Slashdot Mirror


Foul-Mouthed Worm Takes Control Of Wireless ISPs Around the Globe (arstechnica.com)

Dan Goodin, reporting for Ars Technica (edited and condensed): ISPs around the world are being attacked by self-replicating malware that can take complete control of widely used wireless networking equipment, according to reports from customers. San Jose, California-based Ubiquiti Networks confirmed recently that attackers are actively targeting a flaw in AirOS, the Linux-based firmware that runs the wireless routers, access points, and other gear sold by the company. The vulnerability, which allows attackers to gain access to the devices over HTTP and HTTPS connections without authenticating themselves, was patched last July, but the fix wasn't widely installed. Many customers claimed they never received notification of the threat. ISPs in Argentina, Spain, and Brazil have been attacked by the worm, said Nico Waisman, a researcher at security firm Immunity, adding that it's likely that ISPs in the U.S. and other places have also been attacked by the same malware. From the report, "Once successful, the exploit he examined replaces the password files of an infected device and then scans the network it's on for other vulnerable gear. After a certain amount of time, the worm resets infected devices to their factory default configurations, with the exception of leaving behind a backdoor account, and then disappears."

36 comments

  1. Foul-Mouthed by Megahard · · Score: 4, Informative

    The backdoor it leaves behind has a username of "mother" and a password that almost rhymes.

    --
    I eat only the real part of complex carbohydrates.
    1. Re:Foul-Mouthed by Anonymous Coward · · Score: 0

      A quick way users of these products can see if they're infected is by trying to log in to the device over SSH with the username "mother" and the password "fucker."

      Goddamnit. That's also how you log in as root on all my servers.

    2. Re:Foul-Mouthed by wardrich86 · · Score: 2

      Thank you. The summary did a poor job of explaining the title... and I'll be damned if I actually RTFA. Ain't nobody got time for that.

    3. Re:Foul-Mouthed by rewindustry · · Score: 1

      your loss..

    4. Re:Foul-Mouthed by MobileTatsu-NJG · · Score: 1

      I forgot my password, could you tell me your mother's name again?

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    5. Re:Foul-Mouthed by aduxorth · · Score: 1

      I forgot my password, could you tell me your mother's name again?

      mum

  2. Danke by s.petry · · Score: 3, Insightful

    I read the whole of TFA and left scratching my head as to why it was called foul mouthed.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  3. Vulnerability was patched by The-Ixian · · Score: 2

    Patched almost a year ago, apparently... so... I would fault ISP admins for not having a patch cycle...

    Many customers claimed they never received notification of the threat

    In this day-and-age if you are not proactive in your network security, it's on you.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Vulnerability was patched by Archangel+Michael · · Score: 2

      Average people setting up average home networks are on average, unable to patch anything.

      Average people don't care until it is too late, and then it is too late to care. (file under "It's all over but the crying")

      Really, when was the last time you checked the Vulnerability list for your home networking products? And when was the last time before that?

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Vulnerability was patched by Anonymous Coward · · Score: 0

      Routers and network infrastructure are rarely patched. Just like your BIOS.

    3. Re:Vulnerability was patched by Anonymous Coward · · Score: 0

      This isn't for average people, the vulnerability is with the wireless devices that are used for client radios to connect to the WISP's AP on a nearby tower. The WISP should have been subscribed to the firmware release mailing list to know what problems were fixed in the event they needed to upgrade their devices. Customers are not generally given login access to these since they would change the settings causing themselves to disconnect from the AP which would then result in a call to tech support. Also there is no reason for any of these devices to have a public facing IP address, the public address should have been given to the customer's router and not to the radio itself.

    4. Re:Vulnerability was patched by tlhIngan · · Score: 4, Informative

      Average people setting up average home networks are on average, unable to patch anything.

      Average people don't care until it is too late, and then it is too late to care. (file under "It's all over but the crying")

      Really, when was the last time you checked the Vulnerability list for your home networking products? And when was the last time before that?

      These aren't average people, unless average people run wireless ISPs.

      And these aren't regular consumer grade wireless hardware, these are carrier-grade wireless hardware.

      So yeah, you hope the system administrators at your ISP know what they're doing, applying patches and all that, like any good admin who administers their company's servers.

    5. Re:Vulnerability was patched by Anonymous Coward · · Score: 0

      patches for infrastructure gear DO come out though
      this was patched a year ago ... and even backported to an earlier version 10 days later

      Anybody who got stung by this was *asking* to get stung.
      I've got to imagine some heads will roll over this.

    6. Re:Vulnerability was patched by Anonymous Coward · · Score: 0

      wtf is a wireless isp? like, the wireless part of a regular isp? or the public city wifi with captive portal and all that crap "isp"?

  4. Re:We've hit the big time, folks! by Anonymous Coward · · Score: 0

    Neat. My WiFi analyzer shows some of their WAPs in range... Guess I'll keep an eye out.

  5. Re:Linux is safe. by Anonymous Coward · · Score: 0

    Nothing auto-executes. They are replacing the password file.

    The bug is the result of a file upload vulnerability in a Web administrator interface that allows at least one of the worm variants to replace the existing password file with one that contains the username "mother" and a corresponding password of "fucker." From then on, attackers have persistent control over the device.
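    As an added example (not from the article, the comment above, or Ubiquiti's own tooling), a small Python audit that compares a device's copied password file against a known-good baseline and flags the kind of change the comment describes: a new account and an extra uid-0 login. Both passwd snippets are constructed sample data, not real AirOS files.

```python
from typing import Dict, List, Tuple

# Constructed baseline: the accounts an administrator expects on the device.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:admin:/etc/persistent:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""

# Constructed sample of a password file after the kind of replacement
# described above: same accounts plus an unexpected uid-0 "mother" login.
SUSPECT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:admin:/etc/persistent:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
mother:$1$constructed$hash:0:0::/:/bin/sh
"""


def parse_passwd(text: str) -> Dict[str, Tuple[str, int, str]]:
    """Map username -> (password field, uid, shell); skip malformed lines."""
    entries: Dict[str, Tuple[str, int, str]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue
        try:
            uid = int(fields[2])
        except ValueError:
            continue  # a non-numeric uid is not a valid passwd entry
        entries[fields[0]] = (fields[1], uid, fields[6])
    return entries


def audit_passwd(baseline: str, current: str) -> List[str]:
    """Return findings: new accounts, changed hashes, extra uid-0 logins, missing accounts."""
    base, cur = parse_passwd(baseline), parse_passwd(current)
    findings: List[str] = []
    for name, (pw, uid, shell) in cur.items():
        if name not in base:
            findings.append(f"unexpected account {name!r} (uid {uid}, shell {shell})")
        elif base[name][0] != pw:
            findings.append(f"password field changed for {name!r}")
        if uid == 0 and name != "root":
            findings.append(f"non-root account {name!r} has uid 0")
    for name in base:
        if name not in cur:
            findings.append(f"baseline account {name!r} missing")
    return findings
```

A clean device yields an empty list; any finding means the file should be compared against a fresh factory image and the device re-flashed rather than just the account deleted.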

  6. Foul-mouthed? by wonkey_monkey · · Score: 1

    Foul-Mouthed

    If you're going to lead with that, you should at least explain it in the summary.

    --
    systemd is Roko's Basilisk.
    1. Re:Foul-mouthed? by Anonymous Coward · · Score: 0

      How about you explain your embarrassing little existence, you insensitive clod?!

      Sincerely,

      The foul-mouthed-malware dept.

  7. Re:Linux is safe. by Anonymous Coward · · Score: 0

    Who told you that?

  8. Re:Linux is safe. by Anonymous Coward · · Score: 0

    For those who can afford lots of RAM, try any Linux live running from DVD-ROM without persistence layer. Invulnerable.

  9. Re:Linux is safe. by Anonymous Coward · · Score: 0

    Liars, obviously.

  10. Re: Linux is safe. by Anonymous Coward · · Score: 0

    Not in this circumstance.

  11. Re:We've hit the big time, folks! by JesseMcDonald · · Score: 3, Informative

    This is the first time I've seen anything that was more than a proof of concept attack for Linux.

    It isn't an attack for Linux, it's an attack for the OEM's web interface. The fact that the firmware is based on Linux is incidental. From the article:

    The bug is the result of a file upload vulnerability in a Web administrator interface that allows at least one of the worm variants to replace the existing password file...

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  12. Direct quote from TFA: by mmell · · Score: 1
    "...and having its http/https interface exposed to the Internet..."

    They aren't talking about PAT'ing ports 80 and 443 to your web server. They aren't talking about machines in your corporate DMZ. They're talking about having your network equipment's management interface over HTTP/HTTPS exposed directly to the internet. I have a couple of consumer-grade wifi routers that have that as an option (off by default and left that way!). Sadly (having worked for a couple of ISPs in my day) I can say that some of them will enable management interfaces over WWW connections - SSH, HTTP, HTTPS, etc. I've even seen RDP exposed at one place I used to work.

    Bottom line - yes this is a really bad (but long since fixed) vulnerability; anybody who gets bit by this pretty well deserves a bite wound or two.

  13. Re:We've hit the big time, folks! by Grishnakh · · Score: 4, Informative

    You haven't been paying attention then. Linux has had all kinds of vulnerabilities over the years. You've never heard of a "rootkit"?

    According to another poster here, this particular vulnerability wasn't with Linux anyway, but the router's webserver, but back to your point, there have been many successful attacks on Linux machines. However, they've all been for network-facing servers. Exploits have been found, for instance, in Apache webservers (commonly used on LAMP-stack servers), PHP, and various low-level network services on Linux servers.

    Usually, when people talk about Linux being impervious to attacks in comparison to Windows, they're talking about desktop machines. You don't run an internet-facing Apache server on a desktop Linux box, in fact you generally only connect behind a firewall router, or if not (public Wi-Fi, though that certainly has some kind of firewall router that restricts which services can pass through), you normally don't have many network-facing services running, probably just openssh, if that. It's nothing at all like Windows where an infected email can help someone hack into your system, or automatically install a botnet. Or a webpage that can do the same.

    There's been no shortage of security vulnerabilities for various parts of Linux systems. The key is that these are public knowledge, are usually fixed quickly, and the fixes pushed out very quickly. And also that really stupid vulnerabilities affecting desktop systems generally don't exist (like with email). But one weakness that Linux-based systems do have is where some vendor uses Linux because it's free and easy to find semi-competent help to implement, but then they don't bother to keep up on the security fixes and push those out to customers. The vulnerabilities are all publicly disclosed (unlike typical proprietary vendors that try to keep them secret), so if a vendor doesn't take advantage of the fixes and push them out, their customers then become vulnerable.

  14. 6 days by Anonymous Coward · · Score: 0

    Lost connection for 6 days because of this. They are applying the patch now at least... From now on I'm blocking ports 80, 8080, 443 and 21.

  15. Re: Linux is safe. by Anonymous Coward · · Score: 0

    But it would be secure in this case. Can't write a password file to a read-only CD.

  16. Re:Linux is safe. by sjames · · Score: 0

    The only completely safe machine is disconnected from power and network, has no data of value on it, is fully embedded in a concrete block, and sunk in the deepest part of the ocean.

    In the real world, safety is relative.

    In this particular case, the vulnerability is in the proprietary web server installed in the base Linux system.

  17. Re:We've hit the big time, folks! by techno-vampire · · Score: 1

    Usually, when people talk about Linux being impervious to attacks in comparison to Windows, they're talking about desktop machines.

    In many cases, they're talking about getting infected by installing some program you found somewhere on the web and didn't bother to scan, or that you got stuck with in a drive-by download. Most if not all modern Linux distros have built-in security, such as SELinux or AppArmor to prevent malicious programs from damaging your system, and the standard file permissions (including the fact that newly-downloaded files aren't executable by default) make it even harder for them to get installed, or to wreak havoc if they do. None of this matters, of course, if somebody finds a security hole in a program you need running, such as a web server, and exploits it, although SELinux and AppArmor may be able to block the malware if it tries to access parts of your system it has no legitimate reason to use.

    --
    Good, inexpensive web hosting
  18. Re: We've hit the big time, folks! by jaxn · · Score: 1

    Then you're definitely not paying close enough attention...

    --
    "Being alive is a crock of shit." --Kilgore Trout
  19. Lazy and incompetent staff with MBA IT Managers by Anonymous Coward · · Score: 0

    Yep, I see it a LOT. The paper based CCNA guys and gals do it ALL the time. I say let them eat cake, they should have deployed the updates 7-60 days after they were released. There are bugs and new features that need to be used and tested. I prefer OpenMesh for the low end, Ubiquiti for the SMB and Cisco LWAP units for the big boys. All others are a waste of money and you will eventually have to buy something better as the junk never gets fixed.

  20. regurgitated FUD story by Anonymous Coward · · Score: 0

    Meanwhile nobody uses that shit.

    A better article would be "Microsoft software literally is complete spyware" but where the money goes...

    is to Hell.

  21. I myself thought Donald Trump... by Anonymous Coward · · Score: 0

    ...had learned to code.