Bootkits, Cmos, MBR and Router: how to detect changes and repair them?

Cch123

Level 7
Verified
May 6, 2014
335
MBR rootkits are easy to repair. However, when it comes to BIOS malware and other hardware-based malware, Umbra is right to say that it is near impossible to remove such malware.

In fact, if you are targeted by such an advanced threat, the recommended course of action would be to destroy the infected machine. That is because if the malware has taken control of the BIOS, it will be started whenever you boot up the computer, hence even if you use live CDs etc. to reflash your BIOS, the malware can simply trick you into thinking that the BIOS has been flashed while it is not. The way to go would be to remove the BIOS chip from your computer, flash it with another clean PC, and load it back into the computer. However, this is not possible most of the time as the BIOS chip is usually soldered in.
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
I was right to worry about routers too...
http://www.theregister.co.uk/2014/08/13/fifteen_zero_days_found_in_hacker_router_romp/
http://www.tripwire.com/register/soho-wireless-router-insecurity/showMeta/2/
http://www.csoonline.com/article/24...sed-en-masse-researchers-say.html#tk.rss_news
http://it-beta.slashdot.org/story/14/03/04/016231/new-attack-hijacks-dns-traffic-from-300000-routers

The problem is how to really protect the routers ...:(
Change passwords, disable remote admin, disable (if the option is available) TR-069, update firmware...what else can be done?
Adding another router behind the first one to protect the home network only solves a few weaknesses...
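The checklist above (passwords, remote admin, TR-069, firmware) is a one-time hardening step; the thread's title asks how to detect changes afterwards. The script below is an added example, not code from this thread: it compares a router's exported settings against a baseline export saved after hardening, reports what drifted, and flags the settings that should be off. The key=value export format, the setting names and both sample exports are constructed for the example; a real router's export format differs and parse_export() would need adapting to it.

```python
"""Router configuration drift check.

Added example, not code from the forum thread. It assumes the router can
export its settings as plain key=value lines; the setting names and both
sample exports below are constructed for the example, so a real router's
export format will differ and parse_export() would need adapting.
"""

import hashlib
from typing import Dict, List, Tuple

# Constructed export taken right after hardening the router (the baseline).
BASELINE_EXPORT = """\
firmware_version=1.4.2
admin_password_hash=PLACEHOLDER_BASELINE_HASH
remote_admin=off
tr069_client=off
upnp=off
wan_dns_1=192.0.2.53
wan_dns_2=192.0.2.54
lan_subnet=192.168.1.0/24
"""

# Constructed export taken later: DNS servers and remote admin have changed.
CURRENT_EXPORT = """\
firmware_version=1.4.2
admin_password_hash=PLACEHOLDER_BASELINE_HASH
remote_admin=on
tr069_client=off
upnp=off
wan_dns_1=198.51.100.9
wan_dns_2=198.51.100.10
lan_subnet=192.168.1.0/24
"""

# Settings that should stay "off" on a home router unless deliberately needed
# (the thread's checklist: remote admin, TR-069, plus UPnP from the scan links).
SHOULD_BE_OFF = ("remote_admin", "tr069_client", "upnp")


def parse_export(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def export_fingerprint(text: str) -> str:
    """SHA-256 of the normalised export, for a quick 'did anything change?' test."""
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(parse_export(text).items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_config(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (key, baseline_value, current_value) for every key that differs."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, "<absent>"), current.get(key, "<absent>")
        if old != new:
            changes.append((key, old, new))
    return changes


def weak_settings(cfg: Dict[str, str]) -> List[str]:
    """Settings that are risky regardless of drift."""
    findings = []
    for key in SHOULD_BE_OFF:
        if cfg.get(key, "off").lower() != "off":
            findings.append(f"{key} is {cfg[key]}; expected off")
    return findings


def audit(baseline_text: str, current_text: str) -> Dict[str, object]:
    """Combine the fingerprint test, the drift list and the weak-setting list."""
    baseline, current = parse_export(baseline_text), parse_export(current_text)
    return {
        "changed": export_fingerprint(baseline_text) != export_fingerprint(current_text),
        "drift": diff_config(baseline, current),
        "weak": weak_settings(current),
    }


if __name__ == "__main__":
    report = audit(BASELINE_EXPORT, CURRENT_EXPORT)
    print("config changed:", report["changed"])
    for key, old, new in report["drift"]:
        print(f"  {key}: {old} -> {new}")
    for finding in report["weak"]:
        print("  weak:", finding)
```

Keep the baseline export on a machine other than the router: as Cch123's BIOS point applies to routers as well, a compromised device can report settings that do not match what it actually runs, so a clean copy taken before the compromise is the only trustworthy reference, and changed DNS servers or newly enabled remote admin are exactly the drift to look for.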
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
How do you protect your router? Do you use one or two? Is it a SOHO one?
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Looking for ways to protect the router from intrusions exploiting vulnerabilities, I found these interesting sites:
http://www.tomsguide.com/us/home-router-security,news-19245.html
http://www.tripwire.com/state-of-se...ilities-leave-enterprise-networks-vulnerable/
These tips will make an attack harder, unfortunately not impossible.....:(:mad:

To test the router for some known vulnerabilities:
https://www.grc.com/shieldsup
http://upnp-check.rapid7.com/scan

I hope this helps other users concerned with their router /network security.;)
If you have additional ideas, please leave a message!;)
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
What about adding a second router behind the "main" router to protect the network, as suggested on some sites?
How much safer is the network if the "main" router gets hacked and controlled by a hacker? The traffic will/might be monitored/diverted anyway, correct? The DNS server might be changed anyway on the main router; what about the router attached to the main router? Can this get hacked through the main router? Is this as "easy"/feasible as without the main router or "a little bit" harder? :confused:
 

MrBrian

New Member
May 25, 2014
14
> What about adding a second router behind the "main" router to protect the network, as suggested on some sites?
> How much safer is the network if the "main" router gets hacked and controlled by a hacker? The traffic will/might be monitored/diverted anyway, correct? The DNS server might be changed anyway on the main router; what about the router attached to the main router? Can this get hacked through the main router? Is this as "easy"/feasible as without the main router or "a little bit" harder? :confused:

Have you seen this - https://www.grc.com/nat/nat.htm ?
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
I didn't, thank you;)....but what's described there is an ideal "world/network" where the router wasn't hacked. :(
I'm concerned about the router security and how to defend it or what's behind it.
So if the "external" router gets infected/hacked and is under the control of a hacker, how well can a second (internal) router defend the PCs behind it?
How easily can the internal router be hacked if the external one already was and is under the control of others? Imagine you use 2 identical routers, same type, same firmware etc...or an older one with vulnerabilities (that cannot be patched/blocked).
The external router "sees" the internal one, and so a hacker should be able to get access to the internal router (and then to the network/PCs behind it) if this is vulnerable too, correct?
2- if the external one got hacked and e.g. the DNS server was modified, all traffic is redirected and monitored anyway; the second router won't protect from this, or?:mad:
3- theoretically (still in paranoid mode;)) the attack/hack could start from "inside the LAN", from the PC behind the internal router, and "expand" to the external router, or (e.g. started by a malware double-clicked by the user)? This is possible, or?
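Point 2 above is the one a second router cannot fix: if the outer router's DNS setting was changed, every host behind both routers still resolves names through the attacker's server. What a host can do is notice it. The script below is an added example, not code from this thread: it resolves a few names through whatever resolver the router handed out and compares the answers with those from a trusted reference resolver, flagging names that resolve to unexpected addresses and, as a canary, a name that must not exist but suddenly does. The domain names and both answer tables are constructed; the resolver functions are injected so the check runs offline, and system_resolver() is the only part that would touch the network. It goes slightly beyond the thread by also catching the case where the router simply stops resolving a name.

```python
"""Detect a changed DNS path by comparing the answers the router's resolver
gives with those of a trusted reference resolver.

Added example, not code from the thread. The domain names and the two answer
tables below are constructed; resolver functions are injected so the check
can run offline, and system_resolver() is the only part that touches the
network.
"""

import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# A resolver maps a name to its set of IPv4 addresses; empty = NXDOMAIN/failed.
Resolver = Callable[[str], Set[str]]

# Constructed answers standing in for a trusted, independently reached resolver.
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
    "mail.example": {"203.0.113.25"},
    # A name that must not exist: a resolver that answers it is rewriting replies.
    "does-not-exist-canary.example": set(),
}

# Constructed answers as seen through a router whose DNS setting was changed.
HIJACKED_ROUTER_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"198.51.100.7"},
    "mail.example": {"203.0.113.25"},
    "does-not-exist-canary.example": {"198.51.100.7"},
}


def table_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Build an offline resolver from a constructed answer table."""
    return lambda name: set(table.get(name, set()))


def system_resolver(name: str) -> Set[str]:
    """Resolve through whatever DNS the router handed out by DHCP (network)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def check_dns_path(
    names: Iterable[str], via_router: Resolver, reference: Resolver
) -> List[Tuple[str, str, str]]:
    """Return (name, finding, detail) for every name whose answers disagree."""
    findings = []
    for name in names:
        got, expected = via_router(name), reference(name)
        if not expected and got:
            # Reference says NXDOMAIN but the router's DNS returned an address.
            findings.append((name, "nxdomain-rewritten", ", ".join(sorted(got))))
        elif expected and not got:
            findings.append((name, "resolution-blocked", "no answer via router"))
        elif not got <= expected:
            # Router's DNS returned addresses the reference never gave.
            findings.append((name, "unexpected-address", ", ".join(sorted(got - expected))))
    return findings


if __name__ == "__main__":
    # Offline demonstration with the constructed tables; swap
    # table_resolver(HIJACKED_ROUTER_ANSWERS) for system_resolver on a real host.
    hits = check_dns_path(
        REFERENCE_ANSWERS,
        table_resolver(HIJACKED_ROUTER_ANSWERS),
        table_resolver(REFERENCE_ANSWERS),
    )
    for name, finding, detail in hits:
        print(f"{name}: {finding} ({detail})")
```

Two caveats for real use: pick names whose addresses do not legitimately vary by resolver (your own domains, not CDN-fronted ones), and obtain the reference answers over a path the router cannot rewrite, for example an encrypted resolver or a connection that bypasses the router entirely, otherwise both sides of the comparison come from the same attacker.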
 

MrBrian

New Member
May 25, 2014
14
> Why did the moderator of wilders ask you to stop posting? :-(

The moderator there apparently didn't like that I posted links in that thread to other Wilders threads that I had created. (I did it for cross-reference purposes.) There was also more material that I was going to post in that thread, but....
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Can you post them here? I think it would be extremely interesting and helpful. ...I think few know about it and the problem is underestimated...thanks
 

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Thank you anyway... if you get something new, please remember to post it here! :)
 
