Insights and discoveries
from deep in the weeds

Monday, September 12, 2011

Google search redirects: not necessarily a virus

I just returned from a glorious week in Maine. I didn't quite manage to escape from the infiltration of technology in my life, though. My position as the resident geek came into play when one of our guests noted that his google searches appeared to be redirected intermittently to random spam/ad/virus-smelling web sites.

My first instinct when something like this happens would be to assume their machine had a virus. However, in this case, their machine was an iPad. While not at all impossible, it seemed pretty unlikely. Then, it started happening to me too, on my nearly brand new Windows 7 laptop. I was sure I didn't have a virus and besides, what a coincidence that it happened to us both suddenly while on a new internet connection.

After some effort I realized that the Linksys WRT54GL router had been hacked, and the name servers hardcoded to IP addresses in the Ukraine. This isn't unique, nor new, but it was surprising. This is our own internet connection, and we set the router up. I'm not an idiot - or at least I didn't think I was. The root password for the router had been changed when the thing was set up, and there was no remote access allowed to the router. While it's all too common for people to get compromised because they don't bother to do any configuration when they set up a router, I'm not that person.

However, the password was not strong. It was a single English language word.

I am not sure how the router became compromised, since admin access to the box was only allowed from the private network. I haven't researched to find out if any other back door would allow access to it from the internet, or if the attack must have been sourced from a user of the router (perhaps from a virus-infected computer configured to conduct brute force attacks against its gateway?). Either way the point is, never make any assumptions about security.

My assumption was that since this was a private network with very few users, we didn't need a strong password for the router. This assumption didn't consider that an attacker could be from inside your network (a compromised PC), or possibly the router firmware could have bugs that can be exploited to grant access. I am not in control of every user of the network, so I can't make any assumptions. The access to the router should have been hardened as much as possible (on a consumer device like that, anyway).

Hopefully this post will help others trying to resolve this same problem - google searches on the terms in this post's subject returned few results, and none that identified the problem as a DNS or hacked router issue. Most discussion threads concluded the user had a virus on their PC. Check your routers, and make sure they're locked down!

1 comment:

  1. The scary thing here is that redirects COULD lead to viruses. We need some sort of protection against such dangers.

    anti spam software