Slashdot Mirror


Lizard Stresser DDoS-for-Hire Service Built On Hacked Home Routers

tsu doh nimh writes: The online attack service launched late last year by the same criminals who knocked Sony and Microsoft's gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers, reports Brian Krebs. From the story: "The malicious code that converts vulnerable systems into stresser bots is a variation on a piece of rather crude malware first documented in November by Russian security firm Dr. Web, but the malware itself appears to date back to early 2014. As we can see in that writeup, in addition to turning the infected host into attack zombies, the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials, such as 'admin/admin,' or 'root/12345.' In this way, each infected host is constantly trying to spread the infection to new home routers and other devices accepting incoming connections (via telnet) with default credentials."

65 comments

  1. Factory passwords is not an exploit. by Anonymous Coward · · Score: 2, Funny

    Factory passwords are what separate humans from the beasts.

    1. Re: Factory passwords is not an exploit. by MichaelMacDonald · · Score: 1

      Or the lazy. I replace and reset my routers often enough that remembering to change the defaults can get tedious. Things like this remind me to be more careful. I guess the big thing is how to tell if you're infected and remove it if you need to.

    2. Re: Factory passwords is not an exploit. by Trax3001BBS · · Score: 1

      Or the lazy. I replace and reset my routers often enough that remembering to change the defaults can get tedious. Things like this remind me to be more careful.

      My router is the same way, having to reset it every few days; in fact it's down now and I have only firewall protection, with no access to Netflix.

      When I get around to resetting it once again (a 7 second process + reboot time), I'll load a .cfg file I saved when it was working just fine, along with its different password.

      I'd replace it with my ASUS RT-AC66U Router but it's a bear to do using the 30-30-30 second hard reset every time it's not being seen; I gave up the last time, and I read here it's got security problems itself.

    3. Re: Factory passwords is not an exploit. by Anonymous Coward · · Score: 0

      I've been power cycling mine for years and it just keeps on going. I've never lost my settings, especially not the password I set.

      You both must be doing more with your router than I am to be needing to re-setup the router every week.

    4. Re: Factory passwords is not an exploit. by Trax3001BBS · · Score: 1

      I've been power cycling mine for years and it just keeps on going. I've never lost my settings, especially not the password I set.

      You both must be doing more with your router than I am to be needing to re-setup the router every week.

      Firewall was asking for access from different IPs while playing full screen games, so I reset my old router. My Charter.com DNS server 1 should be "Primary DNS: 24.196.64.53" https://www.whatsmydns.net/dns... my router shows what has been my dynamic address 1 and my dynamic address 2 as my DNS servers.

      The router claims what has been the proper setup is invalid, and my dynamic address being DNS is valid; who am I to argue, it's working. Yet my IP address is of a different nature (it's always started with a 7 and sometimes never changed), but not now.

      It's been claimed Comcast was buying out Charter (shudder!); this may be the start.

  2. Why a default? by Anonymous Coward · · Score: 1, Interesting

    Why do all routers of the same model need to come with the same initial credentials?

    1. Re:Why a default? by Anonymous Coward · · Score: 4, Funny

      Because it would be an exceptionally onerous burden to bear to, say, randomly generate a password that gets printed on a piece of paper that ships with the router.

      We are not gods, after all.

    2. Re:Why a default? by barlevg · · Score: 0

      A better question is why routers are accepting incoming connections by default. I see no problem with lax security on a home network when the only way to access a device on the network is if you're in the network, in which case a simple admin/password default is, in my opinion, OVERKILL--you shouldn't even need credentials to manage it.

    3. Re: Why a default? by Anonymous Coward · · Score: 0

      You're being sarcastic, right? My D-Link wireless extender came with a random default password printed on it.

    4. Re:Why a default? by ledow · · Score: 4, Insightful

      You already have to do that with the MAC, the s/n, etc. so what difference does it make?

      Just make the default password be the serial number of the device.

    5. Re:Why a default? by Anonymous Coward · · Score: 0

      They were making a joke, Admiral Aspergers.

    6. Re:Why a default? by halivar · · Score: 1, Funny

      I am not an Admiral, and my name is not Aspergers.

    7. Re:Why a default? by DarkOx · · Score: 2

      Right, because it's completely impossible you could ever visit some malicious site that runs a little JS to build a form on the fly and submit a forged request to your internal router if it were completely unauthenticated.

      Don't be stupid. While it's a good control to only allow these things to be managed from the inside, and you probably don't need to go overboard, you DO need at least a username and password and you DO need to change the defaults!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    8. Re:Why a default? by vux984 · · Score: 4, Insightful

      Why do all routers of the same model need to come with the same initial credentials?

      It makes printing the manual and setup instructions easier.

      It makes writing any 'plug-in-and-configure' style utilities easier.

      It makes providing support easier.

      It saves a step of changing the password for each unit after it's made and flashed, documenting the new password, and including a printout of that new password in the shipping materials.

    9. Re:Why a default? by richy+freeway · · Score: 3

      I'll just leave this here : http://www.cbits.co.uk/ourblog...

    10. Re:Why a default? by Fwipp · · Score: 4, Insightful

      I'd like to see the router simply refuse to communicate with the outside world until that username/password combo is changed. You can print the default user/password right on the device, so when you forget the password you can simply reset to factory settings - and trying to access any site will instead redirect you to a "Hey, change this password!" notice.

    11. Re:Why a default? by Anonymous Coward · · Score: 1

      Some credentials are always necessary.

      How else do you expect to keep your network secure if anyone on the local network (read: that household) can modify it?

    12. Re:Why a default? by houstonbofh · · Score: 2

      If 2Wire (the worst fucking router manufacturer on the planet) and ATT (if not the worst, in a close race with Comcast) can manage it, ANYONE can!

    13. Re:Why a default? by Anonymous Coward · · Score: 2

      Routers are configured with an individual MAC address (which is stored in the configuration flash partition and printed on the label on the bottom of the device), so configuring a random default password and printing that on the bottom of the device is hardly extra work. AFAIK all router manufacturers currently do this. In the past, some manufacturers derived the wireless LAN key and the device password from the MAC address, which was a stupid idea and led to exploits. Devices with static default passwords are probably mostly legacy devices which are still in use (or business grade devices, where this practice is still common).

    14. Re: Why a default? by Anonymous Coward · · Score: 0

      How would you change it then? LAN side and WAN side are both "the outside world."

    15. Re:Why a default? by Anonymous Coward · · Score: 0

      That's what anti-CSRF techniques are for. But router manufacturers can't seem to bother hiring a proper web developer to make the web interface for them so they end up with this kind of abortion.

    16. Re:Why a default? by Shatrat · · Score: 1

      Just make the default password be the serial number of the device.

      So I pull the serial number with an SNMP get request as part of my exploit script using a community string that is either 'public' or something standardized across the ISP?
      Your move.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    17. Re: Why a default? by ShaunC · · Score: 1

      Allow traffic from RFC1918 addresses to the router and vice versa, and refuse to pass any other packets.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    18. Re:Why a default? by Anonymous Coward · · Score: 0

      My question is why are all of these routers set up to allow external connections to it? My router admin console can't even be used over Wifi, you have to have a PC physically plugged into it.

    19. Re:Why a default? by Anonymous Coward · · Score: 0

      ROT13 it first then

    20. Re:Why a default? by Anonymous Coward · · Score: 0

      Disable SNMP services by default.

      99.99% of folks running a home / consumer router aren't using it anyway, why have it ?

      Your move. :D

    21. Re:Why a default? by Wintywasthere · · Score: 2

      Not random enough I'm afraid - If you understand how the s/n is formatted, you can brute force the password rather easily.

    22. Re:Why a default? by sound+vision · · Score: 1

      There's cocksuckers around? I'm in a dry spell, someone hook me up...

    23. Re:Why a default? by Anonymous Coward · · Score: 0

      More to the point, why in the world would they allow access to the admin screen from the WAN side?!

    24. Re:Why a default? by Anonymous Coward · · Score: 0

      I had an old netgear router that did exactly that.

    25. Re:Why a default? by Anonymous Coward · · Score: 0

      It's still an improvement on almost all passwords though. Certainly upon default ones. It's usually hexadecimal, and much much longer. Only user-set ones that are insanely long or include punctuation would be better.

    26. Re:Why a default? by DamonHD · · Score: 1

      Which is how my new router arrived. Very sensible.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    27. Re:Why a default? by DarkOx · · Score: 1

      Anti-CSRF measures all require some kind of authorized session, or authentication on the request itself, in the case of REST.

      The grandparent was suggesting the router have no authentication. CSRF attacks take advantage of the fact that the client may repeat authorization/authentication headers, and things like session cookies, whenever it connects to a resource in a realm it's previously connected with. The attacker is able to forge requests because he does not have to gain access to the authentication secrets or the session secret; he merely needs to induce the request.

      If the router is not going to authenticate the session in the first place, it would be possible for the attacker to simply script out establishing the session, and then follow it with whatever requests he likes.

      I suppose that is a pure XSS attack and no longer CSRF, in that you can't 'forge' an anonymous request. CSRF is a vulnerability that might exist on these things anyway, but probably isn't a huge concern because people don't spend all day logged into their routers. Assuming there is at least a semi-sane session timeout, the risk is probably low.

      The risk still stands though: if the only form of authentication is that the request came from an RFC1918 address, owning the router from the outside will be trivial to exploit using allowed behavior of client web browsers.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    28. Re:Why a default? by Anonymous Coward · · Score: 0

      That's a pretty good idea...

    29. Re:Why a default? by vux984 · · Score: 1

      Routers are configured with an individual MAC address

      They actually usually have several.

      (which is stored in the configuration flash partition)

      The NICs themselves have the MAC flashed into their own firmware. So the 'problem' there is already solved by the upstream vendor.

      The router firmware typically just reads the addresses from the NICs, unless you've overridden it.

      This is why you can flash a router with new firmware, including overriding and resetting all configuration and it doesn't lose its MAC.

      and printed on the label on the bottom of the device)

      In some, but not all cases. Yes.

      The point stands that everything they do that makes each unit more unique adds to the effort and cost. Having the same default password is less effort and cheaper overall, and that is why it's common practice.

    30. Re:Why a default? by tlhIngan · · Score: 1

      The NICs themselves have the MAC flashed into their own firmware. So the 'problem' there is already solved by the upstream vendor.

      The router firmware typically just reads the addresses from the NICs, unless you've overridden it.

      This is why you can flash a router with new firmware, including overriding and resetting all configuration and it doesn't lose its MAC.

      That's almost never the case, actually.

      Maybe on a PC NIC card it has an EEPROM that has the MAC and default startup information, but never on a router because the 20 cents costs too much.

      Especially since the NIC is built into most routing chips, so there's nothing to customize.

      Instead, the flash chip has a configuration partition that's read by software that programs the NICs appropriately - it can either be done at startup by the bootloader, or the NIC driver does it. Saves the cost of an extra chip and there's always spare room anyways. (The flash chip is also where the configuration is stored).

      The reason the NIC isn't wiped when you flash is because you don't flash the entire chip - just a few partitions accessible to the user - usually just the software partition (since the kernel and filesystem are all you need) leaving the bootloader, system configuration and user configuration partitions untouched.

    31. Re:Why a default? by vux984 · · Score: 1

      That's almost never the case, actually.

      You know, after I posted, I actually suspected there was no way modern consumer routers would still have dedicated EEPROM or even just PROM for the network interfaces.

      I expect the higher end stuff (and the modular stuff of course) still has its own. (as do standalone NICs for PCs PCI, USB, etc).

      But I have no doubt you are completely right with modern consumer grade routers etc.

      Thanks for the correction.

  3. Dark side by ArcadeMan · · Score: 5, Funny

    the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials, such as 'admin/admin,' or 'root/12345.'

    Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

    1. Re:Dark side by Anonymous Coward · · Score: 3, Funny

      the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials, such as 'admin/admin,' or 'root/12345.'

      Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

      President Skroob: Did it work? Where's the king?
      Dark Helmet: It worked, sir. We have the combination.
      President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
      Colonel Sandurz: 1-2-3-4-5
      President Skroob: 1-2-3-4-5?
      Colonel Sandurz: Yes!
      President Skroob: That's amazing. I've got the same combination on my luggage.

    2. Re:Dark side by Anonymous Coward · · Score: 0

      Whoever marked you as a troll is an idjit ...likely has the same password for their router

    3. Re:Dark side by steveo777 · · Score: 1

      This is the most relevant topic I've read all day.

      --
      This sig isn't original enough, it's time to come up with something witty...
  4. pfSense by Anonymous Coward · · Score: 1

    Get some hardware, install pfSense, configure, never worry about this shit again.

    1. Re:pfSense by houstonbofh · · Score: 1

      Or m0n0wall, or Untangle, or ddwrt, or.... Shit, anything. Of course changing the fucking password works too, and is easier.

    2. Re:pfSense by Anonymous Coward · · Score: 0

      But then you're still running shit that we know has had a backdoor intentionally inserted into the firmware. At least put ddwrt or tomato or something on there... but, honestly, those are old and dated. The x86 projects are at least still active.

    3. Re:pfSense by Anonymous Coward · · Score: 0

      Eh, I run Tomato on two routers; both have a build 60 days old and have been patched against the latest/greatest SSL exploits.

  5. W W W by Anonymous Coward · · Score: 1

    "In this way, each infected host is constantly trying to spread the infection to new home routers and other devices" ... there used to be a name for this, oh, it's on the tip of my tongue. W.. W.. Wor..

    1. Re: W W W by Anonymous Coward · · Score: 2, Funny

      Oh! I know this one!

      World Wide Web, right?

  6. This resource is no longer valid. Please return to by Anonymous Coward · · Score: 0

    The Beta sucks. Why will it not let me post? Why is this not working?

  7. Remote Admin Enabled by Default? by nuckfuts · · Score: 2

    Most home routers I've dealt with don't enable remote administration by default. Allowing administration from outside one's LAN seems like a more serious problem than using a default password.

    1. Re:Remote Admin Enabled by Default? by Anonymous Coward · · Score: 0

      My understanding is they're not allowing remote access by default nor design, but rather zero-days and other unpatched vulnerabilities that are gaining access to the router via the wan interface. If you never bothered to change the default logins, their job just becomes that much easier.

    2. Re:Remote Admin Enabled by Default? by smaddox · · Score: 1

      But why is the router's diagnostic/config interface accessible from the WAN port? It seems rather obvious that only the LAN ports should have access to that.

      Now, if this is some kind of buffer overflow error induced by malformed packets, that is of course rather different.

    3. Re:Remote Admin Enabled by Default? by Anonymous Coward · · Score: 0

      Poorly coded firmware that is no longer updated would be my guess. No shortage of those.

    4. Re:Remote Admin Enabled by Default? by Anonymous Coward · · Score: 0

      That's why my ISP (and many others) block incoming ports below 1024. So even if my router were listening on WAN:80, there'd be no problem. I'd have to idiotically set listening port to 8080 or some high port. I don't, I ssh in then I work from the LAN not WAN side.

    5. Re:Remote Admin Enabled by Default? by Bengie · · Score: 1

      My ISP is blocking SMTP and SMB, but everything else is wide open. You can request to have all ports opened.

    6. Re:Remote Admin Enabled by Default? by Anonymous Coward · · Score: 0

      Wow. Talk about the baby and his bathwater.

      Your ISP are retards. Do they at least stop being retarded on a customers connection if the customer requests it or are they always retards?

    7. Re: Remote Admin Enabled by Default? by gnu-sucks · · Score: 1

      Or, they hack a host on the other side of the firewall, say via some JavaScript that sends commands to the router. It's very trivial. The assumption that everything on the LAN side is inherently safe is so 90s NFS/rhosts...

  8. Why a default? by Anonymous Coward · · Score: 0

    That's not the problem. The problem is allowing logins from the WAN side by default. That's a ridiculous thing to allow; however, I feel that the blame more likely lies with ISPs shipping routers with their own poorly-modified firmware than with hardware manufacturers.

  9. duck? by Anonymous Coward · · Score: 0

    get at me sexyduck!

  10. Dem haxxorz by Anonymous Coward · · Score: 0

    krebz noz dem and dere haxxin

  11. I want to hire this service ---- by Anonymous Coward · · Score: 0

    to knock out a bunch of compromised routers...

  12. Re:GayWAD Announces War on Lizard Squad by Anonymous Coward · · Score: 0

    GayWAD Announces War on Lizard Squad

    Be my guest.

  13. Botnet on other devices involved? by lippydude · · Score: 1

    "The botnet is not made entirely of home routers; some of the infected hosts appear to be commercial routers at universities and companies, and there are undoubtedly other devices involved."

    What would be the name of the Operating System that these other devices run on?

    1. Re:Botnet on other devices involved? by CronoCloud · · Score: 1

      VxWorks.