Kitz ADSL Broadband Information
Author Topic: Can Routers Be Infected?  (Read 1230 times)

Antonios

  • Just arrived
  • *
  • Posts: 2
Can Routers Be Infected?
« on: December 18, 2019, 09:18:52 AM »

Hello Friends,

Can a router be infected? I am getting a popup from my AV program that my router could be infected. Any idea what might be going on?
Logged

dee.jay

  • Reg Member
  • ***
  • Posts: 468
Re: Can Routers Be Infected?
« Reply #1 on: December 18, 2019, 03:22:44 PM »

A router itself can't be infected.

A router could be open to vulnerabilities, but that is something someone has to openly try and exploit.

In some cases, you get some spam/pop-up scam effort to try and extort money out of you because it will make you believe you have an issue, when in fact, you likely don't. This is commonplace these days to try and extract money out from people who wouldn't know better/have the foresight to ask folks who do know...

However, as this is from an AV - I'd still be suspicious. What AV is it?

Logged
Sky + AAISP FTTC ~ 130/34 combined @ 3dB HG612's
Routed by pfSense on VMware ESX 6.7 on Ryzen 3 3200

ejs

  • Kitizen
  • ****
  • Posts: 2052
Re: Can Routers Be Infected?
« Reply #2 on: December 18, 2019, 07:33:40 PM »

A router can be infected. It's quite possible for someone to get their malicious software into a router and get the router to execute it. I don't think any typical AV program would be able to accurately determine if that had actually happened.
Logged

CarlT

  • Kitizen
  • ****
  • Posts: 1672
  • Next generation network design and deployment
Re: Can Routers Be Infected?
« Reply #3 on: December 18, 2019, 11:25:05 PM »

I wonder if your AV is genuine AV or some fake stuff. Is it trying to sell you something when it claims your router is infected?
Logged
WiFi: Nighthawk® AX12 RAX120 - 5Gb uplink
Routing: pfSense VM - 10Gb in and indeed out
Switching: 2 * Mikrotik CRS305-1G-4S-IN, 10Gb uplinks, various cheap and cheerful
Exchange: Wakefield
ISP: BT Full Fibre 900. Zen Full Fibre 900. Zoom, zoom.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5170
Re: Can Routers Be Infected?
« Reply #4 on: December 19, 2019, 12:44:37 AM »

My own understanding is there’s a middle ground whereby a router’s firmware has not been ‘infected’ in the traditional sense yet a router vulnerability has been exploited that allowed, for example, default DNS settings to be reconfigured with malicious intent.

I would have thought an AV might be able to detect that scenario by testing specific DNS resolutions. For example, if a .gov.uk address resolves to an IP normally associated with the Kremlin, the AV might want to alert the user to the possibility that something unsavoury is afoot.

Quote from: CarlT
I wonder if your AV is genuine AV or some fake stuff. Is it trying to sell you something when it claims your router is infected?

Yes, that too!
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 6295
Re: Can Routers Be Infected?
« Reply #5 on: December 19, 2019, 07:14:55 AM »

A router can be "compromised". Infected would mean a resident rootkit. Since many routers use some form of Linux, and Linux can be rootkit'd, then yes they can be infected.

As long as the router doesn't allow any connections from the WAN then it's very unlikely it can happen, it would have to be done from the LAN side which means they need to compromise your LAN first.
« Last Edit: December 24, 2019, 04:21:48 PM by Chrysalis »
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 8954
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Can Routers Be Infected?
« Reply #6 on: December 19, 2019, 09:11:58 AM »

Best thing to do is delete the AV program, run Trend Micro Housecall or similar tools.
Logged

Antonios

  • Just arrived
  • *
  • Posts: 2
Re: Can Routers Be Infected?
« Reply #7 on: December 24, 2019, 07:20:36 AM »

I also found this post which depicts my scenario. Is this really possible what it says here?
Logged

Alex Atkin UK

  • Kitizen
  • ****
  • Posts: 1528
    • My Broadband History
Re: Can Routers Be Infected?
« Reply #8 on: December 24, 2019, 07:50:37 AM »

I'm curious how Avast are detecting this. I can only imagine they are checking certain DNS results from the router against lookups from a known-good DNS server and doing a comparison. Depending on how clever this is it could easily trip up if your ISP has some form of web filtering via DNS.

While DNS hijacking is serious and something you don't want to happen, I fail to see how something like Avast can reliably detect it.
Logged
Exchange: INTAKE (ECI) ISP/Modems: Zen (Home Hub 5A running OpenWrt) + Plusnet (VMG-3925-B10B) + Three (Huawei B535-232)
Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD
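
The comparison sevenlayermuddle and Alex Atkin UK describe (router DNS answers checked against a known-good resolver), as an added example that is not part of the thread or anything Avast has published. The answer sets are constructed sample data using documentation addresses, and `filter_ips` (the ISP's block-page address) is an assumed input; collecting the live answers from each resolver is left out.

```python
import ipaddress
from collections import Counter

# Ranges a public hostname should never resolve to (RFC 1918 + loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def compare_dns(router, reference, filter_ips=frozenset()):
    """Classify each domain from the router's answers vs. a reference resolver's.

    router / reference: dict of domain -> set of A-record strings.
    filter_ips: block-page addresses the ISP is known to return (assumed known).
    """
    # Count how many domains each router-only address was returned for.
    odd = Counter()
    for domain, answers in router.items():
        for ip in answers - reference.get(domain, set()) - filter_ips:
            odd[ip] += 1
    verdicts = {}
    for domain, answers in router.items():
        ref = reference.get(domain, set())
        extra = answers - ref
        if answers & ref or answers == ref:
            verdicts[domain] = "match"        # overlap, or both empty
        elif extra and extra <= filter_ips:
            verdicts[domain] = "isp-filter"   # the false positive Alex mentions
        elif any(is_internal(ip) or odd[ip] > 1 for ip in extra):
            verdicts[domain] = "suspect"      # internal IP, or one IP for many names
        else:
            verdicts[domain] = "differs"      # could simply be a CDN; not proof
    return verdicts

# Constructed sample answers (not real lookups).
ROUTER = {"bank.example": {"203.0.113.66"}, "mail.example": {"203.0.113.66"},
          "cdn.example": {"198.51.100.20"}, "blocked.example": {"192.0.2.1"},
          "news.example": {"198.51.100.7"}}
REFERENCE = {"bank.example": {"198.51.100.10"}, "mail.example": {"198.51.100.11"},
             "cdn.example": {"198.51.100.99"}, "blocked.example": {"198.51.100.50"},
             "news.example": {"198.51.100.7", "198.51.100.8"}}
ISP_FILTER = frozenset({"192.0.2.1"})

if __name__ == "__main__":
    for name, verdict in compare_dns(ROUTER, REFERENCE, ISP_FILTER).items():
        print(f"{name:16} {verdict}")
```

A "differs" result on its own is weak evidence, since CDNs hand different addresses to different resolvers; the stronger signal is several unrelated names all pointing at one address the reference resolver never returned.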

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 6295
Re: Can Routers Be Infected?
« Reply #9 on: December 24, 2019, 04:23:12 PM »

Either it's some kind of fake warning, or yeah they look for what could be perceived as telltale signs. Maybe they check for backdoor ports of known rootkits, rogue DNS results, if Avast has a firewall that's enabled, they might even log a port scan coming from the router.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

Alex Atkin UK

  • Kitizen
  • ****
  • Posts: 1528
    • My Broadband History
Re: Can Routers Be Infected?
« Reply #10 on: December 25, 2019, 05:09:20 AM »

Quote from: Chrysalis
Either it's some kind of fake warning, or yeah they look for what could be perceived as telltale signs. Maybe they check for backdoor ports of known rootkits, rogue DNS results, if Avast has a firewall that's enabled, they might even log a port scan coming from the router.

Looking at their website, it doesn't sound like it.

All they seem to tell you to do to "fix it", is reset DNS to ISP provided or set it to Google DNS and turn off DDNS.
Logged
Exchange: INTAKE (ECI) ISP/Modems: Zen (Home Hub 5A running OpenWrt) + Plusnet (VMG-3925-B10B) + Three (Huawei B535-232)
Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD

parkdale

  • Reg Member
  • ***
  • Posts: 392
Re: Can Routers Be Infected?
« Reply #11 on: December 25, 2019, 10:20:56 AM »

I used to use Avast in the past but it seems to have become "Scare ware" now by flagging up problems which require you to buy the most expensive version before it's happy.
 :-X :-X :-X

Uninstall Avast and use https://www.quad9.net by putting 9.9.9.9 as your primary DNS and 149.112.112.112 for secondary in your router, and change your password.
I have read that routers can be infected, but this mainly occurs with ISP-supplied devices which all have default passwords etc. https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 6295
Re: Can Routers Be Infected?
« Reply #12 on: December 25, 2019, 10:23:00 AM »

Quote from: Alex Atkin UK
Looking at their website, it doesn't sound like it.

All they seem to tell you to do to "fix it", is reset DNS to ISP provided or set it to Google DNS and turn off DDNS.

Hence the "maybe" :) I doubt a consumer router wouldn't be doing anything like actual proper checks, I would expect it's either false or DNS related as you said.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE