September 18, 2015
If you are one of the millions of people using a consumer router, you may want to check whether it has malware. Manufacturers often don’t bother to update “old” devices and make new devices instead, and attackers are taking advantage of this to attack routers in huge numbers.
They perform these attacks by changing the router’s DNS server setting so that it points at a malicious server. Your browser will still show the correct website address, but you’ll be at a phishing site. You may notice that the site isn’t HTTPS encrypted, but some attacks can even remove the encryption in transit. Your requests may time out or be unusually slow, which is a good indicator that your router is infected.
Attackers may also infect advertisements, redirect search results, or attempt to install drive-by downloads. It is possible for them to capture requests for scripts that almost every website uses and redirect you to a server that provides a script injecting ads instead. If you know the website you are on is legitimate and you see pornographic advertisements on it, then you can almost bet your router or PC is infected.
To check whether your router has been infected, the website HowtoGeek.com suggests the following:
First, you’ll need to access your router’s web-based setup page.
“Check your network connection’s gateway address or consult your router’s documentation to find out how. Sign in with your router’s username and password, if necessary. Look for a “DNS” setting somewhere, often in the WAN or Internet connection settings screen. If it’s set to “Automatic,” that’s fine — it’s getting it from your ISP. If it’s set to “Manual” and there are custom DNS servers entered there, that could very well be a problem.
It’s no problem if you’ve configured your router to use good alternative DNS servers — for example, 188.8.131.52 and 184.108.40.206 for Google DNS or 220.127.116.11 and 18.104.22.168 for OpenDNS. But, if there are DNS servers there you don’t recognize, that’s a sign malware has changed your router to use DNS servers. If in doubt, perform a web search for the DNS server addresses and see whether they’re legitimate or not. Something like “0.0.0.0” is fine and often just means the field is empty and the router is automatically getting a DNS server instead.
Experts advise checking this setting occasionally to see whether your router has been compromised or not.”
If you do in fact find a malicious DNS server, wipe all of your router’s settings and factory-reset it before setting it back up again with a legitimate DNS server. Installing firmware, disabling remote access, and changing the password are some ways to protect your router from future attacks.
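The DNS check quoted above can be automated against a saved copy of the router's settings. The following is an added example, not code from HowtoGeek or any router vendor; the key=value export format, the key names (wan_dns_mode, wan_dns1, ...) and the allowlist addresses (taken from documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed allowlist: resolvers the owner knowingly configured (placeholders).
TRUSTED = ["192.0.2.53", "198.51.100.0/28"]

# Constructed sample of a hypothetical router settings export.
SAMPLE = """\
# constructed export, not from a real device
wan_dns_mode = manual
wan_dns1 = 192.0.2.53
wan_dns2 = 203.0.113.66
wan_dns3 = 0.0.0.0
"""

def parse_settings(text):
    """Parse 'key = value' lines, ignoring '#' comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_dns(settings, trusted=TRUSTED):
    """Return (verdict, unrecognized_servers) following the quoted check."""
    if settings.get("wan_dns_mode", "automatic").lower() != "manual":
        return ("ok", [])            # "Automatic": servers come from the ISP
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    unrecognized = []
    keys = sorted(k for k in settings if k.startswith("wan_dns") and k != "wan_dns_mode")
    for key in keys:
        raw = settings[key]
        if not raw:
            continue                 # empty field
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            unrecognized.append(raw) # not an IP address at all: look into it
            continue
        if addr.is_unspecified:
            continue                 # 0.0.0.0 (or ::) just means "not set"
        if not any(addr in net for net in nets):
            unrecognized.append(str(addr))
    return ("suspicious" if unrecognized else "ok", unrecognized)

if __name__ == "__main__":
    print(audit_dns(parse_settings(SAMPLE)))
```

Anything reported as unrecognized is a prompt to look the address up, as the quoted advice says, not proof of compromise.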