Bear with me, for now this will be a tiny post, a placeholder, but I am looking for feedback, ideas, comments and I will keep this post updated.
The scenario: My local sandwich shop where I often hang out and work remotely has a wireless router that started to redirect me to a fake "update your flash" page and download a "Install flashplayer_10924_i13445851_il345.exe" malware file. There are no viruses, rootkits, or malware on my PC. This affects their PoS (Point of Sale) system, tablets, iPhones. Also, it's not a DNS hijack, as the URL from the HTTP doesn't change. It's a MitM attack (Man in the Middle) where x number of HTTP GETs work fine and then every few hundred the router returns its own HTML. The requestor doesn't know the difference.
The router he has is a V1000W Wireless N VDSL Modem Router. I'm suspecting the "Moon" virus but I'm not sure, as this isn't a Linksys. The firmware is ancient from 2009 and that's the latest one I can find.
Before you reply:
- I'm technical, but the public is often not. Comments like "run openwrt" are certainly valid for a techie, but I'd like to know something more populist:
- Can this router (and others like it) be fixed? Or is this bricked? Can I flash it with the original firmware to restore?
- Remote management isn't enabled. What port did the attack happen on?
- How can I confirm it has it (all signs point to it) with some curl command?
- What routers have this? What is the source?
- What can a regular Jane/Joe do about this if they have Frontier/FiOS/CenturyLink, etc?
Thoughts?
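On the "how can I confirm it" question: because the injection is intermittent, a single request proves nothing, so a check has to fetch the same plain-HTTP page many times and compare the bodies. The script below is an added example (not from the post), assuming a static HTTP page you trust as the reference URL and that the injected page carries "Flash update"-style text; it reports any response that deviates from the majority body and notes whether it carries those markers.

```python
import hashlib
import re
import urllib.error
import urllib.request
from collections import Counter

# Assumed markers for the fake-update page; adjust to what you actually observe.
SUSPICIOUS_MARKERS = (r"flash ?player", r"\.exe\b", r"update your flash")


def fingerprint(body: bytes) -> str:
    """Stable hash of a response body so repeated fetches can be compared."""
    return hashlib.sha256(body).hexdigest()


def most_common_body(responses):
    """The body seen most often is taken as the real page. Using the majority
    rather than the first fetch guards against the first one being injected."""
    counts = Counter(fingerprint(body) for _, body in responses)
    winner = counts.most_common(1)[0][0]
    return next(body for _, body in responses if fingerprint(body) == winner)


def find_injected(responses, baseline_body):
    """Return (index, status, has_markers) for every response whose body
    differs from the baseline; a compromised router only differs sometimes."""
    base = fingerprint(baseline_body)
    hits = []
    for i, (status, body) in enumerate(responses):
        if fingerprint(body) == base:
            continue
        text = body.decode("utf-8", "replace").lower()
        hits.append((i, status, any(re.search(m, text) for m in SUSPICIOUS_MARKERS)))
    return hits


def fetch_repeatedly(url, count=300, timeout=5):
    """Fetch a plain-HTTP URL `count` times, bypassing caches, as (status, body)."""
    results = []
    for _ in range(count):
        req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results.append((resp.status, resp.read()))
        except urllib.error.HTTPError as e:
            results.append((e.code, e.read()))
    return results


if __name__ == "__main__":
    URL = "http://example.com/"  # placeholder: a static page whose content you trust
    got = fetch_repeatedly(URL)
    for idx, status, marker in find_injected(got, most_common_body(got)):
        print(f"request {idx}: HTTP {status} body differs, fake-update markers={marker}")
```

Run it from the affected network and again from a known-good connection; a clean router gives an empty list for the same URL.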
© 2015 Scott Hanselman. All rights reserved.