Geekzone: technology news, blogs, forums


Topic # 150869 6-Aug-2014 11:47

Hi Team

Have a strange event occurring at random with my laptop, specifically when visiting YouTube/Facebook and Google.
The redirect is showing "Flash Player Out Of Date" and then goes into a Flash Player Pro upgrade. I know this is fake, but my question is, where is this coming from? My laptop is showing as clean with MBAM, Ad-Aware and Trend Micro Corporate (paid version).

I notice that the DNS in my router is changed. I am running a TP-Link TD-W8901G router with updated firmware and I suspect that this is still vulnerable to attack.
Assuming the attack is driven from my PC, what is likely to cause it and still evade detection?
If it is coming from the outside due to the router being vulnerable, other than replacing the router, what sort of options do I have?

Have been searching the interwebs on this and have not been able to identify a specific root cause, just a lot of hail Mary fixes.


  Reply # 1103168 6-Aug-2014 11:53

You say the DNS in your router is changed...what is it changed to?





Bee



  Reply # 1103181 6-Aug-2014 11:58

Almost certainly Malware.

Uncle Google says "a possible rootkit that MBAM wont show."







  Reply # 1103201 6-Aug-2014 12:17

Inphinity: You say the DNS in your router is changed...what is it changed to?


It was set to auto on setup; it has since been changed to a manual entry that is not associated with anything I use or know about.

 

xpd


  Reply # 1103204 6-Aug-2014 12:23

Care to post the DNS entry ? Someone might recognize it.







  Reply # 1103444 6-Aug-2014 16:17

  Reply # 1103472 6-Aug-2014 16:44

Sounds like your modem was hit by an attack. I have seen a few customers with TP-Link modems getting hit with this over the past week.
Check here: http://forum.tp-link.com/showthread.php?75547-DNS-Redirect-Issue and http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/


Download the latest firmware file from TP-Link.
Factory reset your modem with it, to ensure they haven't modified the firmware, which would change the DNS back even after a reset.
Lock down your modem: change the default logins, restrict access to the web panel to LAN users only, and don't leave ports open that aren't needed.





  Reply # 1103740 7-Aug-2014 00:36

Saw this on someone's work machine. Turns out it happened when they were visiting somewhere, and it even continued to display the fake page on other networks, as the machine had cached the DNS entry. Be sure to run ipconfig /flushdns.

Also, all iterations of ESET will block that page from even opening (which is what alerted me to it in the first place).


  Reply # 1103803 7-Aug-2014 08:57

Also try checking your proxy settings in your browser. I've seen a few that set up proxies lately.





  Reply # 1105287 9-Aug-2014 10:26

I have the latest firmware that TP-Link offer, but as the router is EOL I suspect it's not the patched version.
Proxies are fine and I am running changed passwords, but that's no good if the bugs already I ....

Have read up on the TP-Link issue and it's exactly what's happening. Might have to reinstall and swap out the router.
It astounds me that it's out there and no one can scan for it, though, if it's root driven to start with?




  Reply # 1105979 10-Aug-2014 17:52

Bee: Almost certainly Malware.

Uncle Google says "a possible rootkit that MBAM wont show."




yep you've got a bug.


  Reply # 1105989 10-Aug-2014 18:19

Hi, I had a customer with this issue recently. Updating the firmware to the latest did not fix the issue; in the end I put a MikroTik in, problem solved. The issue was on Voda HFC; they kept closing the connection as a result.

Sad really, as TP-Link was always a favourite of mine that always seemed to provide good value; clearly this is a big issue and not addressed.

Cyril



  Reply # 1131311 18-Sep-2014 11:45

It sounds like a TDSS rootkit; the TDSS rootkit hides inside the Master Boot Record, making it hard to detect by most antimalware/antivirus programs.
Malwarebytes has a reputation for being quite bad at finding rootkits; I'm not 100% sure about Trend Micro though.

The tools I'd recommend which should do the job, considering I doubt you have a rootkit released in the last 12 hours or not discovered yet: Hitman Pro should do the trick. It uses the Kaspersky, Bitdefender and I think Emsisoft engines. It isn't free, but you can get a 30-day free trial.

If you want freeware, Kaspersky TDSSKiller and/or Kaspersky Rescue Disk are probably your best bet.



  Reply # 1131411 18-Sep-2014 13:42

hsvhel: Hi Team

I notice that the DNS in my router is changed, I am running a TP-Link TD-W8901G router with updated firmware and I suspect that this is still vulnerable to attack.


- change the DNS in the router to 8.8.8.8
- check the DNS on the PC (ipconfig /all)
- reset/default IE, in Control Panel, Internet
- run TDSSKiller (as above)
- check the IE, Firefox etc. shortcuts; they can be changed by malware. There should be nothing after "C:\Program Files\Internet Explorer\iexplore.exe"
- change the admin password on your modem, or actually put one in :-)
- disable remote (WAN) admin access on the modem


**** No AV can detect every infection ****
There are malware/viruses/rootkits that can't be detected by ANYTHING. I've seen it.
The AV software companies will always be a few steps behind; they need to wait till particular malware is known about so they can write sigs to detect it.
If it's a DNS hack on the router, then the AV scanners won't pick it up, as it isn't really malware on the PC (not yet).
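An added example (not code posted by anyone in this thread) that automates what the checklist above and the earlier "modem was hit" post leave to the reader: it parses `ipconfig /all` for resolvers the PC should not have been handed, and it asks the router's resolver and a known-good public resolver directly for the same names and flags disjoint answers. The second check is the one that matters for a router-level hijack: the laptop's ipconfig will happily show the router as its DNS server while the router forwards every query to the attacker's, so nothing on the PC looks wrong. The sample ipconfig text is constructed, the router address 192.168.1.1 and the allow list are assumptions, and only the live lookup needs network access.

```python
import re
import socket
import struct

# Constructed sample of `ipconfig /all` output (not captured from the OP's laptop).
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.77
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumption: the router's LAN address is the only resolver the laptop should be handed.
EXPECTED_DNS = {"192.168.1.1"}


def dns_servers_from_ipconfig(text):
    """DNS servers listed by `ipconfig /all`, in order. Windows prints the first on the
    'DNS Servers' line and any further ones on following lines that carry only an address."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        stripped = line.strip()
        if collecting and stripped and re.fullmatch(r"[0-9A-Fa-f.:]+", stripped):
            servers.append(stripped)
        else:
            collecting = False
    return servers


def unexpected_dns_servers(text, expected=EXPECTED_DNS):
    """Resolvers the PC is using that are not on the allow list (a PC-side hijack)."""
    return [s for s in dns_servers_from_ipconfig(text) if s not in expected]


def build_query(name, txid=0x1234):
    """Minimal RFC 1035 query for the A record of `name`, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """IPv4 addresses in the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_via(server, name, timeout=3.0):
    """Ask one specific resolver directly (bypassing the OS stub resolver and its cache)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return set(parse_a_records(reply))


def hijack_suspected(answers_by_server):
    """True when the resolvers disagree completely about one name. CDN-fronted names
    legitimately vary by resolver, so only fully disjoint answer sets are flagged."""
    sets = [set(a) for a in answers_by_server.values() if a]
    return len(sets) >= 2 and not set.intersection(*sets)


def constructed_response(name, addr, txid=0x1234):
    """Hand-built DNS response (test fixture) so the parser can be exercised offline."""
    question = build_query(name, txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answer
```

To run the live part, call `resolve_via("192.168.1.1", "www.youtube.com")` and `resolve_via("8.8.8.8", "www.youtube.com")` (and likewise for the other sites the OP named) and pass both results to `hijack_suspected`. Disjoint answers are a lead, not proof: for CDN-fronted sites different resolvers often hand out different edge addresses, so confirm by checking who owns the address the router's resolver returned before concluding the router is lying. The parser handles the compression pointer real answers use, so it works on replies from any resolver, not just the fixture.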




  Reply # 1131431 18-Sep-2014 13:55

cyril7:
Sad really as TP-Link was always a favourite of mine that always seemed to provide good value, clearly this is a big issue and not addressed.

Cyril


There may be a workaround here, for future reference.
Not that you'd want to risk leaving a customer with an insecure modem/router, though.
http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/


"Now! How do you prevent attackers from downloading your rom-0 configuration file and manipulating your router? This is pretty simple if you think about it ..
You just have to forward port 80 on the router to an unused IP address on your network:"
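The point of the quoted write-up is that the affected ZyNOS-based firmware serves its /rom-0 configuration file (which contains the admin password) to an unauthenticated HTTP request arriving on the WAN side, so the attacker never needs your password to log in and change the DNS. Below is an added check, not from the write-up or from any poster here, that makes the same request and classifies what comes back. The sample responses are constructed, and the placeholder target address is an assumption.

```python
import http.client

# Constructed responses for exercising the classifier offline; not captured from a real device.
CONSTRUCTED_RESPONSES = {
    "exposed":   (200, "application/octet-stream", b"\x00" * 16384),
    "protected": (401, "text/html", b"<html>401 Unauthorized</html>"),
    "loginpage": (200, "text/html", b"<html><form>Password:</form></html>"),
    "missing":   (404, "text/html", b"<html>Not Found</html>"),
}


def classify_rom0_response(status, content_type, body):
    """What an unauthenticated GET /rom-0 from the WAN side tells you.

    A vulnerable device hands the binary configuration blob to anyone who asks.
    Anything other than a 200 with a non-HTML body means the file was not handed
    out: a 401, a 404, a redirect, or an HTML login page.
    """
    if status != 200:
        return "protected"
    if content_type.lower().startswith("text/html") or b"<html" in body[:512].lower():
        return "loginpage"
    return "exposed" if body else "empty"


def probe_rom0(host, port=80, timeout=5.0):
    """Fetch /rom-0 the way the attacker does and classify the result.

    Run this from OUTSIDE the LAN (a phone on mobile data, a rented VM) against
    the router's public address: the port-80 forward described in the quoted
    write-up only affects traffic arriving on the WAN side, so a test from
    inside the network says nothing about whether the workaround is effective.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/rom-0")
        resp = conn.getresponse()
        return classify_rom0_response(resp.status, resp.getheader("Content-Type", ""), resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"  # placeholder public IP (assumption)
    print(target, "->", probe_rom0(target))
```

A result of "exposed" from outside means the workaround is not in place (or not working) and the device is still open to the attack the thread describes; "protected" or "loginpage" from outside, together with a quick check that the admin panel is no longer reachable on the WAN address, is what you want to see before handing the router back to a customer.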

