Botnet Worm Targets DSL Modems and Routers
CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.
Considering that TFA says one of the things the bot does is lock you out, I suggest that if you can log in, you are fine :-)
Repton.
They say that only an experienced wizard can do the tengu shuffle.
any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)
This does not exclude Tomato, especially if your router is set up as mentioned or you have weak passwords.
If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable.
Glad I recently switched my router to Tomato. Works better than DD-WRT, too.
Why does this article make you glad you switched?
The same thing that makes OpenWRT/DD-WRT vulnerable seems to be part of Tomato.
FTFA
"any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)."
From Tomato Features list:
"CLI (using BusyBox) with access via TELNET or SSH (using Dropbear)"
The subject text box isn't the "write-the-beginning-of-the-message-until-space-runs-out-and-then-use-the-big-textarea-under-it" field. The big textarea under it is there for a clear reason.
Just sayin'.
A. Is your password "admin," "root," "password," or some other such simplistic shit? Can you log into it remotely? If so, you're vulnerable.
B. Does SSH still connect? Can you get to your router's web page? If so, it's not infected.
C. It's a router, not something of any great intrinsic value. Nuke the firmware and start over. (Reset, boot_wait, JTAG - lots of ways to nuke a new firmware into these things without having network access to them. Listed previously are some good terms to Google for.)
I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.
On the other hand: The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.
Kid-proof tablet..
You don't have to enable remote ssh access to manage your router, unless you really need to administrate it remotely.
have you read the Moderation Guidelines Addendum?
If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.
Really, just use SSH with private/public keys and you'll be okay.
Another alternative is to close port 22 and use a non-standard, high-numbered port instead. Not as secure but most automated attacks don't scan all 65536 ports looking for an open one. If I disable passwords I'm always afraid that the one time I really need to get into my LAN will be the one time I don't have my private keys with me.
errr, yeah, if you want to kill an ant with a nuke.
Or just change your password from the default and set ssh/web/telnet administration to local segment only.
Did you read the article?
By default, Tomato doesn't allow remote (from WAN port) administration. I don't know about the other WRT firmwares, but Tomato at least is secure from this exploit by default.
The modem/router that Verizon provided for their DSL service had the firmware remotely upgraded. There is no way to avoid these updates. I hope it is secure. If someone roots that process, it will be the mother of all DDoS attacks.
A NYC lawyer blogs. http://www.chuangblog.com/
dd-wrt doesn't allow admin from WAN either, unless you tell it to.
And you can tell it to do that intelligently, using SSH on a nonstandard port, enabling tunneling, and using public key auth.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
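The advice in the two posts above (key-only SSH, a nonstandard port, and no admin from the WAN side) can be checked mechanically. The following is an added example, not code from the thread or from any router project: it parses an OpenWrt-style /etc/config/dropbear fragment and flags the settings the worm was reported to rely on. The UCI option names are OpenWrt's; the weak and hardened config texts are constructed samples.

```python
# Added example: audit a dropbear UCI section for the weaknesses the thread
# describes (password logins on, daemon reachable from WAN, default port).
# WEAK_CONFIG and HARDENED_CONFIG are constructed samples, not real router dumps.
import re

WEAK_CONFIG = """
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
"""

HARDENED_CONFIG = """
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '2222'
    option Interface 'lan'
"""

OPTION_RE = re.compile(r"^\s*option\s+(\w+)\s+'?([^'\s]*)'?\s*$")

def parse_dropbear(text):
    """Return {option: value} for the 'config dropbear' section of a UCI file."""
    opts, in_section = {}, False
    for line in text.splitlines():
        if line.strip().startswith("config "):
            in_section = line.split()[1] == "dropbear"
            continue
        m = OPTION_RE.match(line)
        if in_section and m:
            opts[m.group(1)] = m.group(2)
    return opts

def audit_dropbear(text):
    """Return a list of findings; an empty list means the config follows the thread's advice."""
    opts = parse_dropbear(text)
    findings = []
    # With no Interface option, dropbear binds every interface, WAN included.
    if opts.get("Interface", "") != "lan":
        findings.append("ssh reachable from WAN (no 'Interface lan')")
    if opts.get("PasswordAuth", "on") == "on":      # OpenWrt default is on
        findings.append("password auth enabled; use keys only")
    if opts.get("RootPasswordAuth", "on") == "on":  # OpenWrt default is on
        findings.append("root password login enabled")
    if opts.get("Port", "22") == "22":
        findings.append("default port 22 (cosmetic; key-only auth is the real fix)")
    return findings
```

Run audit_dropbear() over the real file on a router to see which of the four findings apply; the hardened sample yields none.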
> If you allow ssh access from the wide internet...
Why would you do that?
`ssh -i ~/.ssh/myrouter.key root@my.router.ip '/usr/sbin/wol -i 192.168.0.255 00:11:22:33:44:55'`
But there is no reason on earth to use SSH with password authentication. Ever.
4096bit keys with 30+ character passphrase is my standard at the moment.
Do not meddle in the affairs of geeks for they are subtle and quick to anger
Apparently I'm one of the "100,000" that got infected by this botnet.
This morning my router would not connect to any websites, yet my modem, when directly connected to my PC, still did. I reset the settings to default, disabled the vulnerabilities that got the idiots in, and set a stronger 35-character username and password.
How did I get infected in the first place? I left on remote access. And possibly my username and password weren't that complex. Live and learn I guess.