You won't believe THIS virus!!

kgruber

The good thing is the virus that attacked my PCs.....and finally even my new MacBook Pro.....is HISTORY.

It was located in my Qwest wireless modem. Really! I should have caught on sooner because just the other day I could update Malwarebytes using my neighbor's wireless, which I can steal.

But I could NOT with mine. And then, tonight I was on tech support with Qwest and the virus was there in full, so I switched to my neighbors and it went away. The Tech told me to go to Best Buy and buy a new modem. I did, set it up....and now the virus has disappeared.

I had read that a virus could lodge in a modem and had used the reset button repeatedly, but that alone never did stop the continuous page reassign and pop-up ads.

So now, I am going to try and resurrect the three PCs sitting around forlorn. At least my wife and I got new MacBook Pros out of the deal, and a new modem. It was costly, but I have a good home for a couple of them.

BTW, the Apple store gave me a discount because I was an instructor. A flight instructor!!!!
 
Wow, really? Amazing. They used to be really strict about who they'd give the ed discount to.
I think the Ed discounts used to be a lot bigger. My wife works at a university so we qualify but when I was checking out MacBooks I thought it only came to about $100 off of about $2,000. iPads it is nothing or almost nothing.

Joe
 
The ed discount was less than my corporate discount last year when I bought my MacBook.

My corporate discount has two levels to it. One is to use it online at a special link for access to the Apple store and the other is to go into a brick-and-mortar Apple Store and show them proof of employment. The latter usually gets me a few percent more off, plus then I can also get a small discount on some non-Apple products.

Currently the online discount for iPad is 0%. I have not checked the instore discount yet.
 
Hmm.. That seems odd to me. Perhaps your old modem was forwarding some incoming requests directly to your computer whereas your new modem has some kind of firewall?

I really doubt just changing modems would instantly remove the virus from your computer, embedded in the modem, or not. Do you have any evidence it was embedded in the modem? Is it common for that model? What does the manufacturer say? I'd be wanting them to fix it if it were the case.
 
I agree. Did a virus make it to your computer, or was it in the modem?

I can see somehow remotely setting a redirect in a modem could give you the symptoms you describe.

This is the "feature" of a router that you see in hotels where every web address goes to the sign in until you put in the right code or "agree" to the terms and conditions.

If that were set to a website that was nothing but ads and viruses, it would behave like this.

Joe
 
Hmm.. That seems odd to me. Perhaps your old modem was forwarding some incoming requests directly to your computer whereas your new modem has some kind of firewall?

I really doubt just changing modems would instantly remove the virus from your computer, embedded in the modem, or not. Do you have any evidence it was embedded in the modem? Is it common for that model? What does the manufacturer say? I'd be wanting them to fix it if it were the case.

Entirely possible.

My USB EvDO modem has the ability to update firmware. It also has the ability to use on-board storage (even will accept a microSD). Firmware is an update loaded from the driver package - and it also stores a copy of the driver package on the modem (which can be loaded to your laptop).

I suspect the same is true for other variants, including the MiFi equipment. Yes, it's more difficult than loading something onto your computer, but it's certainly feasible.
 
Oh I agree it's possible. I just doubt it's that likely. It'd be a difficult market to target with so many different models all on varying firmware.

Is there a documented "cable modem" virus that is widespread?
 
You don't necessarily need to target all the different models, it becomes a lot simpler to target the ones sold by a particular provider... and some modems - like the ones on FiOS are remotely managed by VZ or have "auto-firmware-updates", meaning that a virus could, in theory, replicate & spread on the WAN side of the network, outside the firewall.

There is at least one virus that was in the wild on Motorola-based cable modems. I see no reason that it can't occur with others.... especially if remote management is turned on or access to the admin functions is possible from the WAN side. (this is part of the reason I stay off of FiOS, by the way, because of the remote management function).

I agree that it would require significant effort, but it certainly is possible. And few, if any, cable/DSL WAN systems have anything to stop a virus that's running around on the "last mile" side of the larger firewall.


See this: http://www.dronebl.org/blog/8
 
The worm described in that link would not produce the results he said he encountered. I can't find a documented one that does.

I agree it's possible - just not that likely based on the problems he described. Seemed like purchasing a new modem was a WAG. No evidence of a particular virus on the modem.
 
Yep, could well be a misconfiguration - and curable by a factory reset. But still cheaper than paying someone to troubleshoot.
 
We were talking about this a little last night. I agree that it's possible, via several avenues, but somewhat unlikely. It's certainly not something I've come across.

But I do see where it's possible. Most modems and routers have some sort of remote administration capabilities, and many have at least some configurability on the LAN side, as well. The default passwords, in the latter case, are well-publicized and seldom changed by users. So I can understand how (as one example) a virus on one machine on the LAN could conceivably sniff out the modem model, determine that it's "infectable," log in as an administrator, and plant a redirect.

But it's certainly not something I've ever come across.

-Rich
 
Yep, could well be a misconfiguration - and curable by a factory reset. But still cheaper than paying someone to troubleshoot.
Just because a new modem might have cut off the path - doesn't mean that the threat isn't still living inside his network or on his pc. Perhaps that is an acceptable risk for him.
 
True. Depends on the infection vector.
 
None of which is known by just replacing the modem and moving on with life. It's by far more likely that the virus had nothing to do with the modem and the new modem simply has a firewall blocking some requests. If it were in fact a virus in the modem then replacing it may make the most sense. But without any direct evidence of that being the case it's a risky assumption to make.
 
You don't necessarily need to target all the different models, it becomes a lot simpler to target the ones sold by a particular provider... and some modems - like the ones on FiOS are remotely managed by VZ or have "auto-firmware-updates", meaning that a virus could, in theory, replicate & spread on the WAN side of the network, outside the firewall.

There is at least one virus that was in the wild on Motorola-based cable modems. I see no reason that it can't occur with others.... especially if remote management is turned on or access to the admin functions is possible from the WAN side. (this is part of the reason I stay off of FiOS, by the way, because of the remote management function).

I agree that it would require significant effort, but it certainly is possible. And few, if any, cable/DSL WAN systems have anything to stop a virus that's running around on the "last mile" side of the larger firewall.


See this: http://www.dronebl.org/blog/8

Fascinating Bill.

I guess this hacking method wasn't too useful before, since most home routers were dumber and more ASIC-based. Now thanks to proliferation of features, home gateways now have plenty of Wheaties (i.e. processing power of a general purpose CPU) and are running embedded Linux. Why not hijack them for nefarious purposes?

People reflash their routers all the time. See DD-WRT.

Problem or not, Karl switched over to Macs, and that's what's really important here. :D:cheerswine:
 
Entirely possible.

My USB EvDO modem has the ability to update firmware. It also has the ability to use on-board storage (even will accept a microSD). Firmware is an update loaded from the driver package - and it also stores a copy of the driver package on the modem (which can be loaded to your laptop).

I suspect the same is true for other variants, including the MiFi equipment. Yes, it's more difficult than loading something onto your computer, but it's certainly feasible.

AFAIK, virtually all the cable modems (and probably all the DSL interfaces) provide a means for the head end to upload new firmware, and most can be remotely configured by the system operator as well. Hacking into the necessary protocol should be fairly simple for someone on the same cable network if they had access to the security key(s), which could probably be had by "social engineering".

But going from there to being able to infect a connected PC seems like a pretty big leap. That would require substituting the hacker's modified file for an executable you downloaded. I could see some potential to do this for an automated update of something that wasn't protected by another security layer. If successfully implemented this would be another form of a "man in the middle" attack.
 
I agree it's possible - just not that likely based on the problems he described. Seemed like purchasing a new modem was a WAG. No evidence of a particular virus on the modem.

Certainly there was. If you read my first post it details the evidence. The fact that a brand new Apple MacBook showed the virus when on my network and not on my neighbor's is damning.

There certainly was no WAG.
 
Fascinating Bill.

Problem or not, Karl switched over to Macs, and that's what's really important here. :D:cheerswine:

The Mac showed the same signs of the virus. That got me thinking and finally calling Qwest tech support.

Once the modem was replaced all the signs of the virus disappeared in both the PCs and Mac.

It did get me going on the MacBook Pro however, and I am liking it more and more. It sure has a quality build to it, and I like the lighted keyboard, although there are PCs with that feature.....just not my low end pile.
 
Certainly there was. If you read my first post it details the evidence. The fact that a brand new Apple MacBook showed the virus when on my network and not on my neighbor's is damning.

There certainly was no WAG.
What "virus" was this that the systems showed? Until one confirms the actual firmware on the cable modem has been infiltrated, it's a reach to claim that it was the problem. Considering that there are very, very few documented cases of it happening widespread.
 
Certainly there was. If you read my first post it details the evidence. The fact that a brand new Apple MacBook showed the virus when on my network and not on my neighbor's is damning.

There certainly was no WAG.

What were the symptoms? If they were along the lines of pop-ups, redirects, pages opening in some unrequested site's frame, or other symptoms commonly associated with browser hijackers, I'd be more inclined to believe it.

Otherwise, I'm not saying it's impossible, but I still find it unlikely.

-Rich
 
What "virus" was this that the systems showed? Until one confirms the actual firmware on the cable modem has been infiltrated, it's a reach to claim that it was the problem. Considering that there are very, very few documented cases of it happening widespread.

What were the symptoms? If they were along the lines of pop-ups, redirects, pages opening in some unrequested site's frame, or other symptoms commonly associated with browser hijackers, I'd be more inclined to believe it.

Otherwise, I'm not saying it's impossible, but I still find it unlikely.

-Rich

Ya think? A DNS server redirect?
 
I think it would be interesting to see a dump of the settings on that device.

Also how secure was the password and was remote management enabled?

Joe
 
Ya think? A DNS server redirect?

Probably. That would be the easiest, although some modems might provide other possibilities, especially if the modem also has firewall / routing capabilities.

-Rich
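 

The mechanism Joe and Rich describe (a redirect planted in the gateway, most simply by pointing its DNS forwarding at a rogue resolver) can be checked from any machine on the suspect network without opening the modem. The script below is an added example and is not from any poster in this thread or from Qwest. It assumes nothing about the modem model: it resolves the same names through the gateway's resolver and through a resolver you trust, and reports names whose answers disagree, treating one address shared by several unrelated names as the sink every page is being sent to. The hostnames, addresses and the embedded wire-format response are constructed for illustration, using documentation address ranges.

```python
"""Added example: detect a DNS-level redirect at a home gateway.

Resolve the same names through the gateway's resolver and through a resolver
you trust, flag names whose answers disagree, and report an address shared by
several unrelated mismatched names as the sink every page is being sent to.
Standard library only; the DNS query is built by hand.
"""
import ipaddress
import socket
import struct
import sys
from collections import Counter


def _encode_name(name: str) -> bytes:
    """Hostname to DNS wire format (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.strip(".").split(".")) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Recursive A-record query: header (RD set, one question) + question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", 1, 1)  # A, IN


def _skip_name(buf: bytes, off: int) -> int:
    """Offset just past a possibly compressed name starting at `off`."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes) -> set:
    """IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            ips.add(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return ips


def query_a(name: str, server: str, timeout: float = 2.0) -> set:
    """One UDP query to `server`; returns the addresses it answers with."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def find_redirect(local: dict, reference: dict, min_names: int = 3) -> dict:
    """Compare gateway answers with trusted answers (hostname -> set of IPv4).

    A name is mismatched when its two answer sets share nothing; an address
    present in the mismatched answers of >= `min_names` names is the sink.
    """
    mismatched = {n: local[n] for n in local
                  if n in reference and not (local[n] & reference[n])}
    hits = Counter(ip for ips in mismatched.values() for ip in ips)
    sink = next((ip for ip, c in hits.most_common(1) if c >= min_names), None)
    return {"mismatched": sorted(mismatched), "sink": sink}


# Constructed sample data (documentation address ranges, not real sites).
REFERENCE_ANSWERS = {
    "bank.example": {"198.51.100.10"}, "news.example": {"198.51.100.20"},
    "mail.example": {"198.51.100.30"}, "cdn.example": {"198.51.100.40"},
}
# A hijacked gateway sends three unrelated names to one landing host.
HIJACKED_ANSWERS = {
    "bank.example": {"203.0.113.7"}, "news.example": {"203.0.113.7"},
    "mail.example": {"203.0.113.7"}, "cdn.example": {"198.51.100.40"},
}
# Constructed wire-format response for bank.example: header, echoed question,
# one A record whose owner name is a pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + _encode_name("bank.example") + struct.pack(">HH", 1, 1)
    + b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 7])
)

if __name__ == "__main__":  # usage: dnscheck.py <gateway> <trusted> name...
    if len(sys.argv) >= 4:
        local = {n: query_a(n, sys.argv[1]) for n in sys.argv[3:]}
        ref = {n: query_a(n, sys.argv[2]) for n in sys.argv[3:]}
    else:                   # offline demo on the sample data
        local, ref = HIJACKED_ANSWERS, REFERENCE_ANSWERS
    print(find_redirect(local, ref))
```

The gateway resolver is normally the modem's LAN address that DHCP hands out; the trusted one is any public resolver you pick. Karl's test (the same new laptop on his network and then on the neighbor's) is the manual form of the same comparison. Two caveats: a redirect done the way hotel captive portals do it, by intercepting HTTP rather than DNS, would not show up here and needs the HTTP responses compared instead; and a clean result only says the path is clean now, not that nothing on a LAN machine put the setting there in the first place.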
 
What were the symptoms? If they were along the lines of pop-ups, redirects, pages opening in some unrequested site's frame, or other symptoms commonly associated with browser hijackers, I'd be more inclined to believe it.
-Rich
That was exactly what was happening, even to the Mac, straight out of the box.

I think it would be interesting to see a dump of the settings on that device.

Also how secure was the password and was remote management enabled?
Joe

I didn't set up a password, and don't know anything about remote management. I have a good password now and should get with Qwest Tech to disable remote management on my new box. Thx.
 