During a presentation at the Virus Bulletin Conference in Dallas, Fabio Assolini from Kaspersky Lab described how criminals in Brazil managed to compromise 4.5 million DSL routers for months without being noticed. For their attack, the criminals first used two Bash scripts and a Cross-Site Request Forgery (CSRF) attack to change the admin password and then manipulated the router's DNS server entry. The CSRF attack even allowed them to bypass any existing password protection. Once compromised, the PCs were redirected to specially crafted phishing domains that mainly targeted users' online banking credentials; the attackers had set up 40 DNS servers to handle this redirection. The attack was limited to large parts of Brazil's IP address space.

The security hole has been known about since March 2011. Affected routers from various manufacturers, such as Comtrend's CT-5367 ADSL router, include at least one unspecified Broadcom chipset. Some manufacturers have provided firmware updates to close the holes, reducing the number of hijacked routers to 300,000; however, other manufacturers either no longer maintain older routers or respond slowly to security holes, and ten per cent of the originally affected routers still remained under the attackers' control by March 2012.

Assolini notes that, in these circumstances, there are very few things that users can do to improve their router security, other than tightening their security settings and keeping their firmware and related software up to date – unless their provider offers a better router model.

(sno)