Botnet Worm Targets DSL Modems and Routers

CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.

Tomato

[Merritt.kr]

Glad I recently switched my router to Tomato. Works better than DD-WRT, too.

Re:Tomato

[snowraver1]

I'm pretty sure that Tomato is in the same boat. According to the Tomato FAQ, Tomato is Linux based, and according to TFA Embedded Linux devices seem to be the target.

Re:Tomato

[zombietangelo]

TFA states:

any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)

This does not exclude Tomato, especially if your router is set up as mentioned or you have weak passwords.

Re:Tomato

[Repton]

If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable..

Re:Tomato

[Krizdo4]

Glad I recently switched my router to Tomato. Works better than DD-WRT, too.

Why does this article make you glad you switched?
The same thing that makes OpenWRT/DD-WRT vulnerable seems to be part of Tomato.

FTFA
"any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)."

From Tomato Features list:
"CLI (using BusyBox) with access via TELNET or SSH (using Dropbear)"

Re:Tomato

[John+Hasler]

> If you allow ssh access from the wide internet...

Why would you do that?

> ...and you have a weak password for root...

Why would you do that?

Re:Tomato

If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.

Really, just use SSH with private/public keys and you'll be okay.

Re:Tomato

[Yossarian45793]

If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable.

If you allow ssh access from the wide internet, and you have a weak password for root, you always were vulnerable. Now the vulnerability is just being exploited in a more automated way.

Re:Tomato

> If you allow ssh access from the wide internet...

Why would you do that?

Normally those routers do not have users other than root...

Re:Tomato

[xiong.chiamiov]

You don't have to enable remote ssh access to manage your router, unless you really need to administrate it remotely.

Re:Tomato

[doon]

If you allow root to login via ssh from $internet with a password (Regardless of strength). You've probably got issues... Seriously, Port knocking + moving the default ssh port + Public key to a non priv'ed account with a great password (for sudo access), and you are probably a bit better off. Now I have no idea if these devices can do any/all of that, as I have no interest in deploying them to find out.

Re:Tomato

[tobiasly]

If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.

Really, just use SSH with private/public keys and you'll be okay.

Another alternative is to close port 22 and use a non-standard, high-numbered port instead. Not as secure but most automated attacks don't scan all 65536 ports looking for an open one. If I disable passwords I'm always afraid that the one time I really need to get into my LAN will be the one time I don't have my private keys with me.

Re:Tomato

[zonky]

There are of course OpenVPN or other options in some of the *.WRT's as well.

Re:Tomato

[644bd346996]

By default, Tomato doesn't allow remote (from WAN port) administration. I don't know about the other WRT firmwares, but Tomato at least is secure from this exploit by default.

Re:Tomato

[Repton]

<shrug> Ask one of the 80,000 who got infected :-)

Re:Tomato

[X0563511]

> If you allow ssh access from the wide internet...

Why would you do that?

My usage case:

SSH in, tunnel to localhost:80 for web admin.

Would it be better to leave the HTTP/HTTPS world-exposed? Probably not.

Note that with a strong root password and usage of a non-standard port will help keep the bots away. Even better if you disable password authentication for SSH and use a key instead.

Re:Tomato

[X0563511]

If you really need to access the router from the outside then forward a port (like SSH) to a secure machine on the inside and then connect to the router from that machine.

And if that's not an option, because you need to fiddle with NAT? Or the hardware is not responding for some reason (that's unimportant to my point)?

Re:Tomato

[X0563511]

They can do everything except the limited user and sudo bit. Usually they only have root.

However, nothing stops you from fiddling around and adding this in yourself. All you need is a gcc/binutils crosscompiler for the right arch, and away you go.

Re:Tomato

[X0563511]

dd-wrt doesn't allow admin from WAN either, unless you tell it to.

And you can tell it to do that intelligently, using SSH on a nonstandard port, enabling tunneling, and using public key auth.

Re:Tomato

[PReDiToR]

> If you allow ssh access from the wide internet...

Why would you do that?

`ssh -i ~/.ssh/myrouter.key root@my.router.ip '/usr/sbin/wol -i 192.168.0.255 00:11:22:33:44:55'`

But there is no reason on earth to use SSH with password authentication. Ever.

4096bit keys with 30+ character passphrase is my standard at the moment.

Re:Tomato

[Lord+Kano]

But, Vice-President Quayle, what about Potatoes?

LK

Re:Tomato

[IvyKing]

Note that with a strong root password and usage of a non-standard port will help keep the bots away. Even better if you disable password authentication for SSH and use a key instead.

Even better yet would be setting up a user acount with a non-common name and su'ing or sudo'ing to do the administrative stuff. As an example, both OpenBSD and Solaris default to blocking root access by ssh. Another nifty ssh trick is to set it up sshd to drop most connection attempts after two attempts in a minute.

Re:Tomato

[Kadin2048]

That would be nice, but it is not easy to do. The Linux distros that run on embedded routers are mostly set up to have only a single, root, user. DD-WRT is definitely this way, and I think Tomato is as well. It might be possible to rebuild it with multiple users but that is definitely not how it's designed right now.

Personally what I'd recommend is not having any of the router's management interfaces exposed to the WAN side of things, for any reason, ever. If you think you might need to administer the router remotely, set up a hardened system inside the LAN somewhere, forward a nonstandard port to sshd on it, and then log into that machine and do SOCKS port-forwarding to connect to the router. This is how I run my home network and it takes literally only a second or two longer to connect to the router this way, versus if I had it directly accessible.

Re:Tomato

[Runaway1956]

I have a very strong password. "Administrator" See? Twelve letters. I'm pretty sure that Microsoft assured me years ago that a twelve letter password made for a real strong hash......

Re:Tomato

[xeoron]

Assuming ssh is usable. My ISP gave me a router that despite letting me set various port forwarding, refuses to honor them, so remote access to any of the machines just does not seem to work the way I would like. I do have ssh on my network machines, but they are keys, password, whitelist protected on uncommon port while only supporting version 2 connections.

Re:Tomato

[Runaway1956]

"I'm always afraid that the one time I really need to get into my LAN will be the one time I don't have my private keys with me." You could have the keys digitally tatoo'd to your anatomy somewhere. Then, you could sit on a scanner to access your keys. All of the 32nd century James Bond types do it! :-)

Re:Tomato

[Lehk228]

umm. because people are frelling stupid that's why.

Re:Tomato

[evilviper]

If I disable passwords I'm always afraid that the one time I really need to get into my LAN will be the one time I don't have my private keys with me.

Disable root login in the sshd_config, and use a sufficiently unguessable username, as well as very strong password.

If you have other user accounts on the system, you can use the "Match" keyword in the sshd_config to only allow one specific user account to perform keyboard-interactive (password) login.

Re:Tomato

Normally those routers do not have users other than root...

DD-WRT, at least, allows you to create a "Router Username" which, if I understand correctly, disables root and creates a user with root privileges with the name of your choice (maybe it just changes the root user's name?). In any case, this should prevent any kind of login with the user "root."

Let's assume you decide to change the username. If n is the number of possible passwords, to get access to your router would take on the order of n^2 attempts. If the user "root" is available, it would take only n attempts to access your router. A brute force attack requiring n^2 attempts would take months, at least. I didn't RTFA, but I expect that, if the worm even bothers trying multiple usernames, it probably limits them to "root," "admin," "administrator," and any other defaults, so just using a non-default username would make the router much more secure.

Re:Tomato

[palegray.net]

If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable..

This is why disallowing password logins is a good thing, and an even better thing is restricting access to SSH enabled devices by IP via firewall rules.

It's been a long, long time since I ran a system that let just anyone have a "crack" (ha ha) at an SSH login...

Re:Tomato

[WaroDaBeast]

Glad I'm still on dial-up. Works better than some of my friends' DSL connection, too. :o)


(They just happen to have unsteady throughput and un-tweaked connexion settings.)

Re:Tomato

[emj]

Yes making it real easy for windows users to use private keys is a good idea. Perhaps a central key rentention, so you have some use of you 30+ char key phrase ;-)

Re:Tomato

[rapiddescent]

it's a pity that dd-wrt etc don't allow the renaming of the root account... That would make this attack vector a whole lot harder.

Re:Tomato

[repvik]

Tomato is a different distribution, and might not suffer from the same vulnerabilities. Just like RedHat and Ubuntu doesn't.

Re:Tomato

[BikeHelmet]

My password is somewhere between 48 and 64 characters/numbers/symbols long. I lost count.

I don't know anything about these fancy xBit encryption doohickeys, but if you can guess my router's password, you deserve a reward. (like a new bot for your botnet)

Re:Tomato

> If you allow ssh access from the wide internet...

Why would you do that?

[...]

But there is no reason on earth to use SSH with password authentication. Ever.

Except if you want to do something useful with your boxes. Like access them. From anywhere. With anything.

Re:Tomato

[machine321]

If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.

Really, just use SSH with private/public keys and you'll be okay.

Aren't private/public keys just long passwords?

Re:Tomato

[OolimPhon]

we run our DSL modems unmanaged - we do not have the ssh password, the admin port allows the managing company to remote in. we have no choice in the matter.

Unmanaged, managed, pick one.

Re:Tomato

[Tony+Hoyle]

You don't need ssh to the router to do that. ssh to a machine behind the router.

I struggle to think of a legitimate reason to allow remote access directly to a router, to be honest.

Re:Tomato

[SL+Baur]

But, Vice-President Quayle, what about Potatoes?

Quayle read that off a flash card. Obama congratulated himself for hosting a party read off a teleprompter. Same thing.

Re:Tomato

[Tony+Hoyle]

To avoid dictionary scan attacks I rate limit SSH via iptables to 15 attemps every 5 minutes per IP. The average dictionary scanner quickly gets on the blacklist and ends up being ignored until it goes away. In theory they could come back over 2-3 days very slowly, but I've never seen that happen. And our passwords are all complex enough to avoid dictionary attacks anyway.

I've had the same problem with ssh keys.. I frequently need access from external sites where there's no possibility using such a key.

Re:Tomato

[Antique+Geekmeister]

Because you're an idiot, and you think that because it's Linux it's "safe".

Re:Tomato

[Lumpy]

Even then you dont.

Set up a VPN in the router with good passwords and usernames.

VPN in, do your admin work, all done. I have not set up a router with a public accessible ports for config for over 3 years now.

Re:Tomato

[skeeto]

Once another account is setup, there is absolutely no reason to allow root logins on SSH. PermitRootLogin should be turned off. I took it further: on my setup, DenyHost instantly bans IPs that try to log in as root.

Re:Tomato

[numbski]

Eh - why not? Edit /etc/passwd and re-populate /etc/shadow. Does that not do the trick? (I'm not trolling, I've honestly never tried...)

Re:Tomato

[bracher]

openwrt (7.09, 8.09) blocks ssh via the wan by default.

Re:Tomato

[Seq]

Wouldn't it be substantially easier to just set a really strong SSH password and use key-based auth if you need to configure your router remotely?

Re:Tomato

[NVP_Radical_Dreamer]

> If you allow ssh access from the wide internet... Why would you do that?

`ssh -i ~/.ssh/myrouter.key root@my.router.ip '/usr/sbin/wol -i 192.168.0.255 00:11:22:33:44:55'` But there is no reason on earth to use SSH with password authentication. Ever. 4096bit keys with 30+ character passphrase is my standard at the moment.

Let me be the first to say it

Re:Tomato

[PReDiToR]

I use PuTTY from my WinMob 5 PDA (HTC Universal). I can log into my router and WOL my other machines, then log into them.

You can use PuTTYgen under Linux or Windows to convert your RSA keys to .PPK and retain the security.

id_rsa, id_rsa.pub, id_rsa.ppk. On an SD card/USB key. In case of rubber hose, bite it hard (nod to NVP_Radical_Dreamer).

Ideally, people should have very strong passwords and be able to use them. DenyHosts, Knockd and host keys do help, but determined crackers will always find a way, won't they?

Re:Tomato

[Gerzel]

remove probably and still.

If you allow ssh access and have a weak password you are vulnerable.

Seriously, unless you have the box locked down and only allow direct console access to have admin rights don't set a weak password.

Re:Tomato

[Medievalist]

If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.

Really, just use SSH with private/public keys and you'll be okay.

Aren't private/public keys just long passwords?

No, but in this instance they are functionally equivalent.

A 64 character or better password that only you know, that's not in any dictionary, would serve you just as well as the most complex key scheme... either way, you're not going to get cracked by guessing engines.

But keys are geekier, it gives you an excuse to carry data storage outside your head. If you'd rather use your head just pick extremely complex passwords, you Luddite rebel you.

Re:Tomato

[Medievalist]

Assuming ssh is usable. My ISP gave me a router that despite letting me set various port forwarding, refuses to honor them, so remote access to any of the machines just does not seem to work the way I would like. I do have ssh on my network machines, but they are keys, password, whitelist protected on uncommon port while only supporting version 2 connections.

Most likely you aren't programming it right, because it has a retarded programming interface. For example, you might have to open firewall holes for forwarded ports, even though it's excruciatingly obvious that you want to let in anything for which you've set up forwarding rules.

ISP routers are the cheapest crap imaginable. If you have Verizon, they'll likely give you a Westell specially built to be extra-crappy (or worse yet an Actiontec). You can usually make them do what you want with hundreds of hours of trial and error, but you may as well throw away the manual and don't bother calling tech support. Write down the configuration that works, when you find it, because the box will reach it's MTBF about the same time you find the insanely baroque combination of options that will make it do what you need.

Of course, if you have Comcast they probably won't even give you a router - they'll just plug the Internet right into your soon-to-be-worm-hosting-machine. And if you have any problems, the first thing their tech support will tell you is to turn off your firewall.

Re:Tomato

[SCPRedMage]

They're attacking routers with weak usernames and passwords, too, so Tomato is indeed vulnerable.

Re:Tomato

[Beat+The+Odds]

Another alternative is to close port 22 and use a non-standard, high-numbered port instead. Not as secure but most automated attacks don't scan all 65536 ports looking for an open one. If I disable passwords I'm always afraid that the one time I really need to get into my LAN will be the one time I don't have my private keys with me.

Ahh, the old "security through obscurity" gambit....

This is not at all more secure.

Re:Tomato

[X0563511]

I posted this elsewhere. But for sanity reasons, here it is as well.

What happens if that machine is down for some reason, and you need to access something that you normally would go through it? The ability to get into the router and adjust NAT is very handy.

Re:Tomato

[whs8360]

Dumb question to all the geeks out there, but I don't know SHIT. Does this affect commercial broadband cards(AT&T, Verizon, etc). I admit, I don't know shit. I visit here to learn about things (BTW U guys R usually on top of things.). Help me out!

Re:Tomato

[zombietangelo]

This affects purposefully modified routers. So no, it probably doesn't affect you unless you're in way over your head with router customization.

Re:Tomato

[Lord+Kano]

Quayle was watching children write on a chalk board. What flashcard was he looking at?

Besides, just because Obama can be stupid doesn't mean we should forget about when others were stupid.

LK

Re:Tomato

[SL+Baur]

Quayle was watching children write on a chalk board. What flashcard was he looking at?

http://www.capitalcentury.com/1992.html

"What are we supposed to do?" I asked Keith Nahigian, the advance man who had prepared this little photo op," Quayle wrote.

"Just sit there and read these words off some flash cards, and the kids will go up and spell them at the blackboard," the handler told the VP. ...
Quayle looked at the blackboard, then at his contest card, and gently and quietly told the boy, "Youâ(TM)re close, but you left a little something off. The e on the end.

(That's the same source wikipedia cites and matches my own memory of the incident).

Besides, just because Obama can be stupid doesn't mean we should forget about when others were stupid.

True, but fair is fair. Obama is stupid enough to repeat anything he reads off a teleprompter and that puts him squarely in the mental category of a Dan Quayle. In fairness to Quayle, "potatoe" is an obsolete spelling and is not quite in the same category as congratulating yourself on hosting a party.

"Stand up, Chuck. So everyone can see you!"

Re:Tomato

[Kadin2048]

Maybe possibly in your universe of infinite energy and ecology resources..."for any reason, ever". Yeah right. Shot down that brainfart argument in 2 seconds, right there.

Is that you, Timecube Guy? I have no idea what you're getting on about, but just to restate for clarity:

There's no reason to have the management interface exposed on the WAN side. No good reasons, anyway. The router developers leave it in there as an option so that you can do remote administration, but enabling it vastly increases the attack surface that someone has available to them. (You have to worry about a whole web+ssh server, probably thousands of lines of code that are difficult to upgrade and patch, instead of just the packet filter.)

If you really need the ability to remote administer the router, the way to do it is to forward a single port to a machine inside the LAN, one that you can easily keep patched and up to date, and then connect to it from the outside and use it to administer the router from the normal LAN-side interface. This keeps your external exposure minimized to a single system, keeps you on a nonstandard port of your choice, allows you to do much more sophisticated authentication than the router's interface generally allows (i.e. you can do publickey-only), and allows better logging.

Frankly I'd encourage developers of router firmware to remove the WAN-side management option completely, or at least bury it somewhere deep in the "Advanced Settings" type menus, and make clear that it's only something you should use when the router is being installed inside a LAN already.

How Can I Determine If My D-Link Router is Linux-

based?

Tomato

Don't forget, Tomatoes get worms too!

Run to my openWRT router and look for.. what?

I actually RTFA, logged into my router, and I'm still not sure what to look for to see if we've been compromised.

What exactly are we looking for?

first post!
-edfardos

Re:Run to my openWRT router and look for.. what?

[Repton]

Considering that TFA says one of the things the bot does is lock you out, I suggest that if you can log in, you are fine :-)

Re:Run to my openWRT router and look for.. what?

[snowraver1]

If you are logged in using standard SSH port settings, then you should be okay. According to TFA, the worm adds the following rules:

# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP

If you telnet/ssh connections are working, and you can get to the web page, then you should be okay.

Re:Run to my openWRT router and look for.. what?

[indi0144]

so making a hard reset would clean the router?

I was about to upgrade my router to a Linux based one, now I'll wait a little.

What we see now is a trend into making every web connected appliance a part of a botnet. Will this be the end of scams like antivirus 2009? since any botnet it's more profitable in theory.

Re:Run to my openWRT router and look for.. what?

[xmff]

What exactly are we looking for?

ls -lh /var/tmp/udhcpc.env

And while you're at it, maybe recheck your password :)

Re:Run to my openWRT router and look for.. what?

[bobbonomo]

A Linux based router with public/private keys would do the trick. Well I guess 'till someone breaks that too. DD-WRT has this ability but, when you do turn it on, it does not disable the user/password thing (last time I looked). A -p or something on the sshd command needs to be added.

Re:Run to my openWRT router and look for.. what?

[TheSHAD0W]

It doesn't block 8080? That means you can use the web interface from outside. Maybe.

Re:Run to my openWRT router and look for.. what?

[Darkk]

Look at the info from the above link....I pasted it in here for you:

http://dronebl.org/blog/8

Re:Run to my openWRT router and look for.. what?

[KillzoneNET]

Apparently I'm one of the "100,000" that got infected by this botnet.

This morning my router would not connect to any websites, yet my modem when directly connected to my PC still did. I reseted the settings to default, disabled the vulnerabilities that got the idiots in and put a stronger 35 character username and password.

How did I get infected in the first place? I left on remote access. And possibly my username and password weren't that complex. Live and learn I guess.

Re:Run to my openWRT router and look for.. what?

[itsthebin]

Good for you for being honest about it mate - I am sure there are a few other /.ers who were also compromised.

are you able to tell us the user and password and port that was compromised so we can make a judgment on how bruteforced it was .

if it is a password you use elsewhere ( ./ acc :D ) , I can understand if you won't want it published.

Re:Run to my openWRT router and look for.. what?

[dargaud]

I thought remote access was only possible from the local network on all (most?) adsl router/modems...

Re:Run to my openWRT router and look for.. what?

[tuzzer]

This morning my router would not connect to any websites, yet my modem when directly connected to my PC still did.

Actually the above firewall rules only block access to the web server, telnet server and ssh server running on the router itself, not the forwards to the Internet (the rules are appended to the INPUT chain, not the FORWARD chain).

That would be kind of stupid anyway, because the user would notice this rather quickly, and probably power cycle the router because his Internet doesn't work. Kinda pointless to make it obvious there is something wrong when your goal is to run a botnet...

Re:Run to my openWRT router and look for.. what?

[naturaverl]

And change the combination on my luggage!

Re:Run to my openWRT router and look for.. what?

[KillzoneNET]

Not sure what the ports it was using exactly, but telnet was definitely on. The username was still 'root' and the password was a simple word. TFA mentions the botnet has brute forcing capabilities so I imagine with only one thing to bust through, it wouldn't at all be a hard task to get into.

Funny thing is, I thought this was just a minor bug until the first thing I saw was this /. article when my router was restored.

Re:Run to my openWRT router and look for.. what?

[atraintocry]

Oh that's easy, I just use my credit card number. It's...

What to do about it?

[GrahamCox]

A. How do we know whether our kit is vulnerable?
B. How to tell whether we are infected?
C. What to do about it if we are?

I'd guess most people, even geeks, just think of their router as a black box and don't know much about them as long as they keep on working.

Re:What to do about it?

[Yossarian45793]

If you RTFA you'll see that you're only vulnerable if you have a weak password. I guess the worm uses password guessing as the "exploit" to take over your router.

Re:What to do about it?

[adolf]

A. Is your password "admin," "root," "password," or some other such simplistic shit? Can you log into it remotely? If so, you're vulnerable.
B. Does SSH still connect? Can you get to your router's web page? If so, it's not infected.
C. It's a router, not something of any great intrinsic value. Nuke the firmware and start over. (Reset, boot_wait, JTAG - lots of ways to nuke a new firmware into these things without having network access to them. Listed previously are some good terms to Google for.)

I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

On the other hand: The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.

Re:What to do about it?

[Krizdo4]

A. Telnet or SSH listening to the internet + weak username/password
B. Configuration access via port 22 (SSH), 23 (TELNET), and 80 (HTTP) are all blocked (assuming you normally would use one of these.
C. Reflash your device (tftp method probably). Pick a secure password.

Re:What to do about it?

[John+Hasler]

> ...the default configuration doesn't allow remote access from the Internet at all.

True. The crackers have to use the bot that controls his pc and the default password that he didn't change.

Re:What to do about it?

[seanadams.com]

The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.

But it does allow access from the LAN side, so all that takes is one owned client connecting to that AP. It could even spread via laptops physically roaming to different hotspots (maybe not AT&T etc, but think of an independent coffee shop owner who should not have to be a networking guru).

Routers seem like a nice prize indeed. Always connected and on a public IP, and there's millions of them!. I'm surprised it's taken this long.

It's hard enough for most people to just hook one of these up, much less wipe a rootkit from it.

Re:What to do about it?

[chill]

I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

Really?

1. The article claims between 80,000 - 100,000 infected routers.
2. Neither DD-WRT nor OpenWRT allow connections from the outside world by default.
3. The worm brute-forces passwords.

From this we can conclude that there are at least 80-100K geeks who opened their connections to the outside world and used weak passwords. This does not sound like people with a "pretty good clue" to me.

Re:What to do about it?

[MichaelSmith]

A. Is your password "admin," "root," "password," or some other such simplistic shit?

OpenVMS has a nice feature:

set password/generate

It sets the password then tells you what the password is. Personally on linux and BSD I use

echo $RANDOM$RANDOM

...then set the password to the resulting string.

Re:What to do about it?

[nenolod]

Actually, the worm also exploits some vulnerabilities in the HTTP servers in some of these models.

Re:What to do about it?

[Repton]

I recall reading a while ago about a javascript exploit that would attempt to log in to your router using the default admin login/password. It had a list of a few hundred different defaults to try. If it got in, it would mess with your DNS.

I'm not sure what came of that..

Re:What to do about it?

[noidentity]

It's a router, not something of any great intrinsic value. Nuke the firmware and start over. (Reset, boot_wait, JTAG - lots of ways to nuke a new firmware into these things without having network access to them. Listed previously are some good terms to Google for.)

I'm just curious; if the malware alters the flash memory, how can you trust the reflash functionality? Is there some kind of unmodifiable boot ROM that the boot_wait functionality runs from, i.e. it works even if you rewrite every byte of the flash with zero?

Re:What to do about it?

[Darkk]

I run DD-WRT on my WRT54G as a wireless access point. Two things I did first was change the default username and password. And disable web-admin access via the wireless if they ever break my WPA2 encryption.

Pretty safe to me.

Re:What to do about it?

[MichaelSmith]

Must better than "admin," "root" and "password"

Re:What to do about it?

[totally+bogus+dude]

I use pwgen for pretty much all my passwords. It has some nice options to restrict/expand the allowed set of characters, and should be a standard installable package on most distros.

Its main advantage is that it creates passwords with a mix of vowels and consonants so you get an almost word-like password. If creating a password I'll need to remember, I usually set it to create 10 or 20 and skim through for something that seems memorable to me. If creating passwords for services that I just need to enter somewhere, I'll create a 20+ character password including punctuation (-y) and make it completely random (-s), then just copy and paste.

Re:What to do about it?

[DaphneDiane]

I assume you realize that using echo $RANDOM$RANDOM, results in a higher chance that the first and fifth character of your password are a 1 or 2, even 3 has a slightly higher chance than the other digits.

Re:What to do about it?

[Randall311]

If your username and password are "admin", then you're deservedly fucked.

Re:What to do about it?

[Techman83]

No one said it _only_ affected DD-WRT or OpenWRT. There are still _a lot_ of consumer grade routers that can be accessed via telnet and some I've seen in my travels with Telnet open to the world by default.

I did take great pleasure in dropping the routes on a device that appeared to be trying to brute force my ssh!

Re:What to do about it?

[Otto]

On the other hand: The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.

Many Linksys routers, to pick an example, run on top of a Linux even with their default firmware. And many (most?) of these firmwares have had known vulnerabilities that give you enough to get a shell out of it. Google "Linksys ping hack" if you want to see a truly devastating back door.

On top of that, many of these had remote access bugs. I recall one where, if you knew the right URL to hit, you could make the router execute your commands even though remote access had been disabled. All disabling it really did was not make the web pages show up on remote connections. The POST requests from the forms on them still, stupidly, went through.

Most of these problems have been patched, but how many people have never updated their router firmware? I'll bet you it's a lot. And every one of those could be hit with a not-even-that-hard-to-write worm.

In this case, the guy doesn't seem all that malicious, maybe. Especially since he's only storing the exploit script in the tmp directory. He could have just as easily stuck it in the flash memory and made it quite well hidden indeed.

Re:What to do about it?

[msimm]

Ya, opening a remote services like it's no big deal is always stupid. If you want to be that stupid do it with logging on, and check your logs and counts the failed logon attempts. Now do that for a couple of weeks, or hell, months. Eventually you'll get the pictures that the bombardment of you services will be constant, and ongoing. And that was before this automated trick. I like to use ip based restrictions so first the perp would have to compromise (and discern) another trusted system. Only to then find they have to go through the whole process over again to compromise this systems. Let them reconsider the low hanging fruit. There's no point in making these things easy for anyone, after all, apparently a lot of us already are, use that to your advantage.

Re:What to do about it?

[Tony+Hoyle]

I remember that VMS password generator from college... It gave you a list of passwords, all incomprehensible line noise, and asked you to pick one.

The problem with a password that complex is even you won't be able to guess it next time around.. perfectly secure, but not exactly useful.

Re:What to do about it?

[dargaud]

That's why I don't trust a DNS returned by any intermediary. I'd rather use OpenDNS.

Re:What to do about it?

[powerlord]

It's hard enough for most people to just hook one of these up, much less wipe a rootkit from it.

FTFA: http://dronebl.org/blog/8

Update 4 -- Before you read anything else, read this

Am I Vulnerable?

You are only vulnerable if:

Your device is a mipsel device.
Your device has telnet, SSH or web-based interfaces available to the WAN
Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
As such, 90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots.

Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT. If the above criteria is not met, then the device is NOT vulnerable.

How can I tell if I have been infected?

Ports 22, 23 and 80 are blocked as part of the infection process (but NOT as part of the rootkit itself, running the rootkit itself will not alter your iptables configuration).

If these ports are blocked, you should perform a hard reset on your device, change the administrative passwords, and update to the latest firmware. These steps will remove the rootkit and ensure that your device is not reinfected.

The removal instructions seem pretty easy to me. Wipe the image and reinstall.

Re:What to do about it?

[adolf]

Ping hack? Truly devastating back door? Google it yourself and then come back once you understand that it's not a remote exploit[1]. You call it a back door; but it's just a clever way to execute commands on the box, after having already logged into it as a superuser.

The other problem was fixed five years ago. I'll wager that most of these routers have either had their firmware upgraded, or found themselves in the trash can, because the whole thing was a steaming pile of shit at that point in time. They'd lock up frequently. Lose wireless from time to time. Fun stuff. Newer firmwares eventually began to not suck quite as bad.

Hardware failure rates of Linksys stuff from back then have been pretty high as well. Linksys had a habit (as did most everyone else) of using lousy filter capacitors on their boards, which would eventually swell up and fail. I've seen their wall-wart power supplies having high failure rates. There's a good chance that between the bunky firmware, and the bunky hardware, that there's only a very small percentage of these boxes still in use in a vulnerable state.

[1]: And since it's a local exploit, then it really doesn't matter -- by the time they've infiltrated their way deep enough that they're attacking your router from inside your own network, you've already lost the last important battle, and the war is over.

Re:What to do about it?

[adolf]

I use GNU Keyring for the same thing. Except, I run it on an old PalmOS device. It keeps a neat little encrypted database of all of the passwords it makes, along with anything else I want to keep private, and it's easy to carry anywhere...

Re:What to do about it?

[Thaelon]

an independent coffee shop owner who should not have to be a networking guru

I disagree.

If you're going to offer a free new service to your customers, you should know what you're doing to some degree. Otherwise you're just jumping on the bandwagon like the next mouth breather.

It would be like a oil change shop offering free coffee to customers (and many do), but reusing the same disposable paper filter over and over (none do this, in my experience).

Securing your network is a basic responsibility of using one just as using fresh filters or a reusable one is a basic responsibility of a coffee pot operation.

Re:What to do about it?

[seanadams.com]

It would be like a oil change shop offering free coffee to customers (and many do), but reusing the same disposable paper filter over and over (none do this, in my experience).

That's what they do with your old oil filter.

Re:What to do about it?

[Krizdo4]

If it's your router that's infected it could have OpenDNS's IPs redirect to itself and answer anyways.

Re:What to do about it?

[adolf]

Kind of.

The flash is in several sections (similar to disk partitions). Part of the boot code (which has its own section) is smart enough to talk TFTP; the boot_wait parameter just tells it how long to sit and wait for TFTP to happen.

Nobody -should- be touching that location - it's there for safety. And while there isn't really any grand protection preventing someone from maliciously modifying this code, it is somewhat device-specific and fickle. In fact, it's somewhat like a PC BIOS in that there's usually nothing preventing malware from overwriting it, but nobody ever bothers to try.

Further, the worm being discussed here does not perform boot code updates, so there's no current reason for it to be suspect.

Meanwhile, JTAG: This is a hardware interface allowing you to directly rewrite the flash ROM on the device, usually using a parallel port on a PC. My own JTAG cable consists of a few resistors on an old internal serial cable, worked just fine recovering a bricked WRT54G (with boot_wait disabled) a couple of years ago. There's nothing anything on the device can do to prevent you from rebuilding the entire system with a JTAG cable.

Re:What to do about it?

[atraintocry]

Eh, that's sort of like trading the devil you don't know (and maybe only imagine) for the devil you do. Specifically, they monkey around with Google searches. If you need a not-your-ISP backup, I've always felt better off with 4.4.4.x, but really there are plenty of public DNS servers from reputable companies that won't start redirecting things.

But in all honestly, your ISP's DNS servers are going to be closer to you, and you're paying for them. It's really one of those "it ain't broke, don't fix it" things. DNS works best when everyone's using the server that's closest to them.

The actual security value in using OpenDNS and it's ilk, if any, comes from knowing where your DNS traffic is going. Because it means you looked at the IP, which is not something everyone does. I know everyone here loves OpenDNS but my honest advice is to just use your ISP unless there's a real problem with it, because I haven't seen any instance of those guys being cleaner or safer, despite what they claim on the site.

Re:What to do about it?

[atraintocry]

but think of an independent coffee shop owner who should not have to be a networking guru

That's the thing...everyone gets mad that networking (and often computers in general) aren't so easy and magical that you can just set up an AP without knowing what you're doing. I think maybe people are made to feel dumb if they can't do this, because you can walk into a department store and see a router (something that requires expertise) on a shelf next to a CD player (something that doesn't).

It's like plumbing or roofing or anything else. Lots of people do it themselves. But that doesn't mean you don't have to know anything about it. It's a skill that people build up, even go to school for. A CCNA takes very little time to acquire if that's your thing, but frankly it's a little insulting when people imply that even that short time is worthless, that any coffee shop owner should be born with those skills.

Re:What to do about it?

[Otto]

Ping hack? Truly devastating back door? Google it yourself and then come back once you understand that it's not a remote exploit[1]. You call it a back door; but it's just a clever way to execute commands on the box, after having already logged into it as a superuser.

Ever heard of an XSS exploit? The ping hack is/was exploitable in that manner rather easily.

Re:What to do about it?

[adolf]

XSS, eh?

That's a lot more like a security failure in the browser, than any sort of remotely-exploitable failure of the router.

But what do I know - I'm just an idealist.

Re:What to do about it?

[Otto]

No, as it's actually even simpler than that. The thing doesn't even require a POST, so clever use of an IMG tag in a web page could have hacked the damn thing. Unless you want to block all third party images from webpages, or something.

The security on those things is just basically non-existent.

Re:What to do about it?

[adolf]

Interesting -- I didn't realize that.

I stand corrected. Thanks!

Re:How Can I Determine If My D-Link Router is Linu

[gmuslera]

The problem, more than linux based, is if have fixed/easy/guessable user/password for it to get into. And if well you could be responsible for that kind of info, what if is not your router/dsl modem, but from the company that gives you connectivity? What if they weren't so creative with the password of the device?

Easy fix

Not a big deal, you can just:

ssh to your router
ifconfig eth0 down

All fixed, not vulnerable anymore.

Re:Easy fix

[Darkk]

Ummm...then it doesn't really fix the problem..just annoyed buncha users! LOL

Re:Easy fix

[TinBromide]

woosh

Re:Easy fix

[this+great+guy]

Help ! When I try it I keep getting discon

Re:Hackers.

[palegray.net]

That's like saying CiCi's Pizza is the best dining experience of all time. It's not really pizza, but it is edible...

Scary Targets...

[IonOtter]

Okay, now this is scary.

Folks having OpenWRT/DD-WRT are usually a bit more savvy that the average user, so to see something specifically targeting such users is surprising.

And the fact it's gone this long without being noticed is even MORE frightening.

Re:Scary Targets...

[pushing-robot]

If you let anyone on the internet ssh into your linux boxes, and your root password is "admin" or somesuch, why is it surprising that someone will eventually exploit you?

This virus does not target "savvy users". Like most viruses, it targets idiots.

Re:Scary Targets...

[Techman83]

TFA:

any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).

Anyone Savvy enough to want to run OpenWRT/DD-WRT should hopefully be savvy enough to have a decent password. I'm guessing by DMZ it means open slather access to the device. Open Slather + Weak Password = Your Own Stupidity

Re:Scary Targets...

[lumenistan]

The choice of words in this post is interesting.

Instead of being scared or frightened, check if you have a vulnerable device in a vulnerable configuration. If you do, change the password, or better yet, flash the firmware. Monitor your other systems for signs of compromise. Fix any issues you find in the manner that makes the most sense.

I don't see where the implications of this botnet are any more or less scary than any other botnet based on the affected population. I imagine for most OpenWRT users, their device is their main gateway to the internet and once they have the device configured the way they want, they don't have much of a need to mess with it unless their needs change, and out of sight, out of mind.

We have enough manufactured fear being thrown at us as it is.

This is my opinion, please feel free to disagree.

Re:Scary Targets...

[Foodie]

The problem is that these are slightly more savvy idiots. :)

Re:Scary Targets...

[Socguy]

And the fact it's gone this long without being noticed is even MORE frightening.

It certainly is sobering. Although, when one thinks about it, folks who THINK they know what they're doing are often way more dangerous than than the guy who doesn't have a clue (especially when you got a bunch of them on your hands!) and this is not just true with computers: Imagine all the people who thought they knew what they were doing when they took out that 40y, pay-what-you-want, no-downpayment-necessary mortgage on that 7 bed 7 bath mansion!
...Or the broker that thought he knew what he was doing when he convinced that guy the mortgage was a good idea.
...Or the bank that knew what it was doing when it authorized that loan.
...Or the insurance corporation that knew what it was doing when it insured that mortgage...
...Or the ratings company that felt these mortgages bundled together comprised a sound financial asset.
...Or, well, this could go on for a while and you get the idea!

Re:Scary Targets...

[Microlith]

DMZ = All ports not forwarded to other machines are routed to the IP specified as the "DMZ" IP.

So what we have is not simply routers getting attacked, but actual machines that are completely unprotected.

Re:Scary Targets...

[The+Hooloovoo]

You'd be surprised. It's easy enough for someone with just a bit of knowledge to read an article that raves about custom firmware, download said firmware, and flash the router. Plus, DD-WRT is configured rather poorly by default (doesn't everyone want telnet?) and is vulnerable to a rather elementary XSS exploit.

The XSS exploit can be prevented by logging out of the router when you're done, but here's the catch -- DD-WRT provides no logout button/link/etc. I recall someone suggesting it on the mailing list, and it earned them a good-ol' fanboy flaming. The solution, of course, is to close your browser -- but again, there are plenty of users out there who don't know that.

Preventative workaround

[XanC]

Configure the device for IPv6, over a tunnel or whatever. The worm blocks your control ports using iptables, but not apparently ip6tables.

Re:Preventative workaround

[Krizdo4]

If you're relying on this particular worm not blocking ip6, why don't you just enable ssh on a second, high numbered port.

Re:Preventative workaround

[ristretto_dreams]

errr, yeah, if you want to kill an ant with a nuke.

Or just change your password from the default and set ssh/web/telnet administration to local segment only.

Did you read the article?

Admin interface open on the WAN side?

[Mondo1287]

Who has their router set to allow access to the admin interface from the wan side? This is certainly not done by default. Is there some sort of browser hijack involved with this to gain access to the inside of the network?

Re:Admin interface open on the WAN side?

[kyjl]

I've yet to see a router - enterprise, consumer or otherwise - that does enable that out-of-box and frankly it would be STUPID as SHIT to do that. But it does have it's uses.

My Tomato'd WRT54GL originally had outside web access via SSL as my roomie didn't have a laptop and he wanted to do work over at his girlfriend's place often. The ports were already ready to go for SSH and whatnot, just he left his Mac to go to sleep after 30 minutes or some such nonsense. He'd log in to the router, WOL, wait a minute, then he'd be ready to go. While we don't get metered for power usage (on-campus apartments, WOO!) it saved some power.

After he got his MBP and scrapped the iMac he never had a use for remote access but I never bothered to turn it off. Now that I found out about this worm I turned it off fast as Hell.

Re:Admin interface open on the WAN side?

[itzfritz]

It's necessarily being exploited from the WAN; I've seen poc code that, guessing the gateway's internal ip (typically 192.168.1.1 class c), uses javascript or html trickery to attempt a GET request that modifies that router's config. ex:, on some webpage) img src='192.168.1.1/allow-external-connections.cgi' You get the idea. Dont remember where I saw it, maybe ha.ckers/sla.ckers.org..

Re:Admin interface open on the WAN side?

[Mr_Whoopass]

Who has their router set to allow access to the admin interface from the wan side?

Me. I use Tomato so that I can log in remotely from work and then use WoL to boot my computer, server and NAS remotely in order to access any files I might need but it still allows me to shut my machines down when not needed in order to keep my electricity bill low.

I do however use an 18 digit password that uses mixed-case, numbers and special characters to make the likelihood of a brute force attack being successful to almost nil. I also regularly change my passwords which I know (having been in the IT field for 10 years) that most people do not.

It all comes down to using tried and true security practices in my opinion. If you use simple common sense you can avoid most of these issues outright.

1) Use long passwords with mixed case, numbers and special characters.
2) Change those passwords regularly.
3) Do not use the same password for different site logins.
4) Keep your router firmware up to date (though that would not have helped in this particular case apparently).
5) I would also add that you stay away from installing applications not obtained directly from the software vendor that wrote them (read warez). You have no idea what that copy of Windows XP Super-Ultimate Gold might be installing in addition.
6) Stay away from websites that are heavily laden with nefarious advertising such as porn, etc.

Common sense really.

Re:Admin interface open on the WAN side?

[Tony+Hoyle]

You don't need external router access for that. Setup a port that when given a specific string, like 'wakeup' automatically sends a WOL to the computer, and does nothing else. Worst a hacker can do then is wake your computer up.

Re:How Can I Determine If My D-Link Router is Linu

[The_PHP_Jedi]

The subject text box isn't the "write-the-beginning-of-the-message-until-space-runs-out-and-then-use-the-big-textarea-under-it" field. The big textarea under it is there for a clear reason.

Just sayin'.

Needs more detail

[lordtoran]

Ok, TFA states

Get a shell on the vulnerable device (methods vary).

How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.

The article doesn't go into the essential details, so I call FUD until proven otherwise.

Re:Needs more detail

[Krizdo4]

Ok, TFA states

Get a shell on the vulnerable device (methods vary).

How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.

The article doesn't go into the essential details, so I call FUD until proven otherwise.

From the article:

any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).

Telnet is used at least on OpenWRT after you first flash it but before you set a root password.

No consumer router I've used blocked repeated failed password attempts be default.

A bug in the web interface for the default Linksys allowed people to load the OpenWrt by sending shell commands to turn on boot wait. Just do the same but insert malicious shell code instead with the default password.

Re:Needs more detail

[v1]

one would assume it does a slow throttled attempt, starting with the true idiot passwords like "admin", "administrator", "root", "password" etc. Those four alone probably get you into 10% of those routers

Re:Needs more detail

[AHuxley]

Like root, admin?
username is blank?

Re:Needs more detail

[Plekto]

One would assume it does a slow throttled attempt, starting with the true idiot passwords like "admin", "administrator", "root", "password" etc. Those four alone probably get you into 10% of those routers.

The number of clients that I used to run into doing consulting that had no password set on their machines at all on any level was about 10-20%. They buy it and plug it in and that's that. Then the insanity starts as they are often connected to a DSL or cable connection 24/7 without any real protection.

Re:Needs more detail

[pushing-robot]

1. Be granted root access to the vulnerable device.

2. Do something nasty.

describes 99% of *nix (Linux, BSD, OS X) "exploits" I've seen.

Some of it is intentional FUD, but it's still a good example of why users should be forced to learn exactly what programs are allowed to do with user and root/admin privileges.

Most folks still think of programs the way they think of physical gadgets. Users don't understand privileges, and assume that programs are by nature isolated from each other, the operating system, and the user's personal files.

It doesn't occur to them that a malfunctioning toaster could suddenly delete their car.

Re:Needs more detail

[BronsCon]

It doesn't occur to them that a malfunctioning toaster could suddenly delete their car.

Never occurred to me... but my toaster blew up this morning and when I went to leave for work, my car was gone. I thought it had been stolen!

Re:Needs more detail

[ion.simon.c]

...I call FUD until proven otherwise.

It's not FUD.
TFA effectively says:
"Do you have telnet or SSH on your router w/ a weak password? Is that telnet or SSH port exposed to the internet? Well we've seen folks get root through those means and deploy MIPS shellcode to do nasty things to your router."

That is very calm, very certain, and very undoubtable. :)

Re:Needs more detail

[againjj]

It doesn't occur to them that a malfunctioning toaster could suddenly delete their car.

That is an incredibly insightful comment. That makes so clear what it is that people do not get about computers. This implies that that sandboxing needs to be taken to the next level. A VM for every app, perhaps?

Old news to me

[GaryOlson]

I commented on this exact subject about 18 months ago. Amused to see the security industry finally catching up.

Re:Old news to me

[snowraver1]

That's pretty awesome. Hats off to you good sir!

Re:Old news to me

[maxume]

Did you have a reasonable password set? The security industry has known that weak passwords are an issue for a lot longer than 18 months (though I do doubt that most cheapo routers have much support for anything like rate limiting, or alarms).

Re:Old news to me

[GaryOlson]

Yes, I had complex and increasingly long passwords set -- the last password was 22 characters long with mixed case and special characters. And, configuring the router from the WAN was disabled.

Re:Old news to me

[Rockoon]

The really funny part is that someone in that thread suggested that you use the same base router being hacked up in this article.

Re:Old news to me

[Spyder]

I thought I saw this kind of thing at Blackhat US 2006, as a browser expliot.

The difference is that it's "weaponized" now. We start patching, tracking and working on sigs when an expliot comes out, but the risk level really goes up when the threat is in the wild, and again when the expliot is packaged. I'm actually suprised that it's not a multi-vector threat, using maybe a spam or lured browser propagation. That would give the worm access to the protected interface.

Re:Old news to me

[maxume]

That is sort of a separate issue then, that the Netgear router you had was a POS. If the linux router box that you mention elsewhere in the thread had a weak password, you would be in the same boat as these routers (except you might be providing the botnet even more resources...).

Re:Hackers.

[houstonbofh]

That's like saying CiCi's Pizza is the best dining experience of all time. It's not really pizza, but it is edible...

Sex is like pizza... Even when it is bad, it's still pizza.

And you really needed to...

[m6ack]

... administer your home router over the Internet? Who does that? If you don't have an open port, even on these boxen, how could you be attacked?

But, it seems to me that this is more likely an attack on stock Linksys boxen that re-flashes with a special DD-WRT designed to "phone home." Yes, DD-WRT/OpenWRT are also vulnerable if they have weak passwords, but the bulk is more likely the former.

(Disclaimer: My home router runs HyperWRT & is not listed in DroneBL.)

Re:And you really needed to...

[itsthebin]

my internet facing router (tomato) accepts connections on port 1194

Re:And you really needed to...

[Samah]

... administer your home router over the Internet? Who does that? If you don't have an open port, even on these boxen, how could you be attacked?

I administer my home router over the Internet, but through an SSH tunnel. So technically, I'm actually administering from home, but yet not... you get the idea.

Re:And you really needed to...

boxen,

boxen

Please stop using this word.

Re:And you really needed to...

Well, I don't want my computers to run 24/7, but I need a low-power device that is always on so that I can log into the LAN to start the computers with WoL. OpenWRT is great, I have no telnetd or httpd and password authentication for sshd can be disabled.

Re:And you really needed to...

[Tony+Hoyle]

Limit sshd so it can only send the WOL command... or even better just have the router listening on a port for a command. No need to expose the entire CLI for a simple operation.

OpenWRT/DD-WRT devices all appear to be vulnerable

[xmff]

How so? At least on OpenWrt, SSH and Webif aren't even exposed to the wan side without manually changing the iptables rules first.

I guess it's the same on DD-Wrt.

The devices that were targetted appear to have some serious flaws, here's a cite from an analysis of the malware:

"Several revisions of the NB5 modem shipped with a flaw which meant that the web configuration interface was visible from the WAN side, accepting connections and allowing users to administer the modem using the default username and password of 'admin' from outside the LAN. Furthermore, some of these modems suffered from another flaw, meaning that by default, authentication was not enabled for the web interface - meaning no username or password was required."

It really boils down to the usual find-weak-logins style of attacks, only the target platform has changed.

Rumpelstiltskin.

[aXi]

This has put a new twist on the story of Rumpelstiltskin.
Don't set the password to a simple name you plan on say while talking to yourself and gloating.

private/public keys

[bobbonomo]

The commercial routers don't have this option. Um like D-link, Linksys, etc. Unfortunately they are the majority of home/small enterprise routers But this would be the trick to use.

Re:private/public keys

[tobiasly]

The commercial routers don't have this option. Um like D-link, Linksys, etc. Unfortunately they are the majority of home/small enterprise routers But this would be the trick to use.

Except anyone who's knowledgeable enough to set up a private/public key based ssh server on their router would have ditched that crippled factory default firmware in the first place and installed something more advanced like Tomato, which does have this feature.

Re:private/public keys

[totally+bogus+dude]

I think you might be missing the point of the article, which is that the home user / small business routers are the ones being targeted by the botnet. Pretty sure our ASAs are safe from this botnet as well, but you know, it's not particularly relevant.

One word...

[GooDieZ]

m0n0wall

maybe savvy users use bsd instead...

Re:One word...

[Tony+Hoyle]

And that will help how exactly?

It's just as easy to expose web/ssh to the internet and set an easy password on m0n0wall. Stupid users will always be stupid users.

Re:OpenWRT/DD-WRT devices all appear to be vulnera

[LingNoi]

I got DD-wrt and I am pretty everything is off by default when you first install.

Re:Hackers.

[Nutria]

Even when it is bad, it's still pizza.

Some pizza crust is so bad it's inedible...

Re:Hackers.

[anagama]

ever have mayo and corn pizza in Japan?

Re:OpenWRT/DD-WRT devices all appear to be vulnera

[nenolod]

That analysis is old.

And, it only targets DD-WRT/OpenWRT/Tomato routers configured in the way described in the article.

Re:OpenWRT/DD-WRT devices all appear to be vulnera

[xmff]

So the conclusion is "worm can infect machines with weak logins - now runs on mipsel too". :) Thanks for the info.

Wait Till They Get Verizon Routers Rooted

[darkmeridian]

The modem/router that Verizon provided for their DSL service had the firmware remotely upgraded. There is no way to avoid these updates. I hope it is secure. If someone roots that process, it will be the mother of all DDOS attacks.

Re:Wait Till They Get Verizon Routers Rooted

That remote upgrade is not done over IP, but over some DSL specific protocol that only exists within the specific ISP.

So while not impossible, it's far less likely.

Re:Wait Till They Get Verizon Routers Rooted

[Lumpy]

Really? you cant avoid that update?

Why was I able to turn it off along with disabling the crappy "router" function in the westell modems?

you CAN avoid it, you have to know what you are doing.

Re:Wait Till They Get Verizon Routers Rooted

[bartwol]

Congratulations in having established your distaste for Verizon. Otherwise, you have ignored any of the specifics of this vulnerability and established NO likelihood of vulnerability in Verizon's modems.

Well...having been modded up as you have, you are clearly in good company. Perhaps you can all get together and share more of this kind of wisdom? If you put your heads together, you might be able to protect Verizon modems from ghosts and evil spirits.

Re:Wait Till They Get Verizon Routers Rooted

[LuxMaker]

Install sniffer between line and line in on Verizon router. Wait for update and capture traffic. Analyze traffic and get username password info. Use said info to secure new botnet. Definitely not FUD.

Re:Wait Till They Get Verizon Routers Rooted

[bartwol]

You, like the grandparent, offer nothing to specifically relate the "Verizon router" to the specific vulnerability being discussed.

All you have described here is the widely-known and very generic vulnerability of sending clear text credentials over an unsecured network (to a router in this case). I suspect you were aware of that vulnerability well before you read this article. Your point would be similarly understood and elementary to understanding Slashdot readers. To non-understanding readers, the grandparent's unqualified remarks do exactly as you deny: spread FUD.

(BTW: That "install sniffer" requirement is much larger and riskier than is likely to be accepted by a botnet operator.)

bart

Re:Hackers.

[palegray.net]

Better question: did the fact that you ate it in Japan make it taste different? :)

Re:How Can I Determine If My D-Link Router is Linu

[Darkk]

I'd imagine the password would be either "password" or "123456"

DSL in bridge mode

[baomike]

Can I feel smug that I use a dsl modem in bridge mode to a slack box (dual home) using iptables for NAT?
I am hoping...

Re:OpenWRT/DD-WRT devices all appear to be vulnera

[nenolod]

Except it also attacks the http daemons on several models.

Re:How Can I Determine If My D-Link Router is Linu

Mine's your mom's safe word.

Re:How Can I Determine If My D-Link Router is Linu

[MrLint]

WTH have you been doing playing with my luggage

Re:How Can I Determine If My D-Link Router is Linu

[Kalriath]

What meta-moderation?

Re:Hackers.

[c_forq]

I'm going out on a limb and saying it probably did. I know the mangos and bananas in South East Asia taste way different than the mangos and bananas in America. I would expect the common corns are different too.

Vulnerable to a two-phase attack

[Animats]

If this attack is combined with some PC-based worm, it will be much more effective. Routers that are vulnerable from the WAN side can be attacked by zombie PCs. The router can then be reprogrammed to try to attack anything that attaches on the WAN side, bypassing any firewalls in the router. The attack on the PC, of course, includes the code that attacks routers.

We need more devices that boot from a true read-only medium. Yes, upgrading is a pain, but most devices never get upgraded anyway. At least then they'd be stable.

Linux botnet?

[w0mprat]

OpenWRT is a linux based embedded operating system.

Surely this is a first. Sure nix boxes and devices get hacked all the time, but I assumed that such automated attacks were natively difficult on linux?

Re:Linux botnet?

[michaelhood]

but I assumed that such automated attacks were natively difficult on linux?

You assumed wrong. Incompetent configuration is cross-platform.

Re:Linux botnet?

[compro01]

In the hands of an idiot, pretty much any system can be made insecure. In this case, it requires using a weak username/password and allowing password authenticated login from WAN (this is off by default in the mentioned systems). Linux is no more resistant to this type of attack than Windows is or any other OS.

Re:Hackers.

[ushering05401]

Sex is like pizza... Even when it is bad, it's still pizza.

Non-dairy cheese substitute.

*Snerk*

[pathological+liar]

Yeah unless you generated them on a Debian machine...

Re:Hackers.

You see, corn was very important in Japanese culture as it was originally from Japan, although an American Indian raid stole all plants and took them to America.
However, after they met Americans which are greasy and yellowy white just like popcorn, they stopped eating it altogether.
They put it over pizza so that the Yakuza can torture its victims. Japanese people are so scared of becoming fat like Americans that they would rather commit Hairy Curry also known as Sailor Fuku than eating corn pizza.

Re:Hackers.

[palegray.net]

they would rather commit Hairy Curry also known as Sailor Fuku than eating corn pizza.

I don't even know where to begin on this one...

Re:Hackers.

[turing_m]

Sex is like pizza... Even when it is bad, it's still pizza.

The difference is... when you get desperate enough to eat disgustingly bad pizza, your friends won't bring it up for the next ten years at every possible occasion.

Is my ass hanging in the wind?

[Dreadneck]

I have a WRT54G v3.0 router using the linksys v4.21.1 firmware.

I am using WPA2 Personal w/ 256-bit key[randomly generated], wireless MAC filter[whitelist] enabled, firewall enabled, block WAN request filter enabled, VPN passthrough[IPSEC,PPTP,L2TP] disabled, DMZ disabled, 256-bit randomly generated router password, and remote management and wireless access disabled.

So, am I [reasonably]safe from this thing?

Re:Is my ass hanging in the wind?

[jobst]

You're safe.

But I hope you *know* where the hardware based reset button is in case you forget that password ;-)

Re:Is my ass hanging in the wind?

Depends. What's your password?

Re:Is my ass hanging in the wind?

[Dreadneck]

Thanks for the reply. I feel somewhat relieved now.

Yes, I know where the hardware reset button is and I also use roboform to manage my passwords and routinely image my entire system for backup purposes, so I'm not too worried about forgetting the password - though I do additionally backup my roboform data to a thumb drive for paranoia's sake.

I know... I'm using Windows... but I live in a household where trying to run Linux just causes me grief from the illiterati in the family, so I do my best to keep Windows secure and up to date. Please, be merciful with the verbal abuse, lol.

Re:Is my ass hanging in the wind?

[Dreadneck]

Apologies. I spent the last few years building up an immunity to iocane powder.

Re:Is my ass hanging in the wind?

[jobst]

Don't worry, I have around 10 machines I like to look (servers/clients running linux) after and 100's (98,me,2000,xp) odd that I do not like ... so I know how you feel ;-)

Re:Hackers.

[ozmanjusri]

Sex is like pizza. FYI: Crusty and cheesy is good for pizza, for sex, not so.

I predicted this a few years ago

[wertarbyte]

While playing around with the fonera routers I already predicted issues like this: http://stefans.datenbruch.de/lafonera/whywedidit.shtml Consumer routers without decent firmware support are a even greater risk than unpatched windows systems; while access to the latter will probably be noticed, the profile of a hijacked routers stays low to its owner.

Re:Hackers.

[ivucica]

From "they"? :)

Re:OpenWRT/DD-WRT devices all appear to be vulnera

[Otto]

There's lots of ways to exploit cheapo home routers, whether they're running custom firmware or stock stuff.

- Linksys firmwares have had shell execution vulnerabilities (that's how it was originally discovered that they were running Linux in the first place) as well as remote access vulnerabilities (where turning it off didn't actually work), among others.
- Many of the custom firmwares (DD-WRT in particular) are vulnerable to rather trivial XSS attacks. Yes, visit the wrong webpage with malicious javascript and your router can get owned.
- Not to mention the large number of routers with default passwords out there...

A mildly clever script could gain a large foothold quite fast, without even having to resort to password guessing.

Useful...

[AliasMarlowe]

The problem is that these are slightly more savvy idiots. :)

Lenin would have called them Useful Idiots.

Re:Hackers.

[machine321]

Some sex crust is so bad it's inedible too.

Re:Hackers.

[Hatta]

You're not supposed to eat the handle.

So, block IRC at all firewalls

[Antique+Geekmeister]

This is not just flamebait, but a serious policy: IRC has been a popular protocol for years, but with the advent of more secure and less abused protocols, there is no modern excuse for permitting IRC through any network or system firewalls. That helps cut the painful-to-monitor control channel.

In fact, most corporate and institutional firewalls should only allow a few registered and useful protocols through their breaches, such as HTTP, HTTPS, SMTP, and SSH, and even those can often be funneled to a small set of securable servers. Yes, it interferes with the random-service-of-the-moment that some folks demand as their right. If they want such rights, they can pay the cost of running a host isolated by more secure firewalls and software management, outside the more trusted internal environment: folks should not expect both easy sharing of resources, and external access.

Re:So, block IRC at all firewalls

[Tony+Hoyle]

WIRC is not inherently insecure (or secure.. it's just a chat protocol), and is a popular means of talking with other admins for example. I use it for development purposes every day.

There's absolutely nothing to stop $virus_of_the_week using port 80 instead of port 6667. You're solving nothing by blocking a port like that.

Re:So, block IRC at all firewalls

[Lumpy]

So having the worm ssh to a server and then tunnel it's IRC controls would not be hampered by your proposal at all.

or better yet get it's controls from http over port 80, just check random compromised web servers.

I can thwart any system you can come up with to keep control over my bot on your machine. If the user on that machine can even look at webpages, I can control my bot.

no I dont run bots. But I do write some commercial software that calls home so I can disable it if the customer does not pay for that month's service fees. I have been able to get around ANY "clever" network admins tricks.

Re:So, block IRC at all firewalls

[Antique+Geekmeister]

An SSH access to the server wouldn't be blocked, true. The existing IRC control channel would, and IRC has turned into a swamp of abuse, not justifying the bandwidth it takes up in any commercial and most social environments. And monitorinig IRC is _painful_, because of the tendency for raw traffic from spewing idiots to fill the logs. It's just not worth leaving unfiltered.

Re:How Can I Determine If My D-Link Router is Linu

[Tony+Hoyle]

It probably is (most cheap routers are) but it doesn't matter. Default firmwares for consumers routers don't have shells, let alone root ones.

This affects 3rd party firmwares.. DD-WRT and the like, that offer shell access. Further it requires that you open that access to the world (which isn't the default on any version I've seen).

Re:I attempted to come up with a witty "first post

[interested+pyro]

I wear the AC hat with shame.

dont forget the -1 Off topic one! (sorry just had to!)

Re:Hackers.

[laejoh]

That's what she said :(

Re:Hackers.

[hesaigo999ca]

LOLOLOLOLOLOL

Comment removed

[account_deleted]

Comment removed based on user account deletion

Stop making sense.

[Medievalist]

Wouldn't it be substantially easier to just set a really strong SSH password and use key-based auth if you need to configure your router remotely?

You're interrupting the flow of this conversation.

You may need to down a few pints before posting in this topic. Or at least this particular thread.

Yahoo cached version of DroneBL announcement

[veranikon]

Yahoo cached version of DroneBL announcement at http://dronebl.org/blog/8

http://74.6.239.67/search/cache?ei=UTF-8&p=http%3A%2F%2Fdronebl.org%2Fblog%2F8&fr=ubuntu&u=dronebl.org/blog/8&d=XjpWTp2uSg7q&icp=1&.intl=us

Re:Hackers.

[Patch86]

When you eat a really bad pizza, you can only really bring it up the once...

Comment removed

[account_deleted]

Comment removed based on user account deletion

SSH enabled from Vonage!!

[DadLeopard]

having SSH disabled is not an option if you have a Vonage router! I'm just hoping that they have a strong password set! Has anyone figured out how to tell if your router has been compromised?