Geekzone: technology news, blogs, forums
Topic # 150869 6-Aug-2014 11:47

Hi Team

Have a strange event occurring at random with my laptop, specifically when visiting YouTube, Facebook and Google.
The redirect is showing "Flash Player Out Of Date" then into a Flash Player Pro upgrade. I know this is fake, but my question is, where is this coming from? My laptop is showing as clean with MBAM, Ad-Aware and Trend Micro Corporate (paid version).

I notice that the DNS in my router is changed. I am running a TP-Link TD-W8901G router with updated firmware and I suspect that this is still vulnerable to attack.
Assuming the attack is driven from my PC, what is likely to cause it and still evade detection?
If it is coming from the outside due to the router being vulnerable, other than replacing the router, what sort of options do I have?

Have been searching the interwebs on this and have not been able to identify a specific root cause, just a lot of hail Mary fixes.

  Reply # 1103168 6-Aug-2014 11:53

You say the DNS in your router is changed...what is it changed to?





Bee


  Reply # 1103181 6-Aug-2014 11:58

Almost certainly malware.

Uncle Google says "a possible rootkit that MBAM won't show."





  Reply # 1103201 6-Aug-2014 12:17

Inphinity: You say the DNS in your router is changed...what is it changed to?


Was set to auto on setup; it was then changed to a manual entry that is not associated with anything I use or know about.

xpd


  Reply # 1103204 6-Aug-2014 12:23

Care to post the DNS entry? Someone might recognize it.






  Reply # 1103472 6-Aug-2014 16:44

Sounds like your modem was hit by an attack. Have seen a few customers with TP-Link modems getting hit over the past week.
Check here: http://forum.tp-link.com/showthread.php?75547-DNS-Redirect-Issue & http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/


Download the latest firmware file from TP-Link.
Factory reset your modem with it to ensure they haven't modified the firmware, which would change the DNS back even after a reset.
Lock down your modem: change default logins, restrict access to the web panel to LAN users only, and don't leave ports open that aren't needed.



  Reply # 1103740 7-Aug-2014 00:36

Saw this on someone's work machine. Turns out it happened when they were visiting somewhere, and it even continued to display the fake page on other networks as the machine had cached the DNS entry. Be sure to run ipconfig /flushdns.

Also, all iterations of ESET will block that page from even opening (which is what alerted me to it in the first place).

  Reply # 1103803 7-Aug-2014 08:57

Also try checking your proxy settings in your browser. I've seen a few that set up proxies lately.



  Reply # 1105287 9-Aug-2014 10:26

I have the latest firmware that TP-Link offers, but as the router is EOL I suspect it's not the patched version.
Proxies are fine and I am running changed passwords, but that's no good if the bug's already I ....

Have read up on the TP-Link issue and it's exactly what's happening. Might have to reinstall and swap out the router.
It astounds me that it's out there and no one can scan for it, though, if it's root driven to start with?



  Reply # 1105979 10-Aug-2014 17:52

Bee: Almost certainly malware.

Uncle Google says "a possible rootkit that MBAM won't show."


Yep, you've got a bug.


  Reply # 1105989 10-Aug-2014 18:19

Hi, I had a customer with this issue recently; updating the firmware to the latest did not fix the issue. In the end I put a MikroTik in, problem solved. The issue was on Voda HFC; they kept closing the connection as a result.

Sad really, as TP-Link was always a favourite of mine that always seemed to provide good value; clearly this is a big issue and not addressed.

Cyril


  Reply # 1131311 18-Sep-2014 11:45

It sounds like a TDSS rootkit; the TDSS rootkit hides inside the Master Boot Record, making it hard to detect by most antimalware/antivirus programs.
Malwarebytes has a reputation for being quite bad at finding rootkits; I'm not 100% sure about Trend Micro though.

The tools I'd recommend which should do the job, considering I doubt you have a rootkit released in the last 12 hours or not discovered yet: Hitman Pro should do the trick. It uses the Kaspersky, Bitdefender and I think Emsisoft engines. It isn't free but you can get a 30-day free trial.

If you want freeware, Kaspersky TDSSKiller and/or Kaspersky Rescue Disk are probably your best bet.

  Reply # 1131411 18-Sep-2014 13:42

hsvhel: Hi Team

I notice that the DNS in my router is changed. I am running a TP-Link TD-W8901G router with updated firmware and I suspect that this is still vulnerable to attack.


- change the DNS in the router to 8.8.8.8
- check the DNS on the PC (ipconfig /all)
- reset/default IE, in Control Panel, Internet Options
- run TDSSKiller (as above)
- check the IE, Firefox etc. shortcuts; they can be changed by malware. There should be nothing after "C:\Program Files\Internet Explorer\iexplore.exe"
- change the admin password on your modem, or actually put one in :-)
- disable remote (WAN) admin access on the modem


**** No AV can detect every infection *****
There are malware/viruses/rootkits that can't be detected by ANYTHING. I've seen it.
The AV software companies will always be a few steps behind; they need to wait till particular malware is known about so they can write sigs to detect it.
If it's a DNS hack on the router, then the AV scanners won't pick it up, as it isn't really malware on the PC (not yet).
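The "check the DNS on the PC (ipconfig /all)" step above can be automated so the check is repeatable after a reset, and the same allowlist logic applies to whatever the router's upstream resolver is set to. The following is an added example written for this thread, not code from any poster. The `ipconfig /all` sample, the adapter names, the 192.168.1.1 router address and the 203.0.113.77 entry (a documentation-range placeholder, not a real indicator) are all constructed; the 8.8.8.8/8.8.4.4 allowlist follows the post's suggestion.

```python
"""Flag unexpected DNS resolvers in `ipconfig /all` output.

Added example; the sample output below is constructed, not captured from
a real machine.
"""
import re
import subprocess
from typing import Dict, List, Set

# Resolvers you expect to see. Assumption for this example: the public
# Google resolver suggested in the thread plus a typical router LAN address.
TRUSTED_DNS: Set[str] = {"8.8.8.8", "8.8.4.4", "192.168.1.1"}

# Constructed sample of `ipconfig /all` output. The second adapter lists an
# address outside the trusted set, standing in for a hijacked resolver
# (203.0.113.77 is a documentation-range placeholder, not a real IoC).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-EXAMPLE

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.77
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Adapter headers start at column 0 and end with a colon.
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# The first resolver sits on the "DNS Servers" line itself.
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
# Further resolvers follow as indented lines holding a single address.
CONT_RE = re.compile(r"^\s+(\S+)\s*$")


def parse_dns_servers(ipconfig_text: str) -> Dict[str, List[str]]:
    """Map each adapter name to the DNS servers ipconfig lists for it."""
    servers: Dict[str, List[str]] = {}
    adapter = None
    in_dns = False  # True while reading continuation lines under DNS Servers
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers.setdefault(adapter, [])
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            servers[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line) if in_dns else None
        if m:
            servers[adapter].append(m.group(1))
            continue
        in_dns = False  # any other line ends the DNS Servers block
    return servers


def find_untrusted_dns(ipconfig_text: str,
                       trusted: Set[str] = TRUSTED_DNS) -> Dict[str, List[str]]:
    """Return {adapter: [resolvers not in the trusted set]} for adapters that have any."""
    suspicious: Dict[str, List[str]] = {}
    for adapter, addrs in parse_dns_servers(ipconfig_text).items():
        unexpected = [a for a in addrs if a not in trusted]
        if unexpected:
            suspicious[adapter] = unexpected
    return suspicious


def live_ipconfig() -> str:
    """Capture `ipconfig /all` on a Windows host (not used by the offline demo)."""
    return subprocess.run(["ipconfig", "/all"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    findings = find_untrusted_dns(SAMPLE_IPCONFIG)
    if not findings:
        print("All adapters use trusted resolvers")
    for adapter, addrs in findings.items():
        print(f"{adapter}: unexpected DNS server(s) {', '.join(addrs)}")
```

On the affected laptop, feed `live_ipconfig()` to `find_untrusted_dns` and put the router's real LAN address in `TRUSTED_DNS`. A clean result only shows that the PC points at the router; the thread's case is the router itself forwarding to a rogue upstream, so the router's own DNS setting in its web panel still has to be compared against the same allowlist.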


  Reply # 1131431 18-Sep-2014 13:55

cyril7:
Sad really as TP-Link was always a favourite of mine that always seemed to provide good value, clearly this is a big issue and not addressed.

Cyril


May be a workaround here, for future reference.
Not that you'd want to risk leaving a customer with an insecure modem/router though:
http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/


"Now! How do you prevent attackers from downloading your rom-0 configuration file and manipulating your router? This is pretty simple if you think about it ..
You just have to forward port 80 on the router to an unused IP address on your network:"

