Botnet Worm Targets DSL Modems and Routers
CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A follow-up to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.
any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)
This does not exclude Tomato, especially if your router is set up as mentioned or you have weak passwords.
If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable.
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Glad I recently switched my router to Tomato. Works better than DD-WRT, too.
Why does this article make you glad you switched?
The same thing that makes OpenWRT/DD-WRT vulnerable seems to be part of Tomato.
FTFA
"any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)."
From Tomato Features list:
"CLI (using BusyBox) with access via TELNET or SSH (using Dropbear)"
The subject text box isn't the "write-the-beginning-of-the-message-until-space-runs-out-and-then-use-the-big-textarea-under-it" field. The big textarea under it is there for a clear reason.
Just sayin'.
A. Is your password "admin," "root," "password," or some other such simplistic shit? Can you log into it remotely? If so, you're vulnerable.
B. Does SSH still connect? Can you get to your router's web page? If so, it's not infected.
C. It's a router, not something of any great intrinsic value. Nuke the firmware and start over. (Reset, boot_wait, JTAG - lots of ways to nuke a new firmware into these things without having network access to them. Listed previously are some good terms to Google for.)
I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.
On the other hand: The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.
Kid-proof tablet..
> If you allow ssh access from the wide internet...
Why would you do that?
`ssh -i ~/.ssh/myrouter.key root@my.router.ip '/usr/sbin/wol -i 192.168.0.255 00:11:22:33:44:55'`
But there is no reason on earth to use SSH with password authentication. Ever.
4096bit keys with 30+ character passphrase is my standard at the moment.
Do not meddle in the affairs of geeks for they are subtle and quick to anger
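An added example, not from the thread or from any of the firmware projects mentioned: a small POSIX shell audit of an OpenWrt-style /etc/config/dropbear for the two exposures the posts above keep coming back to, SSH reachable from the WAN and password logins still allowed. The sample configs are constructed, and the defaults it assumes (PasswordAuth and RootPasswordAuth on, a missing Interface option meaning listen on every interface) are my reading of OpenWrt's dropbear init script, so check them against your own build; Tomato also ships Dropbear but stores settings in nvram rather than this file.

```shell
#!/bin/sh
# Added example: audit an OpenWrt-style /etc/config/dropbear for the exposure the
# thread describes (SSH reachable from the Internet, password logins allowed).
# Assumed defaults (my reading of OpenWrt's dropbear init script; verify on your
# build): PasswordAuth=on, RootPasswordAuth=on, and no Interface option means
# listen on all interfaces, WAN included.

# Read a dropbear UCI config on stdin, print one finding per line and return
# the number of findings (0 means nothing flagged).
audit_dropbear() {
  pw=''; rpw=''; iface=''
  while read -r key name value; do
    [ "$key" = "option" ] || continue
    value=$(printf '%s' "$value" | tr -d "'\"")   # strip UCI quoting
    case $name in
      PasswordAuth)     pw=$value ;;
      RootPasswordAuth) rpw=$value ;;
      Interface)        iface=$value ;;
    esac
  done
  n=0
  case $pw in ''|on|1)
    echo "password logins allowed: set PasswordAuth off and use keys"; n=$((n+1)) ;;
  esac
  case $rpw in ''|on|1)
    echo "root password login allowed: set RootPasswordAuth off"; n=$((n+1)) ;;
  esac
  case $iface in '')
    echo "no Interface option: dropbear listens on WAN too, set Interface lan"; n=$((n+1)) ;;
  esac
  return $n
}

# Constructed sample configs (not taken from any real device).
WEAK_DROPBEAR="config dropbear
	option PasswordAuth 'on'
	option Port '22'"

HARDENED_DROPBEAR="config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Interface 'lan'
	option Port '22'"

echo "--- weak config ---"
printf '%s\n' "$WEAK_DROPBEAR" | audit_dropbear || echo "$? finding(s)"
echo "--- hardened config ---"
printf '%s\n' "$HARDENED_DROPBEAR" | audit_dropbear && echo "nothing flagged"
```

On a live router, `audit_dropbear < /etc/config/dropbear` runs the same checks against the real file.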
Apparently I'm one of the "100,000" that got infected by this botnet.
This morning my router would not connect to any websites, yet my modem, when directly connected to my PC, still did. I reset the settings to default, disabled the vulnerabilities that got the idiots in, and put in a stronger 35-character username and password.
How did I get infected in the first place? I left on remote access. And possibly my username and password weren't that complex. Live and learn I guess.