Troubleshooting the "Update Your Flash Player" Virus

May 9, 2014

Upon opening my web browser about a month ago, I came across what looked like this when trying to access certain sites.

First, a message stating "WARNING! Your Flash Player may be out of date."

[Screenshot: the fake "WARNING! Your Flash Player may be out of date." message]

And then a fake Flash upgrade webpage.

[Screenshot: the fake Flash upgrade webpage]

I immediately did an nslookup on the domains that were showing me this webpage, and saw that they were all pointed at one IP address, 74.82.207.26. nslookup was also reporting my DNS server as 173.234.241.50. I confirmed in my system preferences that this was my configured DNS server from my router's DHCP lease.

I set my DNS server to Google's 8.8.8.8 and ran dscacheutil -flushcache to clear the local DNS cache. After refreshing the browser, everything was working normally again.
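The check above (compare what the DHCP-assigned resolver says against a resolver you trust, and notice when unrelated domains all collapse onto one address) can be scripted. The following is an added example, not code from the original post: a minimal DNS client on the Python standard library, so the query goes to the resolver you name rather than the OS stub. SUSPECT_RESOLVER and the domain list are placeholders to fill in, and SAMPLE_RESPONSE is a hand-constructed reply used only to exercise the parser offline.

```python
"""Ask two resolvers directly and compare their answers.

Added example, not from the original post: a minimal DNS client built on the
standard library (no dnspython) so the query goes to a resolver you name
instead of the OS stub. SUSPECT_RESOLVER and DOMAINS are placeholders to fill
in; SAMPLE_RESPONSE is a hand-constructed reply used to exercise the parser
offline.
"""
from __future__ import annotations

import random
import socket
import struct

TRUSTED_RESOLVER = "8.8.8.8"       # the resolver the post switched to
SUSPECT_RESOLVER = "192.0.2.1"     # placeholder: put the DHCP-assigned resolver here
DOMAINS = ["example.com", "example.net", "example.org"]   # placeholders


def build_query(name: str, qid: int) -> bytes:
    """Standard-form A/IN query with the recursion-desired bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Step over a name (labels or a compression pointer) and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_id: int) -> list[str]:
    """IPv4 addresses from the answer section; rejects replies that are not ours."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    if qid != expected_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve(name: str, resolver: str, timeout: float = 3.0) -> list[str]:
    """Send one UDP query to `resolver` and return the A records it gives back."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)


def find_sinkholed(answers: dict[str, list[str]]) -> set[str]:
    """Domains that share an identical answer set with another domain. Unrelated
    sites all landing on one address is the symptom the post describes."""
    groups: dict[frozenset[str], set[str]] = {}
    for name, addrs in answers.items():
        groups.setdefault(frozenset(addrs), set()).add(name)
    return {n for names in groups.values() if len(names) > 1 for n in names}


def differing(names, suspect, trusted):
    """Domains where the two resolvers disagree, with both answer sets."""
    out = {}
    for n in names:
        a, b = resolve(n, suspect), resolve(n, trusted)
        if set(a) != set(b):
            out[n] = (a, b)
    return out


# Constructed reply: example.com A 74.82.207.26, id 0x1234, flags QR|RD|RA.
SAMPLE_QID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", SAMPLE_QID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([74, 82, 207, 26])
)

if __name__ == "__main__":
    try:
        for dom, (bad, good) in differing(DOMAINS, SUSPECT_RESOLVER, TRUSTED_RESOLVER).items():
            print(f"{dom}: {SUSPECT_RESOLVER} says {bad}, {TRUSTED_RESOLVER} says {good}")
    except (socket.timeout, OSError) as e:
        print("query failed:", e)
```

Two caveats when reading the output: CDN-fronted sites legitimately return different or rotating addresses from different resolvers, so a disagreement on one domain is a prompt to look closer, not proof of tampering; and the sinkhole heuristic only flags domains whose whole answer set is identical to another domain's, which is exactly the pattern seen here (every hijacked site resolving to 74.82.207.26).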

Next, I logged into my router's and DSL modem's admin panels and saw that both had their DNS server set to 173.234.241.50. My DSL modem is a BEC Technologies ADSL Modem/Router that my local ISP gives to me. The DSL modem allowed me to change the DNS server, so I did, making it 8.8.8.8, and I also changed my admin password.

Since my DSL modem was handing out this rogue DNS server as part of its DHCP leases, I figured that this was either my DSL modem being compromised or an upstream router at my ISP being compromised. I investigated the problem a bit and couldn't really find out too much about it. Nor could I find any firmware for my DSL modem. So I decided to give my ISP a call.

They assured me that I had a virus called "Update your Flash Player Virus" on my computer, that they had other customers complaining about it, and that they weren't sure yet what the cause was or how to fix it. I could find no information about this virus attacking Mac computers (there are no physical PCs on my network) or about this desktop/laptop virus changing DNS on a modem/router.

Another week went by without incident, and then the same problem started happening. Same symptoms, but this time the rogue DNS server was 68.168.98.196. This time that IP address came up in a Google search and eventually led me to this article describing the "ZyNOS rom-0" attack and how to prevent it.

It turned out that my BEC Technologies router was running ZyNOS firmware, and that its internal configuration could be downloaded without an admin password. I verified this from outside of my network.

$ wget http://[my ip address]/rom-0

This downloads a file called rom-0, which contains the router's configuration, including the admin password in recoverable form. The file is LZS compressed and can be decompressed with this tool. So it seems that someone, or more likely an automated script, pulled the admin password out of this file, logged into my router with it and changed the DNS settings.

The article above also gives a good workaround for this problem. By forwarding all incoming web traffic (TCP port 80) from the WAN side to an unused internal address, you make the router's HTTP interface, and with it the public rom-0 file, unreachable from the internet. Note that this is a workaround rather than a fix: the unauthenticated rom-0 download still exists and is still reachable from the LAN side; it is just no longer exposed to the outside. On my router, this is configured via Advanced Setup -> NAT -> Virtual Server, and my configuration looks like this.
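Whether the rom-0 dump is reachable is worth testing both before and after the workaround, since a port-forward that silently fails leaves the exposure in place. The following is an added example, not code from the original post or from any vendor tool: it issues the same unauthenticated request as wget http://[my ip address]/rom-0 and reports whether a non-empty 200 comes back, treating a 404, a refused connection or a timeout as "closed", which is the state you want to see from outside after the NAT redirect. It does not decompress the dump. The local fake router served by the demo is constructed purely so the check can be exercised offline.

```python
"""Check whether a ZyNOS-based router hands out its rom-0 config dump.

Added example, not from the original post or a vendor tool: it performs the
same request as `wget http://<ip>/rom-0` and reports whether the download
succeeds without credentials. The fake router below is constructed for an
offline demonstration; point check_rom0() at your public IP from outside
your network for the real test, before and after applying the workaround.
"""
from __future__ import annotations

import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def check_rom0(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """GET /rom-0 with no credentials.  'exposed' is True only for a 200 with a
    non-empty body; 4xx/5xx, refused connections and timeouts all count as
    closed, which is the desired result once the NAT redirect is in place."""
    url = f"http://{host}:{port}/rom-0"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
            return {"exposed": resp.status == 200 and len(body) > 0,
                    "status": resp.status, "size": len(body)}
    except urllib.error.HTTPError as e:
        return {"exposed": False, "status": e.code, "size": 0}
    except (urllib.error.URLError, OSError):
        return {"exposed": False, "status": None, "size": 0}


class _FakeRouter(BaseHTTPRequestHandler):
    """Constructed stand-in for the router's web interface: serves a dummy
    rom-0 blob when `rom0` is set (vulnerable), 404 otherwise (fixed)."""
    rom0: bytes | None = None

    def do_GET(self):
        if self.path == "/rom-0" and self.rom0 is not None:
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(self.rom0)))
            self.end_headers()
            self.wfile.write(self.rom0)
        else:
            self.send_error(404)

    def log_message(self, *args):   # keep the demo quiet
        pass


def _serve(rom0: bytes | None) -> tuple[ThreadingHTTPServer, int]:
    """Start a fake router on a free loopback port; returns (server, port)."""
    handler = type("Handler", (_FakeRouter,), {"rom0": rom0})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo() -> tuple[bool, bool]:
    """Run the check against a vulnerable fake and a fixed fake."""
    fake_dump = b"\x00" * 16384    # constructed dummy; a real rom-0 is the binary config image
    results = []
    for rom0 in (fake_dump, None):
        srv, port = _serve(rom0)
        try:
            results.append(check_rom0("127.0.0.1", port)["exposed"])
        finally:
            srv.shutdown()
            srv.server_close()
    return results[0], results[1]


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("dump served:", vulnerable, "| after fix:", fixed)
```

Run the real check from a host outside your network (a phone on mobile data, or a remote shell) against your public IP, not from the LAN, since the Virtual Server rule only affects traffic arriving on the WAN interface.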

[Screenshot: Virtual Server rule forwarding incoming web traffic to an unused internal address]

The article also suggests setting up a webserver and putting a 1GB file in the root directory called rom-0, just to have a little fun with the attackers.
