There Might Be A ZuoRAT In Your SOHO Router, Infecting Your Machines

It’s Probably Time To Start Scheduled Reboots For Your Routers

Today brings the revelation that yet another sophisticated attack against SOHO routers has been running for well over a year.  The complexity of ZuoRAT, the fact that three of its four components were written from scratch, and the fact that it has been found on over 80 different router models all suggest it has the backing of an entity with a lot of resources.  The trojan is built for the MIPS architecture that most SOHO routers run on, which is why it can infect so many different models, but that also brings good news.  This type of trojan does not survive a router reboot, so you might want to figure out a way to bounce yours regularly.  Keep in mind that a reboot clears the infection but not the hole it came in through, so keeping the firmware patched still matters.

It communicates with its control servers through a number of proxies, including ones in Taiwan and Canada, which makes it hard to determine where those servers are located, though researchers are still hoping for a breakthrough.  Once the infection moves into your router, it enumerates the devices on your network and hijacks DNS and HTTP requests to redirect your browser to malicious sites masquerading as the ones you intended to visit.  From there the attackers can infect the machines on your network; sadly, those infections will survive a router reboot.

You can learn more about what has been discovered about ZuoRAT over at Ars Technica; though maybe reboot that router, just in case.
