Slashdot Mirror


Botnet Worm Targets DSL Modems and Routers

CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.


  1. What to do about it? by GrahamCox · · Score: 5, Insightful

    A. How do we know whether our kit is vulnerable?
    B. How to tell whether we are infected?
    C. What to do about it if we are?

    I'd guess most people, even geeks, just think of their router as a black box and don't know much about them as long as they keep on working.

    1. Re:What to do about it? by adolf · · Score: 5, Informative

      A. Is your password "admin," "root," "password," or some other such simplistic shit? Can you log into it remotely? If so, you're vulnerable.
      B. Does SSH still connect? Can you get to your router's web page? If so, it's not infected.
      C. It's a router, not something of any great intrinsic value. Nuke the firmware and start over. (Reset, boot_wait, JTAG - lots of ways to nuke a new firmware into these things without having network access to them. Listed previously are some good terms to Google for.)

      I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

      On the other hand: The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.
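An added example, not from the thread and not OpenWrt's own code, that turns question A ("how do we know whether our kit is vulnerable?") into a check a practitioner can run against the two config files adolf's checklist is really about: does the firewall let the WAN reach the router's own admin web UI, sshd or telnetd, and does sshd still accept passwords there? It assumes OpenWrt-style UCI files (/etc/config/firewall and /etc/config/dropbear, option names as used by OpenWrt's init scripts), a TCP port list chosen for this example, and constructed weak and hardened copies of each file embedded inline.

```python
from typing import Dict, List, Tuple

Section = Tuple[str, Dict[str, str]]

# Ports the worm is said to go after: the admin web UI, sshd and telnetd (example's own list).
ADMIN_PORTS = {"22": "ssh", "23": "telnet", "80": "http admin", "443": "https admin"}


def parse_uci(text: str) -> List[Section]:
    """Parse the UCI subset used here: 'config <type> [name]' and 'option <key> <value>'."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            sections.append((parts[1], {}))
        elif parts[0] == "option" and len(parts) == 3 and sections:
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
    return sections


def wan_exposed_ports(firewall: List[Section]) -> Dict[str, str]:
    """Admin ports that the firewall config lets the wan zone reach on the router itself."""
    exposed: Dict[str, str] = {}
    for kind, opts in firewall:
        if kind == "zone" and opts.get("name") == "wan" and opts.get("input", "").upper() == "ACCEPT":
            return dict(ADMIN_PORTS)  # router input wide open: every listening service is reachable
        if kind != "rule" or opts.get("src") != "wan" or opts.get("target", "").upper() != "ACCEPT":
            continue
        if "dest" in opts:  # a forward to a LAN host, not the router's own services
            continue
        if opts.get("proto", "tcp").lower() not in ("tcp", "tcpudp", "all"):
            continue
        for port in opts.get("dest_port", "").split():
            if port in ADMIN_PORTS:
                exposed[port] = ADMIN_PORTS[port]
    return exposed


def audit_router(dropbear_cfg: str, firewall_cfg: str) -> List[str]:
    """Human-readable findings; an empty list means nothing admin-like is reachable from the WAN."""
    findings: List[str] = []
    exposed = wan_exposed_ports(parse_uci(firewall_cfg))
    for port, service in sorted(exposed.items()):
        findings.append(f"{service} on tcp/{port} accepts connections from the wan zone")
    for kind, opts in parse_uci(dropbear_cfg):
        if kind != "dropbear":
            continue
        port = opts.get("Port", "22")
        if opts.get("Interface") == "lan":  # sshd bound to the LAN interface only
            continue
        if port in exposed and opts.get("PasswordAuth", "on").lower() in ("on", "1", "true"):
            findings.append(f"dropbear on tcp/{port} is wan-reachable with password auth enabled: brute-forceable")
    return findings


# Constructed sample configs for the example.
BASE_FIREWALL = """
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
"""
# "Remote administration": lets the whole Internet reach sshd and the web UI.
REMOTE_ADMIN_RULES = """
config rule
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'
"""
WEAK_FIREWALL = BASE_FIREWALL + REMOTE_ADMIN_RULES
HARDENED_FIREWALL = BASE_FIREWALL  # no wan -> router rules at all

WEAK_DROPBEAR = """
config dropbear
	option PasswordAuth 'on'
	option Port '22'
"""
HARDENED_DROPBEAR = """
config dropbear
	option PasswordAuth 'off'
	option Port '22'
	# keys go in /etc/dropbear/authorized_keys
"""

if __name__ == "__main__":
    for name, db, fw in (("weak", WEAK_DROPBEAR, WEAK_FIREWALL), ("hardened", HARDENED_DROPBEAR, HARDENED_FIREWALL)):
        print(name, audit_router(db, fw) or ["no WAN-side admin exposure found"])
```

On a real box the two strings would be read from /etc/config/firewall and /etc/config/dropbear; the check deliberately treats password auth as the problem only once the port is WAN-reachable, which is the combination the thread keeps coming back to.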

    2. Re:What to do about it? by John+Hasler · · Score: 5, Funny

      > ...the default configuration doesn't allow remote access from the Internet at all.

      True. The crackers have to use the bot that controls his pc and the default password that he didn't change.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:What to do about it? by seanadams.com · · Score: 5, Insightful

      The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.

      But it does allow access from the LAN side, so all that takes is one owned client connecting to that AP. It could even spread via laptops physically roaming to different hotspots (maybe not AT&T etc, but think of an independent coffee shop owner who should not have to be a networking guru).

      Routers seem like a nice prize indeed. Always connected and on a public IP, and there are millions of them! I'm surprised it's taken this long.

      It's hard enough for most people to just hook one of these up, much less wipe a rootkit from it.

    4. Re:What to do about it? by chill · · Score: 5, Interesting

      I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

      Really?

      1. The article claims between 80,000 - 100,000 infected routers.
      2. Neither DD-WRT nor OpenWRT allow connections from the outside world by default.
      3. The worm brute-forces passwords.

      From this we can conclude that there are at least 80-100K geeks who opened their connections to the outside world and used weak passwords. This does not sound like people with a "pretty good clue" to me.

      --
      Learning HOW to think is more important than learning WHAT to think.
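An added example, not from the thread, of the log-side check behind question B ("how to tell whether we are infected?"): scanning dropbear's syslog output for the password brute-forcing chill describes, and for the success-after-failures pattern that means the guessing worked. The log lines are constructed for the example (documentation address ranges), the LAN prefix 192.168.1.0/24 and the five-failures-in-ten-minutes threshold are assumptions, and the message formats are the ones dropbear itself logs for password failures and successes.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the router's LAN is 192.168.1.0/24; any other source is "WAN side".
LAN = ipaddress.ip_network("192.168.1.0/24")

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: (?P<msg>.*)$")
# Message formats as dropbear logs them for password auth.
FAIL_RE = re.compile(
    r"^(?:Bad password attempt for '(?P<user>[^']*)'|Login attempt for nonexistent user)"
    r" from (?P<ip>\d+\.\d+\.\d+\.\d+):\d+$")
OK_RE = re.compile(
    r"^Password auth succeeded for '(?P<user>[^']*)' from (?P<ip>\d+\.\d+\.\d+\.\d+):\d+$")


def triage_dropbear_log(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Return alert dicts: brute_force (threshold failures from one IP inside the window),
    likely_compromise (a password success from an IP that already failed threshold times),
    wan_password_login (a password success from outside the LAN with no prior failures)."""
    failures = defaultdict(list)  # source IP -> timestamps of failed password attempts
    alerts = []
    for line in log.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a dropbear line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        msg = m["msg"]
        fail = FAIL_RE.match(msg)
        if fail:
            ip = fail["ip"]
            failures[ip].append(ts)
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) == threshold:  # fire once, on the attempt that crosses the line
                alerts.append({"kind": "brute_force", "ip": ip, "at": m["ts"], "failures": len(recent)})
            continue
        ok = OK_RE.match(msg)
        if ok:
            ip, user = ok["ip"], ok["user"]
            prior = len(failures[ip])
            if prior >= threshold:
                alerts.append({"kind": "likely_compromise", "ip": ip, "user": user,
                               "at": m["ts"], "failures_before_success": prior})
            elif ipaddress.ip_address(ip) not in LAN:
                alerts.append({"kind": "wan_password_login", "ip": ip, "user": user, "at": m["ts"]})
    return alerts


# Constructed sample log: a guessing run from the WAN that eventually gets in,
# a normal LAN login, and a stray kernel line that must be ignored.
SAMPLE_LOG = """\
Mar 23 02:14:07 router dropbear[1987]: Child connection from 203.0.113.45:51211
Mar 23 02:14:07 router dropbear[1987]: Bad password attempt for 'root' from 203.0.113.45:51211
Mar 23 02:14:12 router dropbear[1989]: Bad password attempt for 'root' from 203.0.113.45:51214
Mar 23 02:14:18 router dropbear[1991]: Login attempt for nonexistent user from 203.0.113.45:51219
Mar 23 02:14:25 router dropbear[1993]: Bad password attempt for 'root' from 203.0.113.45:51225
Mar 23 02:14:31 router dropbear[1995]: Bad password attempt for 'root' from 203.0.113.45:51230
Mar 23 02:14:40 router dropbear[1997]: Password auth succeeded for 'root' from 203.0.113.45:51236
Mar 23 02:20:03 router dropbear[2010]: Child connection from 192.168.1.10:41002
Mar 23 02:20:04 router dropbear[2010]: Password auth succeeded for 'root' from 192.168.1.10:41002
Mar 23 02:21:00 router kernel: eth0: link up
Mar 23 03:05:11 router dropbear[2044]: Password auth succeeded for 'root' from 198.51.100.7:40001
"""

if __name__ == "__main__":
    for alert in triage_dropbear_log(SAMPLE_LOG):
        print(alert)
```

On an OpenWrt box the input would be `logread` output; a `likely_compromise` hit is the point at which adolf's answer to C applies, since nothing the box now reports about itself can be trusted.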
  2. Re:Tomato by zombietangelo · · Score: 5, Informative

    TFA states:

    any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)

    This does not exclude Tomato, especially if your router is set up as mentioned or you have weak passwords.

  3. Re:Tomato by Repton · · Score: 5, Informative

    If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable..

    --
    Repton.
    They say that only an experienced wizard can do the tengu shuffle.
  4. Easy fix by Anonymous Coward · · Score: 5, Funny

    Not a big deal, you can just:

    ssh to your router
    ifconfig eth0 down

    All fixed, not vulnerable anymore.

  5. Admin interface open on the WAN side? by Mondo1287 · · Score: 5, Interesting

    Who has their router set to allow access to the admin interface from the wan side? This is certainly not done by default. Is there some sort of browser hijack involved with this to gain access to the inside of the network?

  6. Re:How Can I Determine If My D-Link Router is Linu by The_PHP_Jedi · · Score: 5, Informative

    The subject text box isn't the "write-the-beginning-of-the-message-until-space-runs-out-and-then-use-the-big-textarea-under-it" field. The big textarea under it is there for a clear reason.

    Just sayin'.

  7. Needs more detail by lordtoran · · Score: 5, Interesting

    Ok, TFA states

    Get a shell on the vulnerable device (methods vary).

    How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.

    The article doesn't go into the essential details, so I call FUD until proven otherwise.

    --
    Want to hear the voice of GOD? cat /boot/vmlinuz > /dev/dsp
    1. Re:Needs more detail by pushing-robot · · Score: 5, Insightful

      1. Be granted root access to the vulnerable device.

      2. Do something nasty.

      describes 99% of *nix (Linux, BSD, OS X) "exploits" I've seen.

      Some of it is intentional FUD, but it's still a good example of why users should be forced to learn exactly what programs are allowed to do with user and root/admin privileges.

      Most folks still think of programs the way they think of physical gadgets. Users don't understand privileges, and assume that programs are by nature isolated from each other, the operating system, and the user's personal files.

      It doesn't occur to them that a malfunctioning toaster could suddenly delete their car.

      --
      How can I believe you when you tell me what I don't want to hear?
  8. Re:Tomato by Anonymous Coward · · Score: 5, Insightful

    If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.

    Really, just use SSH with private/public keys and you'll be okay.

  9. Re:Scary Targets... by Techman83 · · Score: 5, Insightful

    TFA:

    any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).

    Anyone savvy enough to want to run OpenWRT/DD-WRT should hopefully be savvy enough to have a decent password. I'm guessing by DMZ it means open slather access to the device. Open Slather + Weak Password = Your Own Stupidity

    --
    # cat /dev/mem | strings | grep -i cat
    Damn, my RAM is full of cats. MEOW!!
  10. OpenWRT/DD-WRT devices all appear to be vulnerable by xmff · · Score: 5, Insightful

    How so? At least on OpenWrt, SSH and Webif aren't even exposed to the wan side without manually changing the iptables rules first.

    I guess it's the same on DD-Wrt.

    The devices that were targeted appear to have some serious flaws, here's a cite from an analysis of the malware:

    "Several revisions of the NB5 modem shipped with a flaw which meant that the web configuration interface was visible from the WAN side, accepting connections and allowing users to administer the modem using the default username and password of 'admin' from outside the LAN. Furthermore, some of these modems suffered from another flaw, meaning that by default, authentication was not enabled for the web interface - meaning no username or password was required."

    It really boils down to the usual find-weak-logins style of attacks, only the target platform has changed.

  11. Re:Run to my openWRT router and look for.. what? by KillzoneNET · · Score: 5, Informative

    Apparently I'm one of the "100,000" that got infected by this botnet.

    This morning my router would not connect to any websites, yet my modem when directly connected to my PC still did. I reset the settings to default, disabled the vulnerabilities that got the idiots in and put a stronger 35-character username and password.

    How did I get infected in the first place? I left on remote access. And possibly my username and password weren't that complex. Live and learn I guess.

  12. Re:Hackers. by turing_m · · Score: 5, Funny

    Sex is like pizza... Even when it is bad, it's still pizza.

    The difference is... when you get desperate enough to eat disgustingly bad pizza, your friends won't bring it up for the next ten years at every possible occasion.

    --
    If I have seen further it is by stealing the Intellectual Property of giants.