Trend Micro has identified a new piece of malware (see article) that attempts to connect to your home router using default userids and passwords for a number of home router vendors. It tries userids like admin, guest, root and user and passwords like admin, password and 12345678.
The malware, named VICEPASS, scans for devices and attempts to figure out the device manufacturer, looking for strings like apple, cisco, iphone and samsung. Once it finishes the inventory, it encrypts the results and sends them to it’s control server.
The unusual thing is what it does next – it deletes all traces of itself.
The malware, which may be delivered using a phishing attack which sends users to a web page that purports to be a Flash update. Since Adobe seems to update Flash at least once a week, this doesn’t seem very suspicious to users. That update is really VICEPASS.
The real question here is what are these guys up to. Clearly, they could have a map to millions of devices by doing this, but what do they plan to do with the results.
That is the $64,000 question.
As I have said many times, change the default userid and password on your router. You need to do that anyway. Apparently, that is sufficient to stop this attack.