More news from the Days Inn, Sullivan

Well, I’ve done some more research, and my findings have been interesting.

Previously, I mentioned that I was getting pop-ups. I should have been more specific, because what I was actually getting was a mixture of pop-ups and re-directions. The re-directions were typically taking effect off of Google (or Bing) search results, while the pop-ups happened randomly (but seemed to trigger more often if StatCounter or Google Analytics scripts were present on a page).

There were other weird effects, too. I couldn’t get to the StatCounter website, for example. Results on Google Images came up as a list of Google search results with a bar of images across the top, rather than as the page of images we are all so familiar with.

And, as previously discussed, I got the problem on Windows XP, and on iOS, and in Ubuntu 10.10 Notebook Edition. I got it in Chrome, Firefox, IE 8, Safari Mobile, SkyFire, and Opera. I got it on installed operating systems, writable live-boots, and non-writable live-boots. I got it in VMs.

It. Was. Everywhere.

Which, of course, means it wasn’t me. But then, what was it? An ad proxy, running on a router?

I think I might have found the answer today. A while ago, switching my DNS settings from “automatic” to Google’s two public DNS servers (8.8.8.8 and 8.8.4.4) solved the problem. Today, though, I had to change my IP address and DNS settings whilst at the client site; when I came back, I didn’t re-enable the Google DNS settings.

The problems returned.

I went and spoke to the hotel manager, and asked him straight up if the hotel was running any kind of scripts on its routers. He was surprised at the symptoms I described, and even a bit skeptical until his daughter and two other guests confirmed that they too had seen the same problems when connected to the hotel wi-fi networks (there are three networks in total, all of which seem to be affected). Puzzled, I wrote down what symptoms I had observed for him, and he busied himself trying to find a computer tech to come out and see about the problem.

I went back to my room and turned on OCS so I could speak with the network security expert back at the office in Edmonton. As we talked, I remembered the bit about the Google DNS servers, and so I quickly restored those settings and noticed that the problems, again, disappeared. My co-worker listed a few possibilities, but after I told him about the DNS change he speculated that some sort of DNS cache poisoning might have occurred, especially once I told him the router model in use in the hotel.

I did a few Google searches, and stumbled over this article after five or ten minutes. The infection described therein is commonly known as DNSChanger (or Zlob), and it works as follows:

The new DNSChanger trojan now conducts brute-force attacks against the administration web interface of popular routers. The malware performs a “dictionary attack” based on a list of hardcoded credentials, consisting of the web interface URLs to popular routers (such as from vendors D-Link, Linksys and others) and their default user names and passwords. This poses a great security risk for those users that do not change their router’s factory default settings. The Trojan tries one combination per approximately 100 milliseconds, which makes 600 combinations per minute.

Once DNSChanger has successfully brute-force cracked the credentials, it has access to all the settings and functions provided by the router. It will change its DNS server settings in order to send all DNS queries to the attackers’ DNS servers located in the Ukraine. From there, they can then flexibly redirect all your Internet traffic in whatever way they want.

The symptoms of the infection seem to match what I can find online describing the effects of DNSChanger, but fortunately my computer seems to have none of the symptoms of the infection. And I can circumvent its effects using Google’s public DNS servers. So that’s good, at least.

But it also means that at some point, someone who did have this virus on their computer probably stayed at the hotel, and left it sitting on the desk in their room for a day or three. DNSChanger evidently attempts a brute-force password crack every 100 milliseconds, so even if it only sat out for a couple of days, it could still have attempted thousands of passwords. And if the routers here were using the default passwords for their model…well, I mean, it’d have been so easy.

Anyway, I updated the hotel manager with my findings, and suggested that he and his daughter (and anyone else, for that matter) who had accessed ANY password-protected service (email, Facebook, online banking…) from this network change those passwords (on a different network, at that). I’ll be doing the same, but fortunately I’ve only accessed a handful of sites. And I change passwords every now and again anyhow, so I don’t consider myself to be particularly impacted by this.

I should offer a note of apology for jumping to the conclusion that it was something the hotel operators were doing knowingly. That shows my ignorance: I wasn’t aware there were widespread malware infections that specifically targeted routers, even though I was aware of the existence of numerous exploits for router firmwares. I suppose I should have suspected something malign, but…well, I figured it would be on my system if that were the case. And it wasn’t.

So to the operators of the Days Inn in Sullivan, Indiana, let me just say that I apologize for speaking ill of your establishment. This network issue is of major concern, but the hotel itself is otherwise a fine place to stay. And let me add that I hope you are able to find someone who can resolve this issue for you, and then in short order.

There’s another lesson to be learned here, Dragons and Dragonettes, apart from being cautious in jumping to conclusions. I confirmed with the hotel operator’s daughter that the problem had been going on for quite some time. Additionally, many other guests saw the symptoms of it. Do you think anyone reported it to the managers? Stuff like this can be fought if its presence is known…but knowing that it is present depends on people informing other people that there’s a problem. That didn’t happen in this case; potentially hundreds of guests breezed through this place quietly dismissing the pop-up windows and re-directed search results, without ever thinking to ask the people who operate the network what the cause might be.

2 Responses

  1. Sanctimonia says:

    What’s the quote, something about all it takes for evil to prevail is for good men to do nothing? Good job getting to the bottom of that one. They’ll need to push the pin-hole on their router to reset it to the defaults, then change the password to something crazy and disallow remote (wireless) administration.

    They should make a physical switch on those damn things, like the old 3.5″ disks, to enable write protect. That would be cool.

    • WtF Dragon says:

      That would be handy, actually. It’s not like a router config would even NEED to change unless a technical person known to the router’s owner was working on the thing with the owner’s permission.

      Even some sort of lockout system (maybe based on Kensington) would be…well…something.