Cleaning a compromised Router


At the office I noticed malware symptoms on one of the computers. I tried cleaning it and found nothing. Then I noticed I got the same behavior on my phone and the other computer: occasional links would redirect to malware download pages.

I changed my phone to cellular data and the behavior went away. I figured it must be the router or cable modem. I power cycled them and checked for a proxy or any other strange settings. I didn't see any, and it worked normally for a while, only to return again later.

What am I missing? Where else could the malware be coming from?

Best Answer

Check DNS settings on the router, modem and other devices. Also consider a factory reset, rather than just a reboot - the reset will completely clear all settings.

If you are using default (ISP-assigned) DNS servers, consider changing them to an alternative, such as Google's - if you observe this behaviour stopping, consider checking with other users of this ISP, or reporting the issue to them. It's possible (though unlikely) that your ISP was compromised. There's also the possibility that malware on your computer itself was designed to attempt common passwords on consumer routers and make this change, though that is unlikely.

Another potential attack vector is a vulnerability in the router software itself. Unfortunately, it's not easy to detect such an attack - probably the simplest thing to do is look up the model number and see if there are any known vulnerabilities. If any exist, then you should either update the firmware (if possible) or replace it with a different device.
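One way to do the DNS check the answer recommends is to ask the router's resolver and a trusted public one (Google's 8.8.8.8, as mentioned above) the same question and see whether the answers agree. The script below is an added example, not part of the answer; the router address 192.168.1.1 is an assumed placeholder for your LAN gateway, and it speaks raw DNS over UDP so no third-party library is needed.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS query for an A record, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(resp, pos):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = resp[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return pos + 2
        pos += length + 1

def parse_a_records(resp):
    """Return the sorted IPv4 addresses found in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">HH", resp[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAMEs and others are skipped
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return sorted(addrs)

def resolve(name, server, timeout=2.0):
    """Ask one specific resolver (bypassing the OS resolver) for name's A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)

def compare_resolvers(name, router_dns, trusted_dns="8.8.8.8"):
    """Flag a domain whose router-supplied answer differs from a trusted resolver's."""
    router, trusted = resolve(name, router_dns), resolve(name, trusted_dns)
    # A difference is a lead, not proof: CDNs legitimately return region-specific addresses.
    return {"name": name, "router": router, "trusted": trusted, "differs": router != trusted}
```

Run it against the sites that were redirecting, e.g. `compare_resolvers("example.com", "192.168.1.1")` with your router's real LAN address substituted; an answer from the router that points at an address the trusted resolver never returns is what a hijacked DNS setting looks like.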