The past few days have revealed new data that suggests the recent upsurge in malware targeting routers—as Ars has chronicled here, here, and here—is not only continuing, but it's spreading to digital video recorders (DVRs).

Exhibit A came Monday from researchers at security training institute Sans, which unearthed a Bitcoin-mining trojan that has infected DVRs. The researchers found the infection while investigating the source of an automated script they observed scanning the Internet for data storage devices made by Synology. They eventually found that the bot ran on a DVR with an ARM processor but didn't know much else. They later determined it was part of a Bitcoin miner that took control of DVRs used to record video from security cameras, most likely by exploiting an exposed telnet port and a default root password of "12345." Samples of the malware are here. The password to access the binaries is "infected."

On Tuesday, Sans researchers uncovered evidence that the binaries can also infect routers, even when they're configured to provide network address translation (NAT), which can help lock down the security of devices on a network.

"To our surprise, at least in one case it turned out that a binary by the same name, 'cmd.so', was running on the NAT router itself," Sans CTO Johannes Ullrich wrote. "In addition, a second process was running that looked just like the Bitcoin miner we saw running in the infected DVRs. Sadly, we were not able to retrieve the binaries, but the processlist looks similar enough to make us believe that this is the same basic binary just compiled for MIPS in this case (the router in question uses a MIPS CPU)."

Exhibits B and C

Exhibit B for the case that infections against routers and similar devices are growing comes from researchers at antivirus provider Eset. In a blog post published Wednesday, they reported that Win32/Sality, an 11-year-old piece of computer malware for sending spam and performing denial-of-service attacks, was recently updated to change the domain name system (DNS) settings of home broadband gateway routers. The new component was first used in late October. The Eset researchers wrote:

This feature adds a new dimension to the Win32/Sality operation. The first component, detected by ESET as Win32/RBrute.A, scans the Internet for router administration pages in order to change the entry for their primary DNS server. The rogue DNS server redirects users to a fake Google Chrome installation page whenever they are trying to resolve domains containing the words “google” or “facebook.” The binary distributed through this installation page is in fact Win32/Sality itself, providing a way for the Sality botnet’s operators to increase its size further by infecting other users behind this router.

The Eset researchers went on to conclude that RBrute is likely a way to ensure the continuing survival of the Win32/Sality ecosystem as improving PC security makes traditional infections harder. They wrote:

The usual infection vectors of Win32/Sality might not be sufficient enough to keep the botnet alive; hence the botnet controllers are deploying a new component to grow the botnet. DNS hijacking on routers can be quite effective if done correctly. It can reach a lot of users behind a single router, especially on public access points. As routers are not commonly protected by security solutions, it provides an unrestricted environment to attackers allowing them to try several techniques to steal users’ information. An existing technology that could fix the problem is DNSSEC, since the result of a DNS request is cryptographically signed and hence not prone to tampering. A good security practice that would reduce the scope of the problem is to change the default password on the router’s web interface.
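The hijack Eset describes works by swapping the router's primary DNS server entry, so the cheapest defensive check is to confirm which resolvers the gateway is configured with and what they actually answer for a high-value name. The script below is an added example, not code from Ars, Eset or Sans: it builds a raw DNS A query, parses the response (including RFC 1035 name compression), flags resolver addresses outside an allowlist, and compares the gateway resolver's answer with a trusted reference resolver's. Every address used (the 192.0.2.x, 198.51.100.x and 203.0.113.x values) and the embedded response bytes are constructed placeholders from the documentation ranges, not captured data.

```python
import os
import socket
import struct


def build_query(name, txid):
    """Build a minimal DNS A-record query (recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_a_records(msg, expected_txid):
    """Return (rcode, [(name, ipv4), ...]) from a DNS response, checking the txid."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append((name, socket.inet_ntoa(rdata)))
    return rcode, answers


def resolve_a(name, server, timeout=2.0):
    """Live check: send one A query over UDP to `server` and parse the reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def unexpected_resolvers(configured, allowed):
    """Resolver addresses in the gateway's config that are not on the allowlist."""
    return [ip for ip in configured if ip not in allowed]


def answers_not_seen_by_reference(configured_answers, reference_answers):
    """IPs the gateway resolver returned that the trusted reference resolver did not."""
    reference_ips = {ip for _, ip in reference_answers}
    return sorted({ip for _, ip in configured_answers if ip not in reference_ips})


# Constructed sample response (not a real capture): the gateway's resolver answers
# google.com with 192.0.2.10, an address from the TEST-NET-1 documentation range.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, rcode 0
    + b"\x06google\x03com\x00" + struct.pack(">HH", 1, 1)   # question: google.com A IN
    + b"\xc0\x0c"                                           # name: pointer to offset 12
    + struct.pack(">HHIH", 1, 1, 60, 4)                     # A, IN, TTL 60, rdlength 4
    + socket.inet_aton("192.0.2.10")
)
# Constructed answer from a trusted reference resolver for the same name.
REFERENCE_ANSWERS = [("google.com", "198.51.100.7")]
ALLOWED_RESOLVERS = {"203.0.113.53"}  # placeholder: the resolver you expect the gateway to use


def run_offline_check():
    """Run the audit on the constructed data; returns (rcode, answers, rogue resolvers, odd IPs)."""
    rcode, answers = parse_a_records(SAMPLE_RESPONSE, SAMPLE_TXID)
    rogue = unexpected_resolvers(["192.0.2.53"], ALLOWED_RESOLVERS)  # constructed gateway config
    return rcode, answers, rogue, answers_not_seen_by_reference(answers, REFERENCE_ANSWERS)


if __name__ == "__main__":
    print(run_offline_check())
```

A live run would call `resolve_a("google.com", <gateway resolver>)` and `resolve_a("google.com", <reference resolver>)` and feed both results to `answers_not_seen_by_reference`. Treat a mismatch as a prompt for manual review rather than proof of hijacking: large CDN-fronted names legitimately return different addresses by region, whereas the RBrute case in the quote steers the name to an unrelated host serving a fake installer. The script speaks plain, unsigned DNS, which is exactly the gap DNSSEC validation on the client side would close.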

The third piece of data comes from Nominum, a provider of analytics software for telecommunications and service providers. Company researchers on Wednesday said they have identified 24 million home routers that have DNS proxies that are accessible to people on the Internet. In February alone, more than 5.3 million of those routers were used to generate traffic used in denial-of-service attacks, they said.

The takeaway is that it's no longer realistic to think that routers, DVRs, or other Internet-connected home appliances aren't worth an attacker's time. The ability of malware to infect a growing number of platforms, combined with the increasing difficulty of compromising more traditional targets, makes poorly designed "Internet of Things" devices the 2014 equivalent of Windows XP, especially as it was in its early years, when the Microsoft OS was particularly easy to hack.

People who don't rely on networked services provided by their smart TVs, DVRs, and other Internet-capable appliances should consider disconnecting them altogether. Those who need or want those devices to be available on the Internet should spend a few minutes to make sure default passwords have been changed and that remote access and other features are disabled unless absolutely needed.