The Barracuda Labs Internet Security Blog

By Barracuda Labs

Many savvy computer users have experience setting up a wireless access point in their home or office. It’s not that hard, really. Change the SSID, change the password, and perhaps change the channel. Set the IP and you’re good to go.

But if that’s all you’ve done, you could be leaving open an attack vector that malware authors have been targeting for years. They’re still targeting it today.

Many routers, including those that are part of wireless access points, implement the Universal Plug and Play (UPnP) interface. This interface allows programs running on computers connected to the router to control the router.  No authentication is necessary. The bad news is that this makes it easy for malware to change router settings.

While scanning for malware, we found this bogus forum post pretending to be a video recipe for Yankee Pot Roast. However, when looking a bit closer, it revealed itself as TROJ_TDSS.AKA, a downloader that initially downloads a fake antivirus but, as demonstrated, also tries to open a port in the gateway, leaving your computer and personal information exposed.

Malware automatically opening a port in the gateway is significant because most router users, particularly most home wireless access point users, assume a few simple security steps are all they need – enable WEP or WPA, set a strong password and you’re good (enough) to go. The UPnP vulnerability doesn’t have very high non-geek visibility, even though it’s still being exploited – and by Conficker no less.  And despite it having been around for quite a while now (referenced in this ZDNet article at http://www.zdnet.com/blog/soho-networking/wi-fi-routers-vulnerable-to-upnp-attack-from-hackers/120), it’s still alive and incredibly widespread. In fact, Google gives approximately 1,870,000 results for sites linking to the primary attack site, hxxp://vixensandschoolgirls.com.

Users should check to see if their routers allow for more secured startups. For example, it is recommended to disable UPnP and to use forced static IP so that the system will not be subject to unannounced attacks leaving the DHCP server open to assign an IP to any system that breaches your WiFi security.

Further, this once again reiterates the importance of knowing the source of information online, and to not click on links from unknown sources.

Screenshots of the attack follow for reference.

1)  Clicking on this ‘video’ brings up another window displaying a video prompt.

2) At this point, the astute user might wonder why the Yankee Pot Roast recipe is being offered up by hxxp://vixensandschoolgirls.com, but then the standard Windows warning message appears.

3) Running the offered program doesn’t seem to do anything at first. After a long delay, a fake anti-malware program named Defense Center is downloaded and executed.

4) Meanwhile, behind the scenes, multiple attempts are made against the router, followed by this UPnP payload. The payload changes the firewall settings of the router to open a port for additional malicious traffic. Conficker uses this same internal UPnP attack against routers to open up ports for its peer-to-peer control mechanism. UPnP is sometimes used for file or printer sharing, but in most cases it can be disabled with no ill effects.

5) The setting used on the Linksys router used in testing.