware.

Uncle Google says "a possible rootkit that MBAM won't show."








hsvhel

  #1103201 6-Aug-2014 12:17

Inphinity: You say the DNS in your router is changed...what is it changed to?


Was set to auto on setup; it is then changed to a manual entry that is not associated with anything I use or know about.

 




xpd

  #1103204 6-Aug-2014 12:23

Care to post the DNS entry ? Someone might recognize it.




freitasm
  #1103444 6-Aug-2014 16:17

If it is a rootkit then your way out is a full reinstall from clean discs.






Andib
  #1103472 6-Aug-2014 16:44

Sounds like your modem was hit by an attack. Have seen a few customers with TP-Link modems getting hit over the past week.
Check here: http://forum.tp-link.com/showthread.php?75547-DNS-Redirect-Issue & http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/


Download the latest firmware file from TP-Link.
Factory reset your modem with it to ensure they haven't modified the firmware, which would change the DNS back even after a reset.
Lock down your modem: change default logins, lock down access to the web panel to LAN users only, and don't leave ports open that aren't needed.






MadEngineer
  #1103740 7-Aug-2014 00:36

Saw this on someone's work machine. Turns out it happened when they were visiting somewhere, and it even continued to display the fake page on other networks as the machine had cached the DNS entry. Be sure to run ipconfig /flushdns.

Also, all iterations of ESET will block that page from even opening (which is what alerted me to it in the first place).





askelon
  #1103803 7-Aug-2014 08:57

Also try checking your proxy settings in your browser. I've seen a few that set up proxies lately.

hsvhel

  #1105287 9-Aug-2014 10:26

I have the latest firmware that TP-Link offer, but as the router is EOL I suspect it's not the patched version.
Proxies are fine and I am running changed passwords, but that's no good if the bug's already in ....

Have read up on the TP-Link issue and it's exactly what's happening. Might have to reinstall and swap out the router.
It astounds me that it's out there and no one can scan for it though, if it's root driven to start with?






manly100
  #1105979 10-Aug-2014 17:52

Bee: Almost certainly Malware.

Uncle Google says "a possible rootkit that MBAM won't show."




yep you've got a bug.

cyril7
  #1105989 10-Aug-2014 18:19

Hi, I had a customer with this issue recently. Updating the firmware to the latest did not fix the issue; in the end I put a MikroTik in, problem solved. Issue was on Voda HFC; they kept closing the connection as a result.

Sad really, as TP-Link was always a favourite of mine that always seemed to provide good value. Clearly this is a big issue and not addressed.

Cyril

 
 
 

CyberN3rds
  #1131311 18-Sep-2014 11:45

It sounds like a TDSS rootkit; the TDSS rootkit hides inside the Master Boot Record, making it hard to detect by most antimalware/antivirus programs.
Malwarebytes has a reputation for being quite bad at finding rootkits; I'm not 100% sure about Trend Micro though.

The tools I'd recommend which should do the job, considering I doubt you have a rootkit released in the last 12 hours or not discovered yet: Hitman Pro should do the trick. It uses the Kaspersky, Bitdefender and I think Emsisoft engines. It isn't free but you can get a 30-day free trial.

If you want freeware, Kaspersky TDSSKiller and/or Kaspersky Rescue Disk are probably your best bet.





1101
  #1131411 18-Sep-2014 13:42

hsvhel: Hi Team

I notice that the DNS in my router is changed, I am running a TP-Link TD-W8901G router with updated firmware and I suspect that this is still vulnerable to attack.

- change the DNS in the router to 8.8.8.8
- check the DNS on the PC (ipconfig /all)
- reset/default IE, in Control Panel, Internet
- run TDSSKiller (as above)
- check the IE, Firefox etc. shortcuts; they can be changed by malware. There should be nothing after "C:\Program Files\Internet Explorer\iexplore.exe"
- change the admin password on your modem, or actually put one in :-)
- disable remote (WAN) admin access on the modem


**** No AV can detect every infection ****
There are malware/viruses/rootkits that can't be detected by ANYTHING. I've seen it.
The AV software companies will always be a few steps behind; they need to wait till particular malware is known about so they can write sigs to detect it.
If it's a DNS hack on the router, then the AV scanners won't pick it up as it isn't really malware on the PC (not yet).
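The PC-side checks from the list above (DNS servers actually in use, proxy settings, browser shortcut arguments, flushing the resolver cache), as an added PowerShell example that is not from this thread or any of its posters; the DNS allow-list and shortcut folders are assumptions to adjust for your own network, and the only change the script makes is the cache flush.

```powershell
# Added example, not from the thread. Reports findings; the only change it makes is ipconfig /flushdns.
# Assumption: the allow-list below is constructed; put your router's LAN address / ISP resolvers here.
$expectedDns = @('192.168.1.1', '8.8.8.8')

# 1. DNS servers each active adapter is really using (same data as "ipconfig /all").
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($a in $adapters) {
    foreach ($dns in @($a.DNSServerSearchOrder)) {
        if ($dns -and ($expectedDns -notcontains $dns)) {
            Write-Warning "Adapter '$($a.Description)' uses unexpected DNS server $dns"
        }
    }
}

# 2. Per-user proxy settings honoured by IE and most Windows browsers.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { Write-Warning "Manual proxy is enabled: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { Write-Warning "Proxy auto-config script is set: $($inet.AutoConfigURL)" }

# 3. Browser shortcuts: a clean one carries no arguments after the .exe path.
#    Assumption: these are the usual shortcut locations; add others you use.
$shell = New-Object -ComObject WScript.Shell
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)
Get-ChildItem -Path $shortcutDirs -Filter *.lnk -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'Internet Explorer|Firefox|Chrome' } |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.Arguments) {
            Write-Warning "Shortcut $($_.FullName) passes arguments: $($lnk.Arguments)"
        } else {
            Write-Output "OK: $($_.Name) -> $($lnk.TargetPath)"
        }
    }

# 4. Drop cached answers so a hijacked record does not linger after the router is fixed.
ipconfig /flushdns | Out-Null
Write-Output "Resolver cache flushed."
```

Run it from an elevated PowerShell prompt; anything reported with Write-Warning is worth comparing against what the router's own settings page shows.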


1101
  #1131431 18-Sep-2014 13:55

cyril7:
Sad really as TP-Link was always a favourite of mine that always seemed to provide good value, clearly this is a big issue and not addressed.

Cyril


May be a workaround here, for future reference.
Not that you'd want to risk leaving a customer with an insecure modem/router though.
http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/


"Now! How do you prevent attackers from downloading your rom-0 configuration file and manipulating your router? This is pretty simple if you think about it ..
You just have to forward port 80 on the router to an unused IP address on your network:"

