{"id":19741,"date":"2022-06-08T20:48:45","date_gmt":"2022-06-08T16:48:45","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/router-malware\/19741\/"},"modified":"2022-06-08T20:48:45","modified_gmt":"2022-06-08T16:48:45","slug":"router-malware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/router-malware\/19741\/","title":{"rendered":"The hidden threats of router malware"},"content":{"rendered":"<p>You check your computer for viruses every week, <a href=\"https:\/\/www.kaspersky.com\/blog\/5-things-that-you-must-update-asap\/39911\/\" target=\"_blank\" rel=\"noopener nofollow\">update systems and programs promptly<\/a>, use strong passwords and generally take care online\u2026 yet for some reason your internet is slow and some websites deny access? It could be malware not on your computer, but in the router.<\/p>\n<h2>Why routers?<\/h2>\n<p>Cybercriminals target routers largely for two reasons. First, because all network traffic goes through these devices; second, you can\u2019t scan a router with a regular antivirus. So malware that has set up shop in the router has plenty of opportunities to attack, and way less chance of being detected \u2014 let alone deleted. Let\u2019s now talk about some things cybercriminals can do with an infected router.<\/p>\n<h2>Create a botnet<\/h2>\n<p>One of the most common cases is when an infected router joins a botnet; that is, a network of devices that send myriads of requests to a particular website or online service as part of a DDoS attack. 
The goal of the attackers is to overload the targeted service to such an extent that it slows down and eventually fails.<\/p>\n<p>Meanwhile, it\u2019s ordinary users whose routers are hijacked that suffer slower internet speeds because their routers are busy sending malicious requests, and only handle other traffic when they pause for breath.<\/p>\n<p>According to our data, routers in 2021 were most actively attacked by two malware families: Mirai and M\u0113ris, with the former leading by a huge margin \u2014 accounting for almost half of all attacks on routers.<\/p>\n<h3>Mirai<\/h3>\n<p>This notorious malware family with the sweet-sounding name (meaning \u201cfuture\u201d in Japanese) has been known since 2016. Besides routers, it\u2019s known to infect IP cameras, smart TVs, and other IoT devices, including corporate ones, such as wireless controllers and digital advertising displays. Initially conceived to carry out large-scale DDoS attacks on Minecraft servers, the Mirai botnet was later unleashed on other services. The source code of the malware has long been leaked online and forms the basis of ever more new variants.<\/p>\n<h3>M\u0113ris<\/h3>\n<p>Not for nothing does M\u0113ris mean \u201cplague\u201d in Latvian. It has already affected thousands of high-performance devices \u2014 mostly MikroTik routers \u2014 and linked them into a network for DDoS attacks. For instance, during an <a href=\"https:\/\/therecord.media\/cloudflare-says-it-mitigated-a-record-breaking-17-2m-rps-ddos-attack\/\" target=\"_blank\" rel=\"nofollow noopener\">attack on a U.S. financial company in 2021<\/a>, the number of requests from the network of M\u0113ris-infected devices reached 17.2 million per second. 
A few months later, the botnet attacked several <a href=\"https:\/\/threatpost.com\/yandex-meris-botnet\/169368\/\" target=\"_blank\" rel=\"nofollow noopener\">Russian financial and IT companies<\/a>, with a record 21.8 million requests per second.<\/p>\n<h2>Steal data<\/h2>\n<p>Some router-infecting malware can do even more serious damage, such as stealing your data. When online, you send and receive a lot of important information: payment data in online stores, credentials on social networks, work documents by email. All of this information, along with the rest of your network traffic, inevitably passes through the router. During an attack, the data can be intercepted by malware and fall straight into the cybercriminals\u2019 hands.<\/p>\n<p>One such data-stealing piece of malware is <a href=\"https:\/\/ics-cert.kaspersky.com\/publications\/news\/2018\/05\/28\/vpnfilter\/\" target=\"_blank\" rel=\"noopener\">VPNFilter<\/a>. By infecting routers and NAS devices, it gains the ability to collect information passing through the device and to control or disable the router.<\/p>\n<h2>Spoof websites<\/h2>\n<p>Malware lodged in the router can surreptitiously redirect you to pages with ads or malicious sites instead of the ones you want to visit. You (and even your browser) will think you\u2019re accessing a legitimate website, when in fact you\u2019re in the hands of cybercrooks.<\/p>\n<p>It works like this: when you enter the address of a site (say, google.com) in the address bar, your computer or smartphone sends a query to a DNS server, which translates the domain name into the IP address of the server that hosts the site. 
If the router is infected, it may hand your devices the address of a rogue DNS server (through DHCP) or forward their queries to one itself. The rogue server responds to the \u201cgoogle.com\u201d query with the IP address of a completely different site \u2014 one that might be <a href=\"https:\/\/www.kaspersky.com\/blog\/hacked-routers-dns-hijacking\/26802\/\" target=\"_blank\" rel=\"noopener nofollow\">a phishing one<\/a>. For sites that use HTTPS, the impostor cannot present a valid certificate for the real domain name, so the browser shows a warning; the trick works best against plain-HTTP pages and against users who click through such warnings.<\/p>\n<p>The Switcher Trojan did precisely that: it broke into the router settings and set a malicious DNS server as the default. Naturally, all data entered on the fake pages leaked to the attackers.<\/p>\n<h2>How does malware get into routers?<\/h2>\n<p>There are two main ways to plant malware in a router: by guessing the admin password, or by exploiting a vulnerability in the device.<\/p>\n<h3>Password guessing<\/h3>\n<p>All routers of the same model tend to ship with the same admin password in the factory settings. Not to be confused with the network security key (the string of characters you enter to connect to Wi-Fi), the admin password is used to get into the router settings menu. If the user unwittingly left the factory settings unchanged, attackers can easily guess the password \u2014 especially if they know the router brand and model \u2014 and infect the router.<\/p>\n<p>Recently, however, manufacturers have started taking security more seriously by assigning a unique random password to each device, making this method less effective. But guessing the right combination for older models is still child\u2019s play.<\/p>\n<h3>Vulnerability exploitation<\/h3>\n<p>Router vulnerabilities are holes in your gateway to the internet through which all kinds of threats can stroll right into your home or corporate network\u00a0\u2014 or simply sit in the router itself, where detection is less likely. 
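The DNS redirection described in the "Spoof websites" section can be checked from any client on the network: resolve a name through the DNS server the router handed out via DHCP and through a resolver you trust, then compare the answers. The Python below is an added example, not code from the original post or from Kaspersky. It builds and parses raw DNS packets and runs the comparison offline against constructed reply packets; the domain `login.example.com`, the RFC 5737 addresses and the function names are assumptions made for the example. To test a real router, send the bytes from `build_query(...)` over UDP port 53 to the router-supplied resolver and to a trusted one, and pass both replies to `dns_hijack_check`.

```python
"""Minimal DNS client pieces plus a resolver-consistency check.

Added example (not from the original post). Runs offline against constructed
reply packets; replace build_response() with real UDP/53 exchanges to test the
resolver your router advertises over DHCP.
"""
import random
import struct
from typing import Dict, List, Optional, Tuple

A_RECORD = 1
IN_CLASS = 1


def build_query(name: str, txid: Optional[int] = None, qtype: int = A_RECORD) -> bytes:
    """Encode a single-question DNS query (RD=1, as a stub resolver sends it)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, IN_CLASS)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels: List[str] = []
    end, jumped = 0, False
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                # caller resumes after the 2-byte pointer
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes, expected_txid: int) -> List[str]:
    """Return the IPv4 addresses in the answer section, validating ID and RCODE."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):                 # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    ips: List[str] = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


def build_response(query: bytes, ips: List[str], ttl: int = 300) -> bytes:
    """Constructed reply packet standing in for a live resolver in this example."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR, RD, RA
    answers = b"".join(
        b"\xc0\x0c"                          # pointer to the name in the question
        + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4)
        + bytes(int(octet) for octet in ip.split("."))
        for ip in ips
    )
    return header + query[12:] + answers


def dns_hijack_check(domain: str, router_reply: bytes, trusted_reply: bytes,
                     txid: int) -> Dict[str, object]:
    """Flag the router's resolver when it shares no address with a trusted one."""
    router_ips = set(parse_a_records(router_reply, txid))
    trusted_ips = set(parse_a_records(trusted_reply, txid))
    return {
        "domain": domain,
        "router": sorted(router_ips),
        "trusted": sorted(trusted_ips),
        "suspicious": not (router_ips & trusted_ips),
    }


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Constructed scenario: a hijacked router answers with an attacker's address."""
    txid = 0x1234
    query = build_query("login.example.com", txid=txid)
    trusted = build_response(query, ["198.51.100.10"])  # constructed "real" address
    rogue = build_response(query, ["203.0.113.7"])      # constructed phishing host
    return (dns_hijack_check("login.example.com", rogue, trusted, txid),
            dns_hijack_check("login.example.com", trusted, trusted, txid))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Disjoint answer sets are a signal, not proof: sites behind CDNs legitimately return different addresses to different resolvers, so confirm a hit by checking the suspicious address's reverse DNS and TLS certificate, and compare the DNS server your router advertises over DHCP with the one you configured in its settings.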
The above-mentioned M\u0113ris botnet does just that, exploiting unpatched vulnerabilities in MikroTik routers.<\/p>\n<p>According to <a href=\"https:\/\/securelist.com\/router-security-2021\/106711\/\" target=\"_blank\" rel=\"nofollow noopener\">our research<\/a>, several hundred new vulnerabilities have been discovered in routers in the past two years alone. To secure weak spots, router vendors release patches and new firmware versions (essentially routers\u2019 operating system updates). Unfortunately, many users simply do not realize that the router software needs to be updated, just like other programs.<\/p>\n<h2>How to protect your network?<\/h2>\n<p>If you want to secure your home or corporate router and keep your data safe:<\/p>\n<ul>\n<li>At least once a month, check the manufacturer\u2019s website for the latest router firmware updates. Install them as soon as they become available. For some models, patches arrive automatically, but sometimes you have to install them manually. Information about updating your device\u2019s software can also be found on the vendor\u2019s website.<\/li>\n<li>Create a long, strong admin password for your router. 
And so as not to forget the combination, use a <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">password manager<\/a>.<\/li>\n<li>If you are skilled enough or can find instructions (on that same vendor\u2019s website, for example), disable remote access to the router admin settings, that is, administration from the internet (WAN) side, and manage the router only from your local network.<\/li>\n<li>Configure <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-home-wifi\/13371\/\" target=\"_blank\" rel=\"noopener nofollow\">Wi-Fi correctly<\/a>: think up a unique password, use a strong wireless encryption standard (WPA2 or, preferably, WPA3), and set up <a href=\"https:\/\/www.kaspersky.com\/blog\/guest-wifi\/23843\/\" target=\"_blank\" rel=\"noopener nofollow\">guest networks<\/a> so that unscrupulous or just careless guests and neighbors do not spread malware on your network from their infected devices.<\/li>\n<li>Use a <a href=\"https:\/\/me-en.kaspersky.com\/vpn-secure-connection?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____vpn___\" target=\"_blank\" rel=\"noopener\">VPN app<\/a> that encrypts all outbound traffic, normally including DNS lookups, before it reaches the router, keeping it safe from cybercriminals even if they have infected the device. Note that a VPN protects your traffic, not the router itself: it will not stop an infected router from joining a botnet, so it complements the steps above rather than replacing them.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Malware can infect your router, slow down the internet connection and steal data. 
We explain how to protect your Wi-Fi.<\/p>\n","protected":false},"author":2484,"featured_media":19742,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486,9],"tags":[1032,1012,1245,131,174],"class_list":{"0":"post-19741","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"category-tips","9":"tag-ddos","10":"tag-internet","11":"tag-routers","12":"tag-tips","13":"tag-wi-fi"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/router-malware\/19741\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/router-malware\/24258\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/router-malware\/9956\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/router-malware\/26586\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/router-malware\/24544\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/router-malware\/24904\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/router-malware\/27267\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/router-malware\/26844\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/router-malware\/33319\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/router-malware\/10767\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/router-malware\/44539\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/router-malware\/19023\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/router-malware\/19568\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/router-malware\/28888\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/router-malware\/32536\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/router-malware\/28317\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.ka
spersky.kz\/router-malware\/25107\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/router-malware\/30620\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/router-malware\/30369\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/tips\/","name":"tips"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2484"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=19741"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19741\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/19742"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=19741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=19741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=19741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}