Botnet Worm Targets DSL Modems and Routers
CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.
A. How do we know whether our kit is vulnerable?
B. How to tell whether we are infected?
C. What to do about it if we are?
I'd guess most people, even geeks, just think of their router as a black box and don't know much about them as long as they keep on working.
If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.
Really, just use SSH with private/public keys and you'll be okay.
If you allow ssh access from the wide internet, and you have a weak password for root, you always were vulnerable. Now the vulnerability is just being exploited in a more automated way.
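The two comments above come down to one check: is the box reachable from the WAN with password logins enabled? The following POSIX shell function is an added example, not code from the thread or from DroneBL; it audits an OpenSSH-style `sshd_config` for the settings that make password guessing possible and returns the number of weak findings as its exit status. It assumes OpenSSH keywords; OpenWrt's dropbear uses `/etc/config/dropbear` with different option names, which this script does not parse. The sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): audit an OpenSSH sshd_config
# for settings that leave a WAN-exposed host open to password guessing.
# Assumes OpenSSH keywords; dropbear (OpenWrt) uses a different config format.
# Match blocks are not evaluated, so a Match override could change the result.

# Print each weak setting in the file given as $1.
# Exit status = number of findings (0 means nothing weak was found).
audit_sshd_config() {
    cfg=$1
    findings=0
    pw_seen=0
    while read -r key value; do
        case "$key" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        # first word of the value, lowercased (drops trailing "# comment")
        lval=$(printf '%s' "$value" | tr 'A-Z' 'a-z' | cut -d' ' -f1)
        [ "$lkey" = passwordauthentication ] && pw_seen=1
        case "$lkey:$lval" in
            passwordauthentication:yes)
                echo "weak: PasswordAuthentication yes (allows password guessing)"
                findings=$((findings + 1)) ;;
            permitrootlogin:yes)
                echo "weak: PermitRootLogin yes (root reachable with a password)"
                findings=$((findings + 1)) ;;
            permitemptypasswords:yes)
                echo "weak: PermitEmptyPasswords yes"
                findings=$((findings + 1)) ;;
            challengeresponseauthentication:yes|kbdinteractiveauthentication:yes)
                echo "weak: $key yes (keyboard-interactive can still prompt for a password)"
                findings=$((findings + 1)) ;;
        esac
    done < "$cfg"
    # OpenSSH enables password authentication when the keyword is absent.
    if [ "$pw_seen" -eq 0 ]; then
        echo "weak: PasswordAuthentication not set (OpenSSH default is yes)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample configs (not real device files), written to temp files
# and exported through WEAK_CFG, DEFAULT_CFG and HARDENED_CFG.
make_sample_configs() {
    WEAK_CFG=$(mktemp); DEFAULT_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
    cat > "$WEAK_CFG" <<'EOF'
# typical out-of-the-box router sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF
    cat > "$DEFAULT_CFG" <<'EOF'
# nothing set explicitly: falls back to OpenSSH defaults (constructed)
Port 22
EOF
    cat > "$HARDENED_CFG" <<'EOF'
# key-only access, as the comment above recommends (constructed)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers admin
EOF
}

# Usage: make_sample_configs; audit_sshd_config "$WEAK_CFG"; echo "findings: $?"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; an exit status of 0 means only key-based logins are accepted, which is the state the comment above describes as safe even when port 22 faces the Internet.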
any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).
Anyone savvy enough to want to run OpenWRT/DD-WRT should hopefully be savvy enough to have a decent password. I'm guessing by DMZ it means open slather access to the device. Open Slather + Weak Password = Your Own Stupidity
# cat
Damn, my RAM is full of cats. MEOW!!
How so? At least on OpenWrt, SSH and Webif aren't even exposed to the WAN side without manually changing the iptables rules first.
I guess it's the same on DD-Wrt.
The devices that were targeted appear to have some serious flaws; here's a cite from an analysis of the malware:
"Several revisions of the NB5 modem shipped with a flaw which meant that the web configuration interface was visible from the WAN side, accepting connections and allowing users to administer the modem using the default username and password of 'admin' from outside the LAN. Furthermore, some of these modems suffered from another flaw, meaning that by default, authentication was not enabled for the web interface - meaning no username or password was required."
It really boils down to the usual find-weak-logins style of attacks, only the target platform has changed.
1. Be granted root access to the vulnerable device.
2. Do something nasty.
describes 99% of *nix (Linux, BSD, OS X) "exploits" I've seen.
Some of it is intentional FUD, but it's still a good example of why users should be forced to learn exactly what programs are allowed to do with user and root/admin privileges.
Most folks still think of programs the way they think of physical gadgets. Users don't understand privileges, and assume that programs are by nature isolated from each other, the operating system, and the user's personal files.
It doesn't occur to them that a malfunctioning toaster could suddenly delete their car.
How can I believe you when you tell me what I don't want to hear?