Slashdot Mirror

← Back to Stories (view on slashdot.org)

Botnet Worm Targets DSL Modems and Routers

Posted by kdawson on from the new-vector dept.

CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.

3 of 272 comments (clear)

  1. Admin interface open on the WAN side? by Mondo1287 · · Score: 5, Interesting

    Who has their router set to allow access to the admin interface from the wan side? This is certainly not done by default. Is there some sort of browser hijack involved with this to gain access to the inside of the network?

  2. Needs more detail by lordtoran · · Score: 5, Interesting

    Ok, TFA states

    Get a shell on the vulnerable device (methods vary).

    How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.

    The article doesn't go into the essential details, so I call FUD until proven otherwise.

    --
    Want to hear the voice of GOD? cat /boot/vmlinuz > /dev/dsp
  3. Re:What to do about it? by chill · · Score: 5, Interesting

    I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

    Really?

    1. The article claims between 80,000 - 100,000 infected routers.
    2. Neither DD-WRT nor OpenWRT allow connections from the outside world by default.
    3. The worm brute-forces passwords.

    From this we can conclude that there are at least 80-100K geeks who opened their connections to the outside world and used weak passwords. This does not sound like people with a "pretty good clue" to me.

    --
    Learning HOW to think is more important than learning WHAT to think.