|| posted on 28-6-2008 at 03:36
|I hate codecs, aside from being a security threat they slow down the PC. But thankfully i found a media player that requires no codecs and plays
almost any file, the videoLAN player. Highly recommend it.
are you also a member of PCHF?? cause I remember you helping me out once with a spyware issue.
|| posted on 21-6-2008 at 20:26
|Pancake you truly deserve 1000 first class pancake for your long laborious article
|| posted on 21-6-2008 at 00:28
|Yes they are recomending changing passwords and some are going back to reset to makers default setting.There has been no work done on a uniform fix
but I sure it wont be log...in the mean time keep away from codecs.
|| posted on 20-6-2008 at 12:52
|Thank you Pancake, you may have resolved a problem that I am now experiencing, time will tell as the infected box is currently non-compis mentis!
|| posted on 20-6-2008 at 07:26
Would it make sense to change the passwords we already have?
|| posted on 20-6-2008 at 04:22
|Thank you, Pancake.
Can you tell us of a free anti-virus program or anti-virus scan that is usually effective for this type of virus?
|| posted on 20-6-2008 at 04:16
|A new Trojan horse masquerading as a video "codec" required to view content on certain Web sites tries to change key settings on the victim's
Internet router so that all of the victim's Web traffic is routed through servers controlled by the attackers.
According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if
the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in
list of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all
future traffic passes through the attacker's network first. DNS can be thought of as the Internet's phone book, translating human-friendly names
like example.com into numeric addresses that are easier for networking equipment to handle.
While researchers have long warned that threats against hardware routers could one day be incorporated into malicious software, this appears to be the
first time this behavior has been spotted in malware released into the wild.
The type of functionality incorporated into this version of the Zlob Trojan is extremely concerning for a number of reasons. First, Zlob is among the
most common type of Trojan downloaded onto Windows machines. According to Microsoft, the company's malicious software removal tool zapped some 14.3
million instances of Zlob-related malware from customer machines in the second half of 2007.
The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in
cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think
to look to the router settings, provided the customer's Internet connection is functioning fine.
Philip Sloss, a software engineer for myNetwatchman.com, said he first observed the activity while examining a Zlob variant distributed on May 22. The
DNS hijack occurs, he said, during the installer program, so by the time the user sees the fake codec installer screen, the malware has already
attempted to change DNS settings on the victim's router.
I reached out to researchers at Sunbelt Software to check Sloss's data, and Sunbelt was able to confirm that the malware successfully changed the DNS
settings on a Linksys router (model BEFSX41), pulled straight out of the factory box (with the default username and password). Another test showed
that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware.
Sunbelt also found that if there are multiple machines using the same router, all of the systems connected to that router will have their traffic
"This is definitely something we have not seen before," said Eric Sites, chief technology officer at Sunbelt. Sites said his team is testing the new
Zlob variants against multiple routers to see how they fare against the malware. "It was only a matter of time before someone started using this
Sloss said he captured traffic showing the Zlob variant trying to reconfigure different routers by requesting the local Web page for the various
"setup wizards" that ship with the devices. Some of the requests he noticed are listed below, with my own research noted next to them:
"/index.asp" (still checking, but I believe this is used on DD-WRT and some Linksys routers);
"/dlink/hwiz.html" (D-Link routers);
"wizard.htm" (appears to be used by several different router manufacturers, including Linksys).
"/home.asp" (no idea)
Relatively few people ever change the default username and password on their wireless routers. I see this often, even among people who have locked
down their wireless routers with encryption and all kinds of other security settings: When I confront them about why they haven't changed the default
credentials used to administer the router settings, their rationale is that, 'Well, why should I change it? An attacker would need to already have a
valid connection on my network in order to reach the router administration page, so what's the difference?'
Obviously, an attack like this illustrates the folly of that reasoning.
What's more, the various components dropped onto victim PCs by this malware are fairly ill-detected by most anti-virus tools out there today. A scan
of these three files at Virustotal.com -- which checks submitted files against 31 different anti-virus engines -- indicates that only 11 of the
anti-virus products currently detect any of them as malicious.