Alert icon

Your router is infected!

Your router has been compromised and your network connections are being routed through a malicious remote server.

Description


Your router has been hacked and its DNS settings have been modified to serve malicious contents. DNS records on your wireless router are hijacked. While you browse the web, hackers can freely redirect you from an authentic site to a fake one. Sensitive information such as user names, passwords, and credit card details can be acquired. Your personal data is at risk, and so is the security of all devices connected to this network.

The manual solution is to change the DNS records on your router through its admin interface.

Important:

Before trying to solve this problem, make sure to solve all other router problems detected by Avast. Otherwise the following fix will not be effective.

Solution


Select your router manufacturer to view further instructions on how to fix the problem manually:

ASUS

D-Link

Huawei

Linksys/Cisco

NETGEAR

Sagem/Sagemcom

TP-LINK

ZyXEL

Can't find your router?

Details

DNS (short for Domain Name System) is the "phone book" of the Internet. It's a service that provides names for computers, servers or any resources connected to the Internet. It translates easily memorized domain names (like www.example.com) to the numerical IP addresses needed to locate the service in the network.

Normally, when you type in something like www.my-bank.com in your browser, this is what happens:

  1. The browser uses the DNS protocol to ask the DNS server what IP address belongs to www.my-bank.com. The DNS server returns the answer (in the form of the IP address).
  2. The browser then uses that IP address to connect to the bank site.

Now, if the router is infected and the DNS server is hijacked, this is what happens instead:

  1. The browser uses the DNS protocol to ask the DNS server what IP address belongs to www.my-bank.com. However, since the DNS server is controlled by the attacker, it doesn't return the real IP address of the site. Instead, it returns an IP address of a different server that the attacker controls.
  2. The browser than unknowingly connects to that malicious server instead of the correct one.
  3. The malicious server then typically uses resources (images, texts, style sheets etc.) from the original server, so that it looks more legitimate.

Instead of connecting to a clean site or service, you'll visit a rogue one where your banking information can be captured. Depending on the skills of the attacker, the rogue server may even use the HTTPS protocol and have SSL certificates that look genuine to the browser. Therefore, it is very difficult for you, as a user, to detect that there is anything suspicious going on.

In most cases, the remedy is to simply use the DNS servers automatically configured by your Internet provider (via Dynamic Host Configuration Protocol, or DHCP, which dynamically distributes network configuration parameters such as IP addresses). Another possibility is a static value that you assign manually. But first ensure that the router is not vulnerable anymore, otherwise the infection will come back.

Avast Wi-Fi Security supported alerts:



© 1988-2021 Copyright Avast Software s.r.o.