Kitz ADSL Broadband Information
Author Topic: Can Routers Be Infected?  (Read 2821 times)

Antonios

  • Just arrived
  • *
  • Posts: 2
Can Routers Be Infected?
« on: December 18, 2019, 09:18:52 AM »

Hello Friends,

Can a router be infected? I am getting a popup from my AV program that my router could be infected. Any idea what might be going on?

dee.jay

  • ISP Rep
  • Reg Member
  • *
  • Posts: 952
Re: Can Routers Be Infected?
« Reply #1 on: December 18, 2019, 03:22:44 PM »

A router itself can't be infected.

A router could be open to vulnerabilities, but that is something someone has to openly try and exploit.

In some cases, you get some spam/pop-up scam effort to try and extort money out of you because it will make you believe you have an issue, when in fact, you likely don't. This is commonplace these days to try and extract money out from people who wouldn't know better/have the foresight to ask folks who do know...

However, as this is from an AV - I'd still be suspicious. What AV is it?

Starlink and AAISP L2TP combo routed by opnSense on proxmox

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Can Routers Be Infected?
« Reply #2 on: December 18, 2019, 07:33:40 PM »

A router can be infected. It's quite possible for someone to get their malicious software into a router and get the router to execute it. I don't think any typical AV program would be able to accurately determine if that had actually happened.

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: Can Routers Be Infected?
« Reply #3 on: December 18, 2019, 11:25:05 PM »

I wonder if your AV is genuine AV or some fake stuff. Is it trying to sell you something when it claims your router is infected?

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Can Routers Be Infected?
« Reply #4 on: December 19, 2019, 12:44:37 AM »

My own understanding is there’s a middle ground whereby a router’s firmware has not been ‘infected’ in the traditional sense yet a router vulnerability has been exploited that allowed, for example, default DNS settings to be reconfigured with malicious intent.

I would have thought an AV might be able to detect that scenario by testing specific DNS resolutions. For example, if a .gov.uk address resolves to an IP normally associated with the Kremlin, the AV might want to alert the user to the possibility that something unsavoury is afoot.

> I wonder if your AV is genuine AV or some fake stuff. Is it trying to sell you something when it claims your router is infected?

Yes, that too!

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Can Routers Be Infected?
« Reply #5 on: December 19, 2019, 07:14:55 AM »

A router can be "compromised". Infected would mean a resident rootkit. Since many routers use some form of Linux, and Linux can be rootkit'd, then yes they can be infected.

As long as the router doesn't allow any connections from the WAN then it's very unlikely it can happen, it would have to be done from the LAN side which means they need to compromise your LAN first.
« Last Edit: December 24, 2019, 04:21:48 PM by Chrysalis »

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Can Routers Be Infected?
« Reply #6 on: December 19, 2019, 09:11:58 AM »

Best thing to do is delete the AV program, run Trend Micro Housecall or similar tools.

Antonios

  • Just arrived
  • *
  • Posts: 2
Re: Can Routers Be Infected?
« Reply #7 on: December 24, 2019, 07:20:36 AM »

I also found this post which depicts my scenario. Is this really possible what it says here?

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: Can Routers Be Infected?
« Reply #8 on: December 24, 2019, 07:50:37 AM »

I'm curious how Avast are detecting this. I can only imagine they are checking certain DNS results from the router against lookups from a known-good DNS server and doing a comparison. Depending on how clever this is it could easily trip up if your ISP has some form of web filtering via DNS.

While DNS hijacking is serious and something you don't want to happen, I fail to see how something like Avast can reliably detect it.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Can Routers Be Infected?
« Reply #9 on: December 24, 2019, 04:23:12 PM »

Either it's some kind of fake warning, or yeah they look for what could be perceived as telltale signs. Maybe they check for backdoor ports of known rootkits, rogue DNS results, if Avast has a firewall that's enabled, they might even log a port scan coming from the router.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: Can Routers Be Infected?
« Reply #10 on: December 25, 2019, 05:09:20 AM »

> Either it's some kind of fake warning, or yeah they look for what could be perceived as telltale signs. Maybe they check for backdoor ports of known rootkits, rogue DNS results, if Avast has a firewall that's enabled, they might even log a port scan coming from the router.

Looking at their website, it doesn't sound like it.

All they seem to tell you to do to "fix it", is reset DNS to ISP provided or set it to Google DNS and turn off DDNS.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

parkdale

  • Reg Member
  • ***
  • Posts: 597
Re: Can Routers Be Infected?
« Reply #11 on: December 25, 2019, 10:20:56 AM »

I used to use Avast in the past but it seems to have become "scareware" now by flagging up problems which require you to buy the most expensive version before it's happy.
 :-X :-X :-X

Uninstall Avast and use https://www.quad9.net by putting 9.9.9.9 as your primary DNS and 149.112.112.112 for secondary in your router, and change your password.
I have read that routers can be infected, but this mainly occurs with ISP supplied devices which all have default passwords etc. https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/
Vodafone FTTC ECI cab 40/10Mb connection / Fritz!box7590

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Can Routers Be Infected?
« Reply #12 on: December 25, 2019, 10:23:00 AM »

> Looking at their website, it doesn't sound like it.
>
> All they seem to tell you to do to "fix it", is reset DNS to ISP provided or set it to Google DNS and turn off DDNS.

Hence the "maybe" :) I doubt a consumer router wouldn't be doing anything like actual proper checks, I would expect it's either false or DNS related as you said.