Never forget to change your default router password

Insecure routers open the back door to DNS hijacking

Posted by Vijay Koushik on May 23, 2017
#dns-hijacking #insecure-routers #factory-access-credentials #personal-experience

Two years ago on a fine morning I opened my computer to check my email. I started searching for job opportunities on Google and opened each result that Google brought up. Now, a strange thing happened! Whenever I tried to interact with a website that I opened from the results page an ad-popup opened. I thought I disabled the ad blocker plug-in, but it was enabled. I started to wonder what was going on. I then visited every webpage I used to visit and the same thing happened. Every time I clicked on an element an ad-popup opened. This frustrated me so I closed my browser and started a complete virus scan on my pc and then stared browsing on my phone. But alas! The same thing happened. This time every time I try to scroll a page on my phone it started to redirect to an advertisement. I felt something was not right and so I started to inspect on all my devices on my network the result was the same. By this time I could guess that something was wrong with my modem. Amidst this problem Google and Facebook were working fine. No irritating popups (thank god!). I fiddled around with my network configuration on my PC. I opened command prompt and typed in the command ipconfig and I noticed something unusual in the results displayed on the screen.

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.1.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 213.109.79.255

The default gateway address was not the modem's IP. I made a quick search on google on the unusual IP and I found that it was a "rouge dns" server's address and I was a victim of DNS Hijacking. After further research on dns high jacking trying very hard to ignore the ad-popup I came to know that this was done by a malware called DNS changer. That moment, I regretted the times I clicked the ignore button every time when my computer warned me about installing software from unknown publishers.

DNS Hijacked

Illustration of DNS hijacking An Illustration of how ads were embeded into websites

On further reading about DNS changer malware, I learnt its working procedure. The malware exploited vulnerability in my modem. It used the default access credentials to get into my modem settings and changed the dns address to a rouge dns. I never changed the generic username:admin and password:admin credentials that came with the box because it was easy for me to remember. Another warning I ignored. Now that the malware changed the dns settings all my traffic to the internet were sent to a rouge dns instead of my ISP's DNS. The rouge dns was monitoring all the websites I visited, my email accounts and my passwords.

Wikipedia says

DNS hijacking or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.
In my case the rouge server read all my queries and attached a script to the response that opens an advertisement pop whenever I interacted with any website I wanted to visit. Pretty cruel right? This way the hacker could earn money for the ads I was forced to visit. I had spent almost half a day trying to understand the problem and now I was desperate to find a solution to my problem.

Opendns to the rescue

After surfing the internet for about half an hour I was suggested to do 2 things:

  1. To change my modem's access credentials from the factory provided one.
  2. To change my dns setting in my modem from automatic to a secure static dns, either Google Public DNS or Opendns.
While the former is higly recomended, the latter is optional.
Google Public DNS provided the benefit of faster access to web pages and security from various attacks (more on this here).But, Opendns along with seemingly faster internet access and security also provided web filtering options (more on this here) which made me choose Opendns for my network.

I then changed the password for my modem which started all of my problems (I suggest you to include numbers and symbols in your password for added security). Now, everything is working fine and I'll never forget about his incident. If you think you are still using your modem/router's default username and password then change it immediately.

A random quote

You must not lose faith in humanity. Humanity is an ocean; if a few drops of the ocean are dirty, the ocean does not become dirty.-Mahatma Gandhi

Photographs by Sentrant.com and header photo by Wikimedia Commons.

Share