20

I am behind a router (Linksys that runs DD-WRT on it) and I was infected with Sality. I'm curious, can my router get infected too? If yes, how can I remove the infection?

I used the search bar but found nothing relevant.

AviD
Skaziana

4 Answers

18

Absolutely. Given that you can modify the firmware on a router, you could infect it with a virus if you were so minded. DD-WRT is Linux-based; some routing equipment uses OpenBSD or one of the other BSDs.

However, generally speaking, routers are fairly stripped down pieces of kit - i.e. they run very cut down versions of Linux, or OpenBSD - and as such, the attack surface is much, much smaller than your desktop - in English, there are fewer places you're likely to find a security hole. Short of persuading a user to upload a malicious update, your average router probably doesn't have that many vulnerabilities in it, especially when the default configuration is to drop all incoming connections (connections that originate from the internet side of the router).

That's not to say people won't try though; for example, there have been a number of published exploits against Cisco kit, such as this one.

There is also a value-of-target factor to consider. With home routers, there are many different possible configurations and no standard operating system; they're not even guaranteed to be running x86 processors - I'd suggest an ARM variant would be more likely. Cisco kit is likely to be a much more attractive proposition since there is a lot of it in big businesses and the software on it is likely to be similar, meaning attacks might work across multiple models. This is the same idea that attacking Windows is a much more attractive proposition than attacking Linux, because there are many more Windows installs to target.

If you're asking "is my router likely to be compromised?" I'd say the chances are pretty slim. If you want to check if exploits exist, have a search for vulnerabilities against that model and see what you find.

  • 8
    Routers are stripped-down, but they're also old, custom, and their code tends to be of dubious quality. Many routers have web administration interfaces that are vulnerable to a number of attacks (CSRF, XSS, etc.) -- and often those attacks can be carried out from an infected machine behind the router (or in some cases by a malicious web site that you happen to visit). I wouldn't assume that the chances of your router getting infected are slim. – D.W. Jun 26 '11 at 02:42
  • 1
    @D.W. good point, maybe a better response would include the caveat "assuming the firmware authors have done things right", which is as you point out not necessarily true. I should perhaps also have noted that you don't necessarily need to infect a router to subvert it, depending on the vulnerability. I still think, though, the risk relative to your Windows PC is much much less. –  Jun 26 '11 at 11:04
8

Yes, routers can get infected. Typically they are just Linux boxen with a web server providing an admin interface, and a bunch of sockets and radios to provide networking. I've certainly had one before that, out of the box, had a weak default password and would listen on the public (DSL) interface for the admin server.

But do routers get infected? Yes. An example is psyb0t, which used the default weak state of Linksys routers to grow a botnet. It didn't permanently infect the systems: turning them off removed the malicious code. But routers are typically left on for days at a time, and it can be hard to tell when one is infected.

4

Yes - if there is a vulnerability and the configuration changes to allow someone external to re-load their software, your router will be compromised.

Typically, you can reset the password (or log in if it wasn't changed) and re-load the router with known good firmware/software to undo whatever was done.

You will of course have to find and patch the vulnerability or find it altered again.

bmike
  • And if let's say my router is infected, will a reset be enough? Or do I have to install the firmware again? Isn't the reset going to get me back to firmware default? Thanks! – Skaziana Jun 26 '11 at 09:47
  • I suppose if someone modified the software but didn't/couldn't save the changes to the flash, a reset would do. Why would you even risk it and not re-load everything if you suspect compromise? – bmike Jun 26 '11 at 16:04
1

NO. (you can't, but others can)

The Sality malware attack is a Win32-based infection that then uses the known behaviour and limitations of common brand/model ADSL routers' firmware to compromise the DNS settings (among other things).

ESET - Win32/Sality newest component: a router’s primary DNS changer named Win32/RBrute

NetworkWorld - Sality malware, growing old, takes on a new trick

Unless they find some way of also attacking DD-WRT / OpenWRT, then NO your router did NOT also get infected.

david6