Slashdot Mirror
Botnet Worm Targets DSL Modems and Routers
CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.
A. How do we know whether our kit is vulnerable?
B. How to tell whether we are infected?
C. What to do about it if we are?
I'd guess most people, even geeks, just think of their router as a black box and don't know much about them as long as they keep on working.
any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)
This does not exclude Tomato, especially if your router is set up as mentioned or you have weak passwords.
If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable..
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Not a big deal, you can just:
ssh to your router
ifconfig eth0 down
All fixed, not vulnerable anymore.
Glad I recently switched my router to Tomato. Works better than DD-WRT, too.
Why does this article make you glad you switched?
The same thing that makes OpenWRT/DD-WRT vulnerable seems to be part of Tomato.
FTFA
"any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)."
From Tomato Features list:
"CLI (using BusyBox) with access via TELNET or SSH (using Dropbear)"
Who has their router set to allow access to the admin interface from the wan side? This is certainly not done by default. Is there some sort of browser hijack involved with this to gain access to the inside of the network?
The subject text box isn't the "write-the-beginning-of-the-message-until-space-runs-out-and-then-use-the-big-textarea-under-it" field. The big textarea under it is there for a clear reason.
Just sayin'.
Ok, TFA states
Get a shell on the vulnerable device (methods vary).
How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.
The article doesn't go into the essential details, so I call FUD until proven otherwise.
Want to hear the voice of GOD? cat
If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.
Really, just use SSH with private/public keys and you'll be okay.
If you allow ssh access from the wide internet, and you have a weak password for root, you always were vulnerable. Now the vulnerability is just being exploited in a more automated way.
any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).
Anyone Savvy enough to want to run OpenWRT/DD-WRT should hopefully be savvy enough to have a decent password. I'm guessing by DMZ it means open slather access to the device. Open Slather + Weak Password = Your Own Stupidity
# cat
Damn, my RAM is full of cats. MEOW!!
... administer your home router over the Internet? Who does that? If you don't have an open port, even on these boxen, how could you be attacked?
But, it seems to me that this is more likely an attack on stock Linksys boxen that re-flashes with a special DD-WRT designed to "phone home." Yes, DD-WRT/OpenWRT are also vulnerable if they have weak passwords, but the bulk is more likely the former.
(Disclaimer: My home router runs HyperWRT & is not listed in DroneBL.)
How so? At least on OpenWrt, SSH and Webif aren't even exposed to the wan side without manually changing the iptables rules first.
I guess it's the same on DD-Wrt.
The devices that were targetted appear to have some serious flaws, here's a cite from an analysis of the malware:
"Several revisions of the NB5 modem shipped with a flaw which meant that the web configuration interface was visible from the WAN side, accepting connections and allowing users to administer the modem using the default username and password of 'admin' from outside the LAN. Furthermore, some of these modems suffered from another flaw, meaning that by default, authentication was not enabled for the web interface - meaning no username or password was required."
It really boils down to the usual find-weak-logins style of attacks, only the target platform has changed.
> If you allow ssh access from the wide internet...
Why would you do that?
`ssh -i ~/.ssh/myrouter.key root@my.router.ip '/usr/sbin/wol -i 192.168.0.255 00:11:22:33:44:55'`
But there is no reason on earth to use SSH with password authentication. Ever.
4096bit keys with 30+ character passphrase is my standard at the moment.
Do not meddle in the affairs of geeks for they are subtle and quick to anger
Apparently I'm one of the "100,000" that got infected by this botnet.
This morning my router would not connect to any websites, yet my modem when directly connected to my PC still did. I reseted the settings to default, disabled the vulnerabilities that got the idiots in and put a stronger 35 character username and password.
How did I get infected in the first place? I left on remote access. And possibly my username and password weren't that complex. Live and learn I guess.
That would be nice, but it is not easy to do. The Linux distros that run on embedded routers are mostly set up to have only a single, root, user. DD-WRT is definitely this way, and I think Tomato is as well. It might be possible to rebuild it with multiple users but that is definitely not how it's designed right now.
Personally what I'd recommend is not having any of the router's management interfaces exposed to the WAN side of things, for any reason, ever. If you think you might need to administer the router remotely, set up a hardened system inside the LAN somewhere, forward a nonstandard port to sshd on it, and then log into that machine and do SOCKS port-forwarding to connect to the router. This is how I run my home network and it takes literally only a second or two longer to connect to the router this way, versus if I had it directly accessible.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The difference is... when you get desperate enough to eat disgustingly bad pizza, your friends won't bring it up for the next ten years at every possible occasion.
If I have seen further it is by stealing the Intellectual Property of giants.
Some sex crust is so bad it's inedible too.