As the title says: use the default password on your wireless/wired routers and wait for the new variant of the "Zlob" trojan to infect some machines; it will then try every default router username/password combination from http://www.routerpasswords.com/. Or check this text file and search for your current user/pass to make sure they are not in the list: http://blog.washingtonpost.com/securityfix/zlobpass.txt
Zlob (also known as DNSChanger) modifies the DNS settings to use rogue DNS servers. These name servers resolve non-existent domains (typo-squatting) to IP addresses associated with the authors to generate revenue, and could potentially re-route traffic from legitimate web sites to other suspicious web sites.
Countermeasures against DNSChanger:
- Change your router default password to something complex. Make sure it's long, and contains symbols and numbers.
- Configure your router to allow management access from a specific machine only (e.g., the admin PC); this will prevent infected machines from reaching your router.
- Update the current firmware to fix any security issues.
- If possible, change the management port to something else (e.g., from port 80/443 to 555).
- Configure Syslog/SNMP on the router to watch for any configuration modifications or failed logins.
- Rename the admin account on the router, or see the next item.
- Disable/delete the admin account, and create another one with a different name and password.
- Deploy an IDS on your network to detect malicious activity (e.g., router user/pass brute-force attacks, requests to rogue DNS servers, video codec downloads).
- Deploy URL filtering software or an appliance that filters access to any malicious websites/pages that provide codecs/fake codecs.
- Disable UPnP on your router, because it's not secure anymore. Check here: http://www.google.com/search?hl=en&q=upnp+exploit+router
- Block access to these IPs (18.104.22.168 / 22.214.171.124)
- Use the Pure Networks Security Scan for wireless networks: http://www.purenetworks.com/securityscan/
- Keep your machines up to date. Most malware targets a specific vulnerability to reach the system.
- Get legitimate video codecs, install them on your machines, and inform your users that their machines are ready to play any video format and there is no need to download codecs from untrusted sites. Check http://www.free-codecs.com/download/K_lite_codec_pack.htm
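
One way to act on the Syslog countermeasure above, as an added example that is not part of the original post: a small Python script that scans router syslog lines for a burst of failed logins and for any login or configuration change coming from a machine other than the admin PC. The log layout, the addresses, the admin host and the thresholds are all assumptions made for illustration; adapt the pattern to what your router actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed syslog layout; adapt EVENT to your router's format.
SAMPLE_LOG = """\
2008-06-14T10:00:01 router httpd: login failed user=admin src=192.168.1.23
2008-06-14T10:00:02 router httpd: login failed user=root src=192.168.1.23
2008-06-14T10:00:03 router httpd: login failed user=user src=192.168.1.23
2008-06-14T10:00:04 router httpd: login ok user=admin src=192.168.1.23
2008-06-14T10:00:05 router httpd: config changed item=dns1 src=192.168.1.23
2008-06-14T11:30:00 router httpd: login failed user=netadmin src=192.168.1.10
2008-06-14T11:30:20 router httpd: login ok user=netadmin src=192.168.1.10
"""

EVENT = re.compile(r"^(\S+) \S+ \S+: (login failed|login ok|config changed)(.*)$")

def parse(line):
    """Return (timestamp, event, fields) or None for lines we do not track."""
    m = EVENT.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return datetime.fromisoformat(m.group(1)), m.group(2), fields

def analyze(log_text, admin_hosts=("192.168.1.10",), threshold=3,
            window=timedelta(seconds=60)):
    """Flag failed-login bursts and any login or config change from a non-admin host."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logins
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, f = rec
        src = f.get("src", "unknown")
        if event == "login failed":
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) == threshold:  # alert once per burst
                alerts.append(("bruteforce", src, f"{threshold} failed logins"))
        elif src not in admin_hosts:
            # Management access is supposed to come from the admin PC only.
            detail = f.get("item") or f.get("user", "")
            alerts.append((event.replace(" ", "_"), src, detail))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A successful login right after a burst of failures, followed by a change to the DNS setting, is the sequence to treat as an incident: reset the router, change the password and clean the machine at the source address.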