- Sep 12, 2015
Hi,
I found this website while looking for information about malware, due to being blacklisted by the CBL (abuseat.org), which keeps track of IP addresses used by malicious spamming bots. I was first told that I might have an infected machine behind my router, but after analysis with every tool imaginable I found no sign of infection by anything other than PUP programs. I was puzzled, and began to wonder if it was the router itself that was infected. Sure enough, the brand I used (past tense), unbeknownst to me, had a serious security flaw that allowed it to be compromised---despite having a super-strength password---through turning on its remote management. I had never heard of this flaw, though it happened in February of 2014, and when I turned on remote management, the router was compromised.
I would advise taking router security very seriously. DO NOT leave your router's main password set to "admin." Consider not using remote management, as it immediately opens you up to probing. And, especially DON'T combine the "admin" password with remote management unless you want to ask for trouble.
People should definitely read what the CBL has to say about infections coming from behind NATs (a fancy name for router), which are often exceedingly hard to find. Most of these spam BOTs, they say, open their own port 25 (or other port) SMTP sending connection directly from a victim's infected computer to the email recipient's SMTP server (mail server). This bypasses using someone else's regular SMTP server, which could leave a log. Anyone who knows a bit about how the internet works knows that machines speak with IP and MAC addresses, so in order to contact the recipient's SMTP server, it must first do a DNS lookup to find the address of the mail server, by looking up its "MX" record.
The CBL suggested using a program called tcpview that monitors all TCP/IP activity, on all ports, showing initiating, active and dying TCP/IP connections, because with the exception of a couple of malware, the program will "light up like a Christmas tree" on a spam-bot-infected computer. Any machine that doesn't have an installed SMTP server but is actively sending or listening on port 25, or on non-standard ports above 1024, should be considered suspicious. So should client computers initiating gazillions of "MX" record DNS lookups.
Here's another thing I recently learned. Microsoft Windows XP is no longer supported, and therefore MS is no longer applying security patches. "No problem. I'm not stupid. I don't run Windows XP." Are you SURE? Everybody and his brother is installing supposedly "smart" thermostats, door locks, garage door openers, etc. in their homes, and connecting them up to their private wi-fi networks. Well, GUESS WHAT operating system most of these products use? Yeah, a pared-down version of XP, for which there are no longer any security patches coming out, and no way (that I know of) to run anti-malware checks. My advice is not to allow one of these products onto the same network as your computers. Consider adding a Bitdefender Box to isolate the "things," as they are a security risk. (Do you REALLY want thieves knowing what times your thermostat is set for "away" and when your garage door opens and closes?) The AES encryption advertised on these devices can give a false sense of security; if there is a gaping security hole, passwords can be bypassed.
So, anyway, thought I'd pass this information along...
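The two tells the post describes (a host that is not a mail server opening its own SMTP connections, and a host firing off many MX lookups) can be turned into a simple check over connection listings and a resolver query log. This is added example code, not from the post or the CBL; the log lines are constructed to resemble netstat/tcpview-style output, and the SMTP port set, the mail-server allowlist and the MX threshold are assumptions you would tune for your own network.

```python
# Spam-bot tells behind a NAT: direct outbound SMTP from a non-mail host, and
# bursts of MX lookups. Sample logs below are constructed, not real captures.
from collections import Counter

# Constructed sample: "proto local_ip:port remote_ip:port state"
CONN_LOG = """\
TCP 192.168.1.20:51022 203.0.113.25:25 ESTABLISHED
TCP 192.168.1.20:51023 198.51.100.7:25 SYN_SENT
TCP 192.168.1.20:51024 203.0.113.9:2525 ESTABLISHED
TCP 192.168.1.31:49300 192.0.2.10:443 ESTABLISHED
TCP 192.168.1.5:40001 203.0.113.25:25 ESTABLISHED
"""
# Constructed sample: "client_ip qtype qname"
DNS_LOG = """\
192.168.1.20 MX example.com
192.168.1.20 MX example.net
192.168.1.20 MX example.org
192.168.1.20 A www.example.com
192.168.1.31 A www.example.com
192.168.1.5 MX example.com
"""
SMTP_PORTS = {25, 465, 587, 2525}  # assumption: remote ports treated as mail delivery/submission
MAIL_SERVERS = {"192.168.1.5"}     # assumption: the only host allowed to send mail directly
MX_THRESHOLD = 3                   # assumption: MX lookups per host that count as a burst

def outbound_smtp(conn_log, mail_servers=MAIL_SERVERS):
    """Map non-mail-server hosts to the remote SMTP ports they connected to."""
    hits = {}
    for line in conn_log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        local_ip = parts[1].rsplit(":", 1)[0]
        rport = int(parts[2].rsplit(":", 1)[1])
        if rport in SMTP_PORTS and local_ip not in mail_servers:
            hits.setdefault(local_ip, set()).add(rport)
    return hits

def mx_bursts(dns_log, threshold=MX_THRESHOLD):
    """Map hosts to their MX query count when it reaches the threshold."""
    counts = Counter(l.split()[0] for l in dns_log.splitlines() if l.split()[1:2] == ["MX"])
    return {h: n for h, n in counts.items() if n >= threshold}

def suspects(conn_log, dns_log):
    """Hosts flagged by either heuristic, each with its reasons in order."""
    report = {}
    for h, ports in outbound_smtp(conn_log).items():
        report.setdefault(h, []).append(f"direct SMTP to ports {sorted(ports)}")
    for h, n in mx_bursts(dns_log).items():
        report.setdefault(h, []).append(f"{n} MX lookups")
    return report
```

The allowed mail server (192.168.1.5) talks to port 25 and issues an MX lookup without being flagged; the workstation 192.168.1.20 is flagged on both counts.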