Author Topic: RouterCSRF-A  (Read 5014 times)


Offline XYZABC

  • Newbie
  • *
  • Posts: 3
RouterCSRF-A
« on: March 31, 2017, 09:21:21 AM »
Hi,

I have the free, personal version of Avast installed on a laptop. When I connect it to the Ethernet at work, I get "threat blocked" notifications for well-reputed websites like Wiley Online Library and Fortune, for http:routerCSRF-A. I have not checked this with the Wi-Fi connection at work, only with the Ethernet.

I reported this to IT, and they told me that in response they got a new router/switch and replaced the one for our offices. We have a lot of Wi-Fi routers, and apparently our Ethernet connection is supposed to be extremely secure. When I asked them to upgrade all our routers' firmware, they said we had too many and the routers were different. However, they did change the one that was apparently relevant to me. When I tried Wiley again, I got the same "threat blocked" popup. I scanned the Wiley website URL using VirusTotal and it came out clean.

What I want to ask is: the threats that are being blocked, does it mean that Avast is preventing the router from getting infected... or that the router IS already infected?

If it only means that Avast keeps preventing the router from getting infected, then I don't have to worry and bother IT.

The only threads I found were in other languages and did not answer my question.

Regards.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: RouterCSRF-A
« Reply #1 on: March 31, 2017, 11:27:09 AM »
VirusTotal does not scan websites for infections; it is a blacklist check.

Can you post a link to your VT scan,
and also attach a screenshot of the Avast detection popup?


CSRF attacks: Home DSL routers are vulnerable (December 8, 2008)
http://www.techrepublic.com/blog/data-center/csrf-attacks-home-dsl-routers-are-vulnerable/

https://www.howtogeek.com/227384/how-to-check-your-router-for-malware/



« Last Edit: March 31, 2017, 02:14:05 PM by Pondus »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.

Offline XYZABC

  • Newbie
  • *
  • Posts: 3
Re: RouterCSRF-A
« Reply #3 on: April 03, 2017, 10:01:10 AM »
Hi,

Here's the URL of the VT scan for Wiley Online Library: https://www.virustotal.com/en/url/1cdedd4cd909f23d1d851ab9d411c6b0700020085f9ffdb5d7cf22785b617b04/analysis/1491206229/

Here are the screenshots from the notifications and the last popup I took a screenshot of.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: RouterCSRF-A
« Reply #4 on: April 03, 2017, 10:12:41 AM »
The one you scanned at VT is not the same as the one that shows on your pic as detected / seems to contain a router exploit.

Be aware that VT does not scan for infections; it is a blacklist check.
For a malware scan you need to click the "additional information" tab, scroll down and click the Sucuri and/or Quttera link.

« Last Edit: April 03, 2017, 10:16:20 AM by Pondus »

Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
  • Core scanner developer
Re: RouterCSRF-A
« Reply #5 on: April 03, 2017, 01:40:44 PM »
Hello XYZABC,

This detection prevents infection attempts against the router. However, this detection can also trigger on a network with an already compromised router: it is one of the ways cybercriminals update the configuration on compromised routers.

But looking at the blocked URLs, it does not seem like something the detection usually triggers on. I haven't found any similar reports in our telemetry and I was unable to reproduce it locally. Does this happen only on the network in your office, or also on other networks (e.g. at home)?

Also, could you run the command nslookup beacon.krxd.net in the command line (press WIN+R, type "cmd" and hit OK) and post the result? It should output something like:
Name:    beacon-a-v2-596299490.eu-west-1.elb.amazonaws.com
Addresses:  176.34.105.3
          54.247.81.29
          176.34.179.154
          54.228.198.41
          54.228.222.178
          54.247.165.156
          54.247.76.15
          46.137.181.13
Aliases:  beacon.krxd.net
          beacon-a-dub.lb.krxd.net


Thanks
Jiri

Offline XYZABC

  • Newbie
  • *
  • Posts: 3
Re: RouterCSRF-A
« Reply #6 on: April 04, 2017, 08:39:34 AM »
Hi,

The beacon URL is a long one, and at the end it mentions the Wiley and Fortune magazine website URLs, and the previous URL they came from. The URL itself looks suspicious to me, as it is not one I clicked or went to. I could go directly to the Wiley site and still get that popup. I did not know how to copy the entire URL shown in the notification, and this is why I only searched the Wiley URL.

After I got this notification, I did not connect this same laptop to my home network, nor did I visit Wiley on my second laptop. However, I do not get the popup at home. I also get this popup sometimes on other websites like Facebook etc., and I did not get that at home. Should I try Wiley on this same laptop at home?

Posting below the results of nslookup:

nslookup beacon.krxd.net
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  fe80::589b:29a:bf7d:a1c2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out


Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
  • Core scanner developer
Re: RouterCSRF-A
« Reply #7 on: April 04, 2017, 03:28:37 PM »
Hi XYZABC,

I think I've figured it out (and it is a false positive). The RouterCSRF detection did not properly handle connections through proxy servers, which you probably use, since the domain beacon.krxd.net did not resolve to an IP address. The fix is in place and should get released in a couple of days, after it passes QA (there are currently quite a few things in the pipeline, so testing takes longer than usual).

If the detection does not stop triggering on the beacon.krxd.net site by Friday, please let me know (either in this thread or via PM).

Thank you.

P.S. If the alerts are too annoying, you can use the Silent mode (previously called Gaming mode) as a temporary workaround.
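Added example (not Avast's code, and not the actual RouterCSRF signature): a simplified model of the kind of heuristic described in this thread, a web shield that flags a cross-site request from a public page to the LAN router's admin interface, and of why a forward proxy can make such a check misfire, as reply #7 diagnoses. The assumptions are mine: the detector sees each request's URL, Referer, the address the client resolved the destination to, and whether the request went through a proxy; behind a proxy the browser does not resolve the destination itself, so that field is empty. The hosts, paths and sample requests are constructed for illustration.

```python
# Added example (not Avast's code): a simplified model of a "router CSRF"
# web-shield heuristic, and why a forward proxy can make it misfire.
#
# Assumptions (mine, not Avast's implementation details): the detector sees
# each HTTP request with its URL, its Referer, the address the client
# resolved the destination to, and whether the request went through a
# forward proxy. Behind a proxy the browser never resolves the destination
# itself, so resolved_ip is None. All sample requests below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Request:
    url: str
    referer: Optional[str]
    resolved_ip: Optional[str]  # None when the client did not resolve the host
    via_proxy: bool


def is_lan_address(text: Optional[str]) -> bool:
    """True if text is an IP literal in private, link-local or loopback space."""
    if not text:
        return False
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # a hostname, not an IP literal
        return False
    return addr.is_private or addr.is_link_local or addr.is_loopback


def is_cross_site(req: Request) -> bool:
    """Request originates from a page on a different host than its target."""
    if not req.referer:
        return False
    return urlparse(req.referer).hostname != urlparse(req.url).hostname


def naive_detector(req: Request) -> bool:
    """Flags cross-site requests whose target is not a known public address.
    This is the buggy shape: 'no public address' is taken to mean 'LAN
    target', so a proxied request to a public site is flagged."""
    if not is_cross_site(req):
        return False
    has_public_target = (req.resolved_ip is not None
                         and not is_lan_address(req.resolved_ip))
    return not has_public_target


def fixed_detector(req: Request) -> bool:
    """Flags only on positive evidence of a LAN target: either the client
    resolved the host to a private address, or the URL itself names a
    private IP literal (the usual shape of a router CSRF, e.g. a request to
    http://192.168.1.1/...). A proxied request to a hostname is not flagged."""
    if not is_cross_site(req):
        return False
    if req.via_proxy or req.resolved_ip is None:
        return is_lan_address(urlparse(req.url).hostname)
    return is_lan_address(req.resolved_ip)


# Constructed sample traffic (hosts and paths illustrative only).
SAMPLES = {
    # Genuine router CSRF: a public page makes the browser hit the router.
    "router_csrf": Request(
        url="http://192.168.1.1/apply.cgi?dns1=203.0.113.5",
        referer="http://malicious.example/",
        resolved_ip="192.168.1.1", via_proxy=False),
    # The thread's case: a tracking beacon loaded from a public page, via proxy.
    "beacon_via_proxy": Request(
        url="http://beacon.krxd.net/pixel.gif",
        referer="http://onlinelibrary.wiley.com/",
        resolved_ip=None, via_proxy=True),
    # Same beacon on a network without a proxy: resolves to a public address.
    "beacon_direct": Request(
        url="http://beacon.krxd.net/pixel.gif",
        referer="http://onlinelibrary.wiley.com/",
        resolved_ip="176.34.105.3", via_proxy=False),
    # Router CSRF attempted from behind a proxy: the URL names a private IP.
    "router_csrf_via_proxy": Request(
        url="http://192.168.0.1/setup.cgi",
        referer="http://malicious.example/",
        resolved_ip=None, via_proxy=True),
}


def evaluate(detector) -> dict:
    """Run one detector over all samples; returns {name: flagged}."""
    return {name: detector(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, fn in (("naive", naive_detector), ("fixed", fixed_detector)):
        print(name, evaluate(fn))
```

The naive version flags `beacon_via_proxy`, which is the false positive reported in this thread; the fixed version does not, while still catching both router CSRF samples. One caveat of this model: behind a proxy the proxy does the name resolution, so a hostname that the proxy resolves to a LAN address is invisible to the client-side check. A check sitting on the proxy, or a split-horizon DNS view, is needed to cover that case.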