What's happening to rootkits? Are they still a threat?

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Well, assuming that the rootkit/Trojan ONLY monitors your data stream from point A to B and captures login, credit and such data, your local data will be pretty safe.
But if such malware is monitoring your data streams with the aim to download, install and inject code into, for example, your Windows Update stream (as it can capture and modify/inject code into a secure, legit data stream), you can be infected with other malware.
And due to the fact that such malware uses Windows Update, or even your antivirus update data link, it can penetrate your system beyond the reach of your conventional security options.

So I assume that the reply to your question would be: you might be secure and your data might be clean under the right conditions.
But I honestly cannot judge that, as I do not know what particular infection Umbra is talking about, because there are huge numbers of router injectors and tapping malwares out there, each one with its own abilities and payload/toolset.

That said, generally if it's just packet-sniffing malware you should be fine.

Lately, routers are getting hacked/infected more and more, even ISPs' update servers. :(:mad:
e.g. http://www.theregister.co.uk/2014/08/13/fifteen_zero_days_found_in_hacker_router_romp/
http://www.tripwire.com/register/soho-wireless-router-insecurity/showMeta/2/
http://www.csoonline.com/article/24...sed-en-masse-researchers-say.html#tk.rss_news
http://it-beta.slashdot.org/story/14/03/04/016231/new-attack-hijacks-dns-traffic-from-300000-routers

The infection I talked about was malware (if my memory is good) that penetrated the routers provided by the ISP to relay data from its customers.

How do you protect your (SOHO) router from these attacks? How do you manage to detect changes in your router? Which "unconventional" security option do you suggest to protect against/detect these threats? Which router would you recommend (not SOHO)?
Do OpenWRT, DDWRT and Tomato firmware offer better protection/updates (if well configured)?
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
How do you protect your (SOHO) router from these attacks? How do you manage to detect changes in your router? Which "unconventional" security option do you suggest to protect against/detect these threats? Which router would you recommend (not SOHO)?
Do OpenWRT, DDWRT and Tomato firmware offer better protection/updates (if well configured)?

If well configured, you can actually stop these attacks and avoid data snooping, as mentioned in my own posts and in @Umbra Polaris's replies.
However, it does require a terminal server, a master server and a data verification and encryption server, plus a dedicated closed network that only accesses the outside world through the mentioned servers.
Obviously this costs money, and small to medium companies often lack the funds to have dedicated support like this.
So generally it is unreasonable to even apply such security unless you have dedicated security staff monitoring your servers.
That being said, usually SOHO-type security hardware does the job reasonably well, yet with the increasing malware development and the new options available to those malware creators it becomes painfully clear that companies like Cisco and Palo Alto have a really hard time providing today's security.
So as a rule of thumb you are doing a pretty good job if you apply yesterday's security, and if you are a small company then you should settle for last month's security, as you just do not have the funds and expertise to stay tuned as required.
An attack can only be detected if known, and while next-generation technology is being applied by known companies there is still a black hole between release of malware > detection > reverse engineering > remedy.
And in my experience it takes at least 2 months for the security industry to provide a solid remedy against attack "X", so within those 2 months any dedicated hacker group has a potential window where they can do whatever they feel like, even against state-of-the-art security or a SOHO solution.

On a forensic level PPA (Point to Point Analysis) is a really big step in closing down that window, but it still requires an event, as the technology is an after-the-event "solution", which I have applied in my own software.
I do know that there are some companies working on the same concept and that they are trying to see if they can do something in real time, but during the development of our own PPA solution it has been proven that it might take another year to develop an internet protocol that allows such tight monitoring....
But yeah PPA and other new technologies are a leap forward and are by far superior to any other solution out there, yet it still will not be enough to be on par with malware developments for obvious reasons.

I hope this helps.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
I'm a home user with a home router, concerned with security and nowadays with what is going on with SOHO routers and the related security issues.
It's very important to me to have a (as) safe (as possible) environment (router, network, PCs...).
In another post I asked how to prevent, detect and if possible cure BIOS, MBR and other hard-to-detect infections.
A normal (informed and maybe paranoid) user can do something to prevent, detect and if possible cure this kind of infection.
With routers the situation is dramatically the opposite... the user is almost defenceless...

The user cannot avoid that a hacker infects the update server of an ISP, for example, and so might get an infected firmware update.
He cannot patch/update badly programmed firmware, or block (at least the known) vulnerabilities (only some, best case).
He apparently cannot block attacks on his SOHO router (from WAN and/or LAN... only some, best case).
Router manufacturers are not always "ready" and willing to update the firmware of their SOHO products (http://www.pcworld.com/article/2464...s-reported-during-router-hacking-contest.html).
He cannot install an AV or "router" monitor to protect the router and detect changes....

If you were a home user and wanted to protect your router/network, what would you do?
Change password, disable remote admin and TR-069 (if possible), update firmware (hopefully not already infected on the ISP's server :()...what else can be done or installed?

Do OpenWRT, DDWRT and Tomato firmware offer better protection/updates (if well configured)?
I'm worried about this and would like to do more, if possible....I hate the idea that the DNS server gets changed, my traffic (psw etc) monitored or diverted etc....
 
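One practical answer to "how do you detect changes in your router" is to keep a known-good export of its settings and diff it against a fresh export, flagging exactly the items raised above (DNS servers swapped, remote admin or TR-069 switched on). The script below is an added example, not code from the thread or from any firmware project; it assumes the router can export settings as key=value lines (the style of DD-WRT/Tomato `nvram show` or OpenWrt `uci show`), and the key names, trusted resolver list and sample exports are constructed for illustration.

```python
# Settings whose silent change matches the tampering discussed in the thread
# (DNS swapped, remote admin or TR-069 switched on). Key names are assumed;
# map them to your firmware's real names before use.
WATCHED_KEYS = ("wan_dns", "lan_dns", "remote_management", "tr069_enable")
# Resolvers the owner deliberately configured (constructed allow-list).
TRUSTED_DNS = {"9.9.9.9", "149.112.112.112"}


def parse_dump(text: str) -> dict:
    """Parse key=value lines (nvram show / uci show style) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip("'\"")
    return cfg


def check_drift(baseline: str, current: str) -> dict:
    """Diff a known-good export against a fresh one.
    Reports watched keys whose value changed as (old, new) and any resolver
    now configured that is not on the trusted list."""
    old, new = parse_dump(baseline), parse_dump(current)
    changed = {k: (old.get(k), new.get(k))
               for k in WATCHED_KEYS if old.get(k) != new.get(k)}
    dns_now = set()
    for k in ("wan_dns", "lan_dns"):
        dns_now.update(new.get(k, "").split())
    return {"changed": changed, "untrusted_dns": sorted(dns_now - TRUSTED_DNS)}


# Constructed sample exports: the saved baseline, then a later dump in which
# the secondary resolver was swapped and remote administration enabled.
BASELINE = "wan_dns=9.9.9.9 149.112.112.112\nremote_management=0\ntr069_enable=0\n"
CURRENT = "wan_dns=9.9.9.9 203.0.113.53\nremote_management=1\ntr069_enable=0\n"

if __name__ == "__main__":
    report = check_drift(BASELINE, CURRENT)
    for key, (was, now) in report["changed"].items():
        print(f"CHANGED {key}: {was!r} -> {now!r}")
    for ip in report["untrusted_dns"]:
        print(f"UNTRUSTED DNS resolver: {ip}")
```

Run it from a scheduled job against a freshly pulled export and treat any non-empty report as a reason to re-flash from a vendor image and rotate credentials.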
