Botnet Worm Targets DSL Modems and Routers

CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.

Admin interface open on the WAN side?

[Mondo1287]

Who has their router set to allow access to the admin interface from the wan side? This is certainly not done by default. Is there some sort of browser hijack involved with this to gain access to the inside of the network?

Needs more detail

[lordtoran]

Ok, TFA states

Get a shell on the vulnerable device (methods vary).

How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.

The article doesn't go into the essential details, so I call FUD until proven otherwise.

And you really needed to...

[m6ack]

... administer your home router over the Internet? Who does that? If you don't have an open port, even on these boxen, how could you be attacked?

But, it seems to me that this is more likely an attack on stock Linksys boxen that re-flashes with a special DD-WRT designed to "phone home." Yes, DD-WRT/OpenWRT are also vulnerable if they have weak passwords, but the bulk is more likely the former.

(Disclaimer: My home router runs HyperWRT & is not listed in DroneBL.)

Re:What to do about it?

[chill]

I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

Really?

1. The article claims between 80,000 - 100,000 infected routers.
2. Neither DD-WRT nor OpenWRT allow connections from the outside world by default.
3. The worm brute-forces passwords.

From this we can conclude that there are at least 80-100K geeks who opened their connections to the outside world and used weak passwords. This does not sound like people with a "pretty good clue" to me.

Re:Tomato

[Kadin2048]

That would be nice, but it is not easy to do. The Linux distros that run on embedded routers are mostly set up to have only a single, root, user. DD-WRT is definitely this way, and I think Tomato is as well. It might be possible to rebuild it with multiple users but that is definitely not how it's designed right now.

Personally what I'd recommend is not having any of the router's management interfaces exposed to the WAN side of things, for any reason, ever. If you think you might need to administer the router remotely, set up a hardened system inside the LAN somewhere, forward a nonstandard port to sshd on it, and then log into that machine and do SOCKS port-forwarding to connect to the router. This is how I run my home network and it takes literally only a second or two longer to connect to the router this way, versus if I had it directly accessible.