
How to defend against brute-force router attacks from Sality malware

The Sality malware has reemerged with new capabilities: brute-forcing passwords on wireless access points. Enterprise threats expert Nick Lewis explains how to.

I heard that Sality -- an aging malware -- is trying to come back with a vengeance by brute-forcing routers. Can you please explain how this works and how to defend against it?

What is old will always be new again -- or at least new again to someone.

The Sality malware has increased the number of systems it can infect by adding a new component that performs brute-force password attacks against the administrative interfaces of consumer-grade wireless access points. Once it guesses a weak or default password, it changes the DNS server settings on the access point, so every client that obtains its configuration from that device is pointed at a DNS server the attackers control. With the clients' name resolution under attacker control, requests for legitimate software downloads are answered with downloads masquerading as that software, which install the malware on the client computer.

Preventing a Sality attack on an enterprise network is different from preventing it on a home network. On a home network, the attack depends on a guessable administrative password, so it is enough to replace the default password on the wireless router with a strong one and to restrict the admin interface to internal (LAN-side) access only, disabling any remote administration feature. An enterprise, on the other hand, must take a more aggressive approach by extending network monitoring. Rogue wireless access points that might be vulnerable can be found with a vulnerability scanner or a basic port scan for administrative web interfaces on hosts that are not in the asset inventory. Enterprises can also use an intrusion detection system to watch for rogue DHCP servers, which is how a rogue wireless router hands out its DNS settings to clients. To identify compromised or redirected systems, enterprises should also monitor for DNS traffic from client systems to any DNS server other than the approved internal resolvers. Once a rogue device is identified, enterprises should remove it from the network -- or at least minimally secure it by changing the default password to a strong one -- and check that clients that used it are no longer configured with the attacker's DNS server.
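The two monitoring checks described above -- DNS traffic from clients to unapproved resolvers, and DHCP offers from servers that are not the approved DHCP servers -- can be run over ordinary flow records. The following Python script is an added example, not code from the original article or from any IDS product; the one-line flow-record format, the IP addresses and the approved-server lists are constructed for the example and would be replaced with the site's own NetFlow/Zeek export and inventory.

```python
"""Detect DNS traffic to unapproved resolvers and DHCP offers from unapproved
servers in simple flow records (added example; not from the original article).

Constructed record format, one flow per line:
    <timestamp> <src_ip>:<src_port> > <dst_ip>:<dst_port> <proto>
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

IPAddress = ipaddress.IPv4Address

DNS_PORT = 53
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68

# Assumed approved servers for this example; a real deployment would load
# these from the enterprise resolver and DHCP inventory.
APPROVED_DNS: Set[IPAddress] = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}
APPROVED_DHCP: Set[IPAddress] = {ipaddress.ip_address("10.0.0.1")}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPAddress
    sport: int
    dst: IPAddress
    dport: int
    proto: str


@dataclass(frozen=True)
class Finding:
    kind: str        # "unapproved_dns" or "rogue_dhcp"
    actor: str       # client using the bad resolver, or the rogue DHCP server
    target: str      # resolver contacted, or the DHCP destination address
    first_seen: str  # timestamp of the first matching flow


def _split_endpoint(text: str):
    """Split 'ip:port' into (IPv4Address, int); rsplit keeps IPv4 intact."""
    ip, port = text.rsplit(":", 1)
    return ipaddress.ip_address(ip), int(port)


def parse_flow(line: str) -> Flow:
    """Parse one constructed-format flow record into a Flow."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != ">":
        raise ValueError(f"malformed flow record: {line!r}")
    src_ip, sport = _split_endpoint(src)
    dst_ip, dport = _split_endpoint(dst)
    return Flow(ts, src_ip, sport, dst_ip, dport, proto.lower())


def classify(flow: Flow,
             approved_dns: Set[IPAddress] = APPROVED_DNS,
             approved_dhcp: Set[IPAddress] = APPROVED_DHCP) -> Optional[str]:
    """Return the finding kind for a flow, or None if it is unremarkable."""
    # Any DNS query (UDP or TCP) that does not go to an approved resolver.
    if flow.dport == DNS_PORT and flow.proto in ("udp", "tcp") \
            and flow.dst not in approved_dns:
        return "unapproved_dns"
    # A DHCP server-to-client datagram (67 -> 68) from an unapproved source.
    if flow.proto == "udp" and flow.sport == DHCP_SERVER_PORT \
            and flow.dport == DHCP_CLIENT_PORT and flow.src not in approved_dhcp:
        return "rogue_dhcp"
    return None


def analyze(lines: Iterable[str],
            approved_dns: Set[IPAddress] = APPROVED_DNS,
            approved_dhcp: Set[IPAddress] = APPROVED_DHCP) -> List[Finding]:
    """Run both checks over flow records, reporting each (kind, actor, target) once."""
    findings: List[Finding] = []
    seen = set()
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        flow = parse_flow(raw)
        kind = classify(flow, approved_dns, approved_dhcp)
        if kind is None:
            continue
        key = (kind, flow.src, flow.dst)
        if key in seen:          # suppress repeats of the same pairing
            continue
        seen.add(key)
        findings.append(Finding(kind, str(flow.src), str(flow.dst), flow.ts))
    return findings


# Constructed sample flows (not captured traffic). 203.0.113.10 plays the
# attacker-controlled resolver; 10.0.5.99 plays a rogue wireless router.
SAMPLE_FLOWS = """\
2014-10-01T09:00:01 10.0.5.20:51234 > 10.0.0.53:53 udp
2014-10-01T09:00:02 10.0.5.21:49152 > 203.0.113.10:53 udp
2014-10-01T09:00:03 10.0.5.99:67 > 255.255.255.255:68 udp
2014-10-01T09:00:04 10.0.0.1:67 > 255.255.255.255:68 udp
2014-10-01T09:00:05 10.0.5.22:50001 > 198.51.100.7:443 tcp
2014-10-01T09:00:06 10.0.5.21:49153 > 203.0.113.10:53 tcp
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS.splitlines()):
        print(f"{f.first_seen} {f.kind}: {f.actor} -> {f.target}")
```

Running the script on the constructed sample flags client 10.0.5.21 for resolving through 203.0.113.10 and 10.0.5.99 for answering DHCP clients, while the approved resolver, the approved DHCP server and the unrelated HTTPS flow produce nothing. The DNS check deliberately matches TCP as well as UDP, since a redirected client falls back to TCP for large answers and an attacker's resolver is no less suspicious for it.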


This was last published in October 2014


1 comment

Use "DHCP snooping" on Cisco routers and switches to pull the teeth from rogue DHCP servers.