Wireless Trojan
Posted on June 11, 2008
A new Trojan horse posing as a video codec required to view content on some Web sites tries to change settings on the user’s router so that all of their Internet traffic goes through servers controlled by the attackers.
Recent versions of the “Zlob” Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired router. It then tries to guess the password needed to gain administrator access to the router by consulting its own list of default router username/password combinations. If successful, it then changes the DNS records so that all future traffic passes through the attacker’s network first.
While researchers have long warned that threats against hardware routers could one day be incorporated into malware, this appears to be the first time this behavior has been spotted in malware released into the wild.
The type of functionality in this version of the Trojan is concerning for several reasons. First, Zlob is among the most common types of Trojan downloaded onto Windows computers. According to Microsoft, the company’s malicious software removal tool zapped some 14.3 million instances of Zlob-related malware from customer machines in the second half of 2007.
Perhaps the most important reason this Trojan is scary is that a Windows user with an infected machine may succeed in cleaning the malware, but still leave the network compromised. Few regular PC users (or even techs) think to look at the router settings, provided the customer’s Internet connection is working fine.
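An added example, not part of the original post: a host-side check for the leftover problem described above. It parses English-language `ipconfig /all` output and flags DNS servers outside an expected set. The sample output, its addresses and the `EXPECTED` allowlist are constructed assumptions.

```python
import ipaddress

# Constructed sample of English-language `ipconfig /all` output.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumption: the resolvers this network is meant to use (router, ISP range).
EXPECTED = [ipaddress.ip_network(n) for n in ("192.168.1.1/32", "198.51.100.0/24")]


def _as_ip(text):
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])  # drop IPv6 zone
    except ValueError:
        return None


def dns_servers(ipconfig_text):
    """Every DNS server listed, including the unlabelled continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        head, sep, value = line.partition(" : ")
        if sep:  # labelled line: opens or closes a "DNS Servers" block
            in_dns = head.strip().startswith("DNS Servers")
        ip = _as_ip(value if sep else line) if in_dns else None
        if ip is not None:
            servers.append(ip)
        elif not sep:  # blank line or adapter header ends the block
            in_dns = False
    return servers


def unexpected_resolvers(ipconfig_text, expected=EXPECTED):
    """DNS servers that fall outside every expected network."""
    return [ip for ip in dns_servers(ipconfig_text)
            if not any(ip in net for net in expected)]


if __name__ == "__main__":
    for ip in unexpected_resolvers(SAMPLE_IPCONFIG):
        print(f"DNS server outside the expected set: {ip}")
```

If the router hands out its own address and forwards queries upstream, a changed setting is visible only on the router's configuration page, so that page still needs checking directly.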