Suspected Remote Access Trojan (RAT) On Router
I have a suspected remote access Trojan originating from my router as the problem is affecting all my Windows 10 machines. The router for the past 7-10 years has always been replaced with one of exactly the same model and I very much doubt that it has had many if any firmware or firewall updates during this time.
My broadband contract is coming up for renewal in the next few days and I have been told that my old router has finally been discontinued and my ISP wants to give me a much more powerful router which is more than double the size of the old one and hopefully it will have security advantages too.
I don’t use wi-fi on my computers only for a streaming stick and there is a button on the side of the router to turn the wi-fi off and on which I find is useful.
The new router doesn’t have this feature and I would have to access the router’s configuration page to access the wi-fi, and I will also need to do this to turn off the higher of the two wi-fi frequencies. The router is user specific and I would have to enter password details. These details I know will be really strong based on my old routers, but they could also possibly be seen by hackers.
You may be wondering why I am writing all this about my router and how I know I have a RAT. It all started several weeks ago when I noticed in Process Explorer that every time the computers connected to the internet a powershell.exe would be shown, sometimes two of them at the same time. I was able to write down the script, which appeared to be a type of interrogation to get details of my machines. Also, the occasional command prompt extension would appear in Process Explorer. The remote machine managed to download “winget”, which appeared suddenly in my Apps and Features and which I quickly uninstalled. Although winget is a genuine programme, I class it along with PowerShell and Terminal as programmes from H*ll.
Doing detective work and using the Internet, I was able to (mostly) stop PowerShell scripts from being run from both local and remote locations. I also disabled some programs in Apps and Features.
Process Explorer doesn’t have the processes jumping about now. I think I have at least made an attempt to limit the damage to my machines.
I have run full scans of Kaspersky antivirus, Microsoft Safety Scanner and the regular monthly scanner. Both the Microsoft scans detected 7 items during the scans but upon completion said no malicious items had been detected. I have also tried Zemana, Hitman Pro etc and near enough given up.
What I have never done with Windows 10 is use safe mode, as I am concerned that once in it I wouldn’t be able to get out. The emergency procedure to exit involves using the command prompt, which would be a step too far for me.
My main thoughts are with my impending internet contract. I can continue using the old router even when I get the new one. I cannot see a way out of my problems.
I am not a stranger to getting new items and not using them. I got a printer 6 years ago and didn’t use it. I got another one 3 years ago and they are both currently unused. One of the printers’ manuals is over 500 pages, but this is all moving away from the current situation that I am in.