Upon opening my web browser about a month ago, I came across what looked like this when trying to access certain sites.
First, a message stating "WARNING! Your Flash Player may be out of date."
And then a fake Flash upgrade webpage.
I immediately did an nslookup on the domains that were showing me this webpage, and saw that they were all pointed at one IP address. nslookup was also reporting my DNS server as 126.96.36.199. I confirmed in my system preferences that this was my configured DNS server from my router's DHCP lease.
I set my DNS server to Google's 188.8.131.52 and did a dscacheutil -flushcache. After refreshing the browser, everything was working normally again.
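The two symptoms described above (many unrelated domains all resolving to a single address, and a resolver you never configured appearing in nslookup output) can be checked mechanically. The script below is an added example, not code from the original post; it parses constructed nslookup transcripts and flags both conditions. The resolver and answer addresses are documentation-range placeholders, and the TRUSTED_RESOLVERS set is an assumption you would replace with the resolvers your ISP or DHCP lease should actually hand out.

```python
import re
from collections import defaultdict

# Assumption: the resolvers you expect to see in your DHCP lease.
# Anything else showing up as "Server:" in nslookup output is a finding.
TRUSTED_RESOLVERS = {"192.0.2.53", "8.8.8.8", "8.8.4.4"}

# Constructed nslookup transcripts for four unrelated sites, in the shape
# macOS/BIND nslookup prints them. Three names collapse onto one address
# (the sinkhole symptom); the fourth is a normal answer.
SAMPLE_LOOKUPS = [
    "Server:\t\t203.0.113.9\nAddress:\t203.0.113.9#53\n\n"
    "Non-authoritative answer:\nName:\tnews.example.com\nAddress: 198.51.100.77\n",
    "Server:\t\t203.0.113.9\nAddress:\t203.0.113.9#53\n\n"
    "Non-authoritative answer:\nName:\tbank.example.net\nAddress: 198.51.100.77\n",
    "Server:\t\t203.0.113.9\nAddress:\t203.0.113.9#53\n\n"
    "Non-authoritative answer:\nName:\tshop.example.org\nAddress: 198.51.100.77\n",
    "Server:\t\t203.0.113.9\nAddress:\t203.0.113.9#53\n\n"
    "Non-authoritative answer:\nName:\tcdn.example.com\nAddress: 198.51.100.12\n",
]

SERVER_RE = re.compile(r"^Server:\s+(\S+)", re.M)
NAME_RE = re.compile(r"^Name:\s+(\S+)", re.M)
# Answer lines carry a bare IPv4 address; the resolver's own "Address:" line
# ends in "#53", so the anchored pattern skips it.
ANSWER_RE = re.compile(r"^Address:\s+(\d+\.\d+\.\d+\.\d+)$", re.M)


def parse_nslookup(text):
    """Return (resolver, queried name, [answer IPs]) from one nslookup transcript."""
    server = SERVER_RE.search(text)
    name = NAME_RE.search(text)
    return (
        server.group(1) if server else None,
        name.group(1) if name else None,
        ANSWER_RE.findall(text),
    )


def find_hijack_indicators(transcripts, trusted_resolvers, min_collapsed=3):
    """Flag untrusted resolvers and addresses that many unrelated names share."""
    findings = []
    resolvers_seen = set()
    names_by_ip = defaultdict(set)

    for transcript in transcripts:
        resolver, name, answers = parse_nslookup(transcript)
        if resolver:
            resolvers_seen.add(resolver)
        for ip in answers:
            names_by_ip[ip].add(name)

    for resolver in sorted(resolvers_seen):
        if resolver not in trusted_resolvers:
            findings.append(f"untrusted resolver in use: {resolver}")

    for ip, names in sorted(names_by_ip.items()):
        if len(names) >= min_collapsed:
            findings.append(
                f"{len(names)} unrelated names resolve to {ip}: {', '.join(sorted(names))}"
            )
    return findings


if __name__ == "__main__":
    for finding in find_hijack_indicators(SAMPLE_LOOKUPS, TRUSTED_RESOLVERS):
        print("FINDING:", finding)
```

In practice you would feed it real transcripts (`nslookup <name>` for a handful of sites you know are unrelated) and keep TRUSTED_RESOLVERS in sync with what your router is supposed to advertise; a resolver outside that set after a DHCP renewal is exactly the symptom the post describes.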
Next, I logged into my router's and DSL modem's admin panels and saw that they both had the DNS server set to 184.108.40.206. My DSL modem is a BEC Technologies ADSL Modem/Router that my local ISP gives to me. The DSL modem allowed me to change the DNS server, so I did, making it 220.127.116.11, and I also changed my admin password.
Since my DSL modem was handing out this rogue DNS server as part of its DHCP leases, I figured that this was either my DSL modem being compromised or an upstream router at my ISP being compromised. I investigated the problem a bit and couldn't really find out too much about it. Nor could I find any firmware for my DSL modem. So I decided to give my ISP a call.
They assured me that I had a virus called "Update your Flash Player Virus" on my computer, that they had other customers complaining about it, and that they weren't sure yet what the cause was or how to fix it. I could find no information about this virus attacking Mac computers (there are no physical PCs on my network) or about this desktop/laptop virus changing DNS on a modem/router.
Another week went by without incident, and then the same problem started happening. Same symptoms, but this time the rogue DNS server was 18.104.22.168. This time that IP address came up in a Google search and eventually led me to this article describing the "Zynos Rom-0" attack and how to prevent it.
It turns out that my BEC Technologies router was running Zynos firmware, and that its internal configuration state was accessible without an admin password. I verified this from outside of my network.
$ wget http://[my ip address]/rom-0
This downloads a file called rom-0, which contains the router's configuration, including the admin password. The file is LZS compressed and can be decompressed with this tool. It seems that someone, or some automated script, logged into my router and manually updated the DNS settings.
The article above also gives a great workaround to this problem. By redirecting incoming web traffic to your network to a non-existent server, you can deny access to your router's HTTP interface, and with it this public rom-0 file. On my router, this is accessed via Advanced Setup -> NAT -> Virtual Server, and my configuration looks like this.
The article also suggests setting up a webserver and putting a 1GB file in the root directory called rom-0, just to have a little fun with the attackers.