
Misfortune Cookie

A vulnerability which uses a malformed Cookie to take control of many SOHO routers has been identified by Checkpoint and dubbed Misfortune Cookie, with the label CVE-2014-9222.

Do the latest Mac virus definitions from Sophos protect against this?



  • Hello ID2015,

    how would AV software running on a Mac (or any other computer) be able to protect against this?

    Christian

  • Because if it is a malformed Cookie which then attacks the router it should qualify as malware and hence be detectable. There must presumably be an executable element in it.

    Unless of course I've misunderstood the way it operates.....

  • http://mis.fortunecook.ie/

    First thing to do is find out if your router is vulnerable. If it is, see if there's a Firmware update for your router that patches this vulnerability. If there isn't one, I would get a different router that is known not to be vulnerable. Routers that can be flashed with Tomato and, I believe, DD-WRT firmware are not vulnerable.

  • Having had another read of the advisory I'm beginning to think I've misunderstood how this operates. My understanding was that an infected website transmits a malformed cookie which then attacks the router from the LAN side.

    I think this is probably wrong and the attack is from the WAN side utilising the remote access web server that many routers contain to facilitate remote support via TR-069.  If this is the case then QC is correct that AV will do nothing to protect against it, although Checkpoint imply in their statement that AV - in their case ZoneAlarm - would offer some protection.  I suppose they would say that wouldn't they.....

    If the attack does come from outside then, as firmware patches tend to have a lengthy gestation, switching off remote access via the WAN offers some protection, although an alternative brand of router is possibly a better long term bet.

    Asus routers get patched pretty frequently and I know that Drayteks, at least in the current models, don't use any of the offending code.

    I'd be interested to hear from someone more knowledgeable whether my interpretation of the attack vector is correct and the attack is only possible from the WAN side in the manner I describe.

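The practical advice in the thread boils down to two checks: does the router's web server answer on the WAN side at all, and what firmware is it running. The script below is an added example for the first check; it is not from the thread, from Sophos or from Checkpoint. It makes one plain HTTP HEAD request to a host and port you supply and reports whether anything answered and what `Server` banner came back, so you can compare it with your vendor's advisory. The host address and the port list are assumptions; run it from outside your own network against your own WAN address.

```python
import socket
from typing import Optional

# Added example (not from the thread): check whether a router answers HTTP on
# its WAN address, i.e. whether remote management is exposed to the Internet.
# Ports below are an assumption (common management ports); adjust for your router.
DEFAULT_PORTS = (80, 8080, 443)


def parse_server_header(raw: bytes) -> Optional[str]:
    """Return the value of the HTTP Server header from a raw response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", errors="replace")
    return None


def probe_http(host: str, port: int, timeout: float = 3.0) -> dict:
    """Send one HTTP HEAD request; report reachability and the Server banner.

    A TLS-only port (e.g. 443) will show reachable=True with server=None,
    because this probe deliberately speaks plain HTTP only.
    """
    result = {"host": host, "port": port, "reachable": False, "server": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            chunks = []
            received = 0
            while received < 4096:  # the headers are all we need
                data = sock.recv(1024)
                if not data:
                    break
                chunks.append(data)
                received += len(data)
            result["server"] = parse_server_header(b"".join(chunks))
    except OSError:
        # Connection refused, filtered (timeout) or reset: treat as not exposed.
        pass
    return result


def check_wan_exposure(host: str, ports=DEFAULT_PORTS, timeout: float = 3.0) -> list:
    """Probe each port and return the list of results (one dict per port)."""
    return [probe_http(host, port, timeout) for port in ports]


if __name__ == "__main__":
    # Replace with your own WAN address; "203.0.113.10" is a documentation placeholder.
    for r in check_wan_exposure("203.0.113.10"):
        state = "answers" if r["reachable"] else "no answer"
        print(f"{r['host']}:{r['port']} {state}; Server: {r['server']}")
```

If every port reports "no answer" from the outside, the WAN-side management interface is not reachable and the mitigation suggested in the thread is in place; if a port answers, the banner tells you which embedded web server the router runs, which is what you need when reading the vendor's firmware advisory.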