Is your router a tomato? Manufacturers and developers may be a little red-faced

It appears that the open source Tomato router firmware, which is also increasingly being adopted by manufacturers of routers, has a bit of a problem.

One of the router’s default settings leaves port 8080 open to the Internet - with a default user name of “admin” and a default password of “admin”. Alternatively, the user name is “root” with the same “admin” password.

If your router runs Tomato, you can check whether ports are open to the Internet using the GRC ShieldsUp tool - which tries to send your system messages to commonly used ports. You can also specify the port to be scanned - in this case 8080.

If your router is exposed to the Internet:

  1. Did you deliberately expose it and set a strong user name/password combination?
  2. If not, panic. Then read the router’s manual to find out how to close the port (preferably) or at least set a strong password.

While you’re on the GRC website, you may wish to try the UPnP probe for Windows (which requires a small download that must be run as Administrator) and read the supporting information to see if you have that particular vulnerability. In most cases, routers and Windows are both set up to accept UPnP connections.

(I just learned that my current Windows install had UPnP enabled, and immediately turned it off. It doesn’t matter enormously, as my router is rejecting requests - but if I had a rogue program it would have slightly more difficulty communicating with the mothership.)

6 Likes
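The check the post describes (is the management port reachable from outside, and does it still take the factory credentials?) as an added example, written for this page rather than taken from the post or from the Tomato project. It assumes the router's web UI uses HTTP Basic authentication and answers 401 until valid credentials arrive; the credential list is the one the post gives (admin/admin, root/admin). Run it from a host outside your LAN against your own public IP and port 8080, and only against equipment you own. The built-in demo stands up a constructed fake router UI on localhost so the logic can be exercised offline.

```python
import base64
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Credentials the post says Tomato ships with; extend for other firmware you own.
DEFAULT_CREDS = [("admin", "admin"), ("root", "admin")]


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes (the question ShieldsUp asks)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_admin_ui(host, port, creds=DEFAULT_CREDS, timeout=5.0):
    """Classify an HTTP management port as seen from where this script runs.

    reachable     - TCP connect succeeded
    auth_required - the UI answered 401 to an unauthenticated request
    no_auth       - the UI served its root page with no credentials at all
    accepted      - first (user, password) from `creds` the UI accepted, else None
    """
    verdict = {"reachable": port_open(host, port, timeout),
               "auth_required": False, "no_auth": False, "accepted": None}
    if not verdict["reachable"]:
        return verdict
    url = f"http://{host}:{port}/"
    try:
        with request.urlopen(url, timeout=timeout) as resp:
            verdict["no_auth"] = resp.status == 200
            return verdict  # nothing to guess: the page is simply open
    except error.HTTPError as exc:
        verdict["auth_required"] = exc.code == 401
        if exc.code != 401:
            return verdict
    except OSError:
        return verdict  # port open but not speaking HTTP
    for user, password in creds:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = request.Request(url, headers={"Authorization": f"Basic {token}"})
        try:
            with request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    verdict["accepted"] = (user, password)
                    break
        except error.HTTPError as exc:
            if exc.code != 401:
                break  # 403/5xx: stop guessing, something else is going on
        except OSError:
            break
    return verdict


class _FakeRouterUI(BaseHTTPRequestHandler):
    """Constructed stand-in for a router admin page still protected by admin/admin."""
    expected = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected:
            body, status = b"<html>router status</html>", 200
        else:
            body, status = b"Unauthorized", 401
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Probe the fake router on an ephemeral localhost port, then the same port once closed."""
    server = HTTPServer(("127.0.0.1", 0), _FakeRouterUI)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        exposed = probe_admin_ui("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()
    closed = probe_admin_ui("127.0.0.1", port)  # nothing listens there any more
    return {"exposed": exposed, "closed": closed}


if __name__ == "__main__":
    print(run_demo())
```

A result of `accepted == ("admin", "admin")` from outside your network is the case the post tells you to panic about; `no_auth` is worse still. A closed port (`reachable` false) is the state you want after following the router's manual.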

Thanks for that @postulative. Always good to check and recheck these things.

Apparently we’re in stealth mode :sunglasses: Very sneaky.

2 Likes

Something unexpected also came with it, which Norton considers to be unsafe and has removed.

2 Likes

That is very puzzling, given that Mr Gibson hosts all his own files and is somewhat touchy about security. It could be because of the age of the program, or perhaps its need for administrator permissions?

I also see that the program is not digitally signed, and have sent a message on Twitter asking about this.

2 Likes

The program you linked to downloaded and Norton said it was safe, and I have run it and disabled MS’s PnP fail, but something arrived just before it with a name of a very large number of letters, which Norton exterminated before I could make note of it.

Checked Norton logs, here it is:

4 Likes

Could that be a file sent (warning given and permission asked) to probe the ports?

3 Likes

I have no idea, but it would seem a bit rude to send it before you run the program. Perhaps our Privacy Champion will come to the rescue with an answer :slight_smile:

2 Likes

Almost certainly not. By its name, it looks like a temp file created as part of the download (i.e. false positive). No reply from the software author about digital signatures yet, but that’s not entirely surprising as I think he gets a lot of mail.

Did Norton identify from which folder it quarantined the file? I see the report says “fewer than 5 users have used this file”, and that it was released less than 1 week ago - both suggesting to me that it may simply be a misclassified temp file. I see there is also an ‘origin’ tab - does that add any useful information? File size would also be interesting to know.

Bear in mind too that the modern computer has dozens of different programs accessing the Internet at once, so it is also possible that something other than your web browser (and the page it was visiting) was responsible. Additionally, web browsers are not static - mine downloads several megabytes while I am away from it during the day (and/or night).

2 Likes

Timing is 5 seconds before Norton started looking at unpnp.exe

All the details from Norton:

Filename: 0BD6F67799F60A6B6CFCEF7D446AC1224CE39335
Threat name: Heur.AdvML.B
Full Path: C:\Users\VIP\AppData\Local\Mozilla\Firefox\Profiles\0iv0kvmv.default\cache2\entries\0BD6F67799F60A6B6CFCEF7D446AC1224CE39335

On computers as of: 01-Feb-20 at 14:16:16
Last Used: 01-Feb-20 at 14:18:16
Startup Item: No
Launched: No
Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.

Very Few Users: Fewer than 5 users in the Norton Community have used this file.
Very New: This file was released less than 1 week ago.
High: This file risk is high.

Source: External Media
Source File: 0BD6F67799F60A6B6CFCEF7D446AC1224CE39335

File Actions
File: C:\Users\VIP\AppData\Local\Mozilla\Firefox\Profiles\0iv0kvmv.default\cache2\entries\0BD6F67799F60A6B6CFCEF7D446AC1224CE39335 Removed

File Thumbprint - SHA: b64b490ce1646aaa3d69968dbb4ec6f3f7a466ac20788a8efade3004bc651d27
File Thumbprint - MD5: d91047c794e569a8ee638872e54f166b

2 Likes
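The path Norton reported is a Firefox cache2 entry, and the earlier question about the file's origin can be answered from the entry itself: the file name is the uppercase SHA-1 of the cache key, and the key embeds the URL the content came from, with the server's response headers stored alongside. The following inspector is an added example written for this page, not a tool from the thread or from Mozilla. The byte layout it parses is my reading of Firefox's CacheFileMetadata.cpp rather than a published spec, so it cross-checks the recovered key against the file name and refuses to guess if the key is not where it expects. The sample entry and its URL are constructed for the demo, not the file from the thread. It also prints SHA-256 and MD5 of the whole file so you can compare with the thumbprints in a quarantine report or look the hash up on a multi-engine scanner.

```python
import hashlib
import os
import struct
import sys

CHUNK_SIZE = 256 * 1024  # cache2 hashes the cached body in 256 KiB chunks


def parse_cache2_entry(blob):
    """Split one cache2 entry file into (key, elements, data).

    Layout assumed (my reading of CacheFileMetadata.cpp, not a spec):
      [data][metadata][4-byte big-endian offset of metadata]
    metadata = 4-byte hash, one 16-bit hash per data chunk, a header of big-endian
    uint32 fields (version, fetch count, last fetched, last modified, frecency,
    expiration, key size, plus flags from version 2 on), the NUL-terminated key,
    then NUL-separated name/value pairs. Chunk hashes are not verified here.
    """
    if len(blob) < 4:
        raise ValueError("too short to be a cache2 entry")
    (meta_off,) = struct.unpack(">I", blob[-4:])
    if meta_off > len(blob) - 4:
        raise ValueError("metadata offset points past end of file")
    data, meta = blob[:meta_off], blob[meta_off:-4]
    chunks = (meta_off + CHUNK_SIZE - 1) // CHUNK_SIZE
    pos = 4 + 2 * chunks
    (version,) = struct.unpack(">I", meta[pos:pos + 4])
    nfields = 7 if version == 1 else 8
    header = struct.unpack(">%dI" % nfields, meta[pos:pos + 4 * nfields])
    key_size = header[6]
    pos += 4 * nfields
    key = meta[pos:pos + key_size]
    if meta[pos + key_size:pos + key_size + 1] != b"\x00":
        raise ValueError("key not NUL-terminated: layout differs from what is assumed here")
    parts = meta[pos + key_size + 1:].split(b"\x00")
    elements = {parts[i].decode("latin-1"): parts[i + 1] for i in range(0, len(parts) - 1, 2)}
    return key, elements, data


def url_from_key(key):
    """Keys look like b'a,:https://...' or b'O^partitionKey=...,:https://...'."""
    i = key.find(b":http")
    if i < 0:
        raise ValueError("no URL in cache key")
    return key[i + 1:].decode("utf-8", "replace")


def inspect_entry(filename, blob):
    """Origin URL, served Content-Type, body size, name/key consistency and file hashes."""
    key, elements, data = parse_cache2_entry(blob)
    head = elements.get("response-head", b"").decode("latin-1")
    ctype = next((ln.split(":", 1)[1].strip() for ln in head.split("\r\n")
                  if ln.lower().startswith("content-type:")), None)
    return {
        "url": url_from_key(key),
        "content_type": ctype,
        "data_size": len(data),
        "filename_matches_key": hashlib.sha1(key).hexdigest().upper() == filename.upper(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "md5": hashlib.md5(blob).hexdigest(),
    }


def build_entry(key, data, elements, version=3):
    """Constructed entry in the layout above (hashes zeroed; only used for the demo)."""
    chunks = (len(data) + CHUNK_SIZE - 1) // CHUNK_SIZE
    fields = [version, 1, 1580566576, 1580566576, 100, 0, len(key)] + ([0] if version >= 2 else [])
    meta = (b"\x00" * (4 + 2 * chunks) + struct.pack(">%dI" % len(fields), *fields)
            + key + b"\x00"
            + b"".join(n.encode("latin-1") + b"\x00" + v + b"\x00" for n, v in elements.items()))
    return data + meta + struct.pack(">I", len(data))


# Constructed sample: not the thread's file, and example.com is a placeholder origin.
SAMPLE_KEY = b"a,:https://example.com/downloads/tool.exe"
SAMPLE_ELEMENTS = {
    "response-head": b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n",
    "net-response-time-onstart": b"12",
}
SAMPLE_DATA = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_BLOB = build_entry(SAMPLE_KEY, SAMPLE_DATA, SAMPLE_ELEMENTS)
SAMPLE_NAME = hashlib.sha1(SAMPLE_KEY).hexdigest().upper()

if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python cache2_inspect.py <profile>/cache2/entries/<SHA1>
        with open(sys.argv[1], "rb") as fh:
            print(inspect_entry(os.path.basename(sys.argv[1]), inspect_entry and fh.read()))
    else:
        print(inspect_entry(SAMPLE_NAME, SAMPLE_BLOB))
```

If `filename_matches_key` comes back false on a real entry, either the file has been tampered with or the layout assumption above does not hold for your Firefox version; in both cases treat the recovered URL as unconfirmed. A quarantined entry whose Content-Type is an executable and whose URL is the site you were visiting is the "it was the download's cached copy" explanation; a URL you do not recognise is worth a closer look.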

So definitely a cache file. There was a question about this in the Norton community, and it looks like a false positive from what the person has said. There is also allegedly a write-up, but Norton’s website redirects me. Ah - another link works. (Note: if you do not need to go to the Norton website I recommend against it - it behaves poorly, with popups and disabling the ‘back’ button on some pages.)

Basically, Norton is saying ‘send us the file, we think it’s malware because our heuristics say it’s malware’.

Here is a thread on the Microsoft developer community website (MSDN) - a developer’s own code was labelled as a virus based upon this heuristic.

I would recommend using Windows Security - a lot cheaper, and getting just as good as the competition.

3 Likes

It is a heuristic detection (i.e. the file involves virus-like behaviour), so it is quarantined by NAV. If it is the temp file for the UPnP tester, or more particularly the port prober, it would not be unusual for it to be found to have virus-like behaviour. Submit the file to Norton/Symantec to get them to look at it for a possible false positive (FP). This Heur.AdvML.B has been an ongoing, troublesome FP part of their engine since at least 2016 (https://community.norton.com/en/forums/heuradvmlb-detected-false-positive-or-not) and is because the files are normally trying to usurp the Windows Win32k Local Privileges. The action of the known bad ones in this is that they act as Trojans to enable downloading of other packages and exploiting vulnerabilities.

From a write up about this detection process:

"Heur.AdvML.B is a heuristic detection designed to generically detect malicious files using advanced machine learning technology. A file detected by this detection name is deemed by Symantec to pose a risk to users and is therefore blocked from accessing the computer.

Due to the generic nature of this threat, we are unable to provide specific information on what it does. A typical behavior for Trojans like Heur.AdvML.B is one or all of the following:

  • Download and install other malware.
  • Use your computer for click fraud.
  • Record your keystrokes and the sites you visit.
  • Send information about your PC, including usernames and browsing history, to a remote malicious hacker.
  • Give a remote malicious hacker access to your PC.
  • Advertising banners are injected with the web pages that you are visiting.
  • Random web page text is turned into hyperlinks.
  • Browser popups appear which recommend fake updates or other software.

Files reported as Heur.AdvML.B may not necessarily be malicious. Should you be uncertain as to whether a file has been reported correctly, you can submit the affected file to https://www.virustotal.com/en/ to be scanned with multiple antivirus engines."

As you can see it is quite a broad check and does catch legit files, particularly vulnerability testing programs.

5 Likes

I love false positives, especially when the AV deletes or quarantines the file and the application that needs it for installation or operation suddenly cannot find it and summarily crashes.

After a bit of this we learn to try disabling our AV if we are confident it is not a real threat, but it does get old. It is not as if AV companies have never taken down entire companies, one of the more egregious clueless cases.

5 Likes