Foul-Mouthed Worm Takes Control Of Wireless ISPs Around the Globe (arstechnica.com)
Dan Goodin, reporting for Ars Technica (edited and condensed): ISPs around the world are being attacked by self-replicating malware that can take complete control of widely used wireless networking equipment, according to reports from customers. San Jose, California-based Ubiquiti Networks confirmed recently that attackers are actively targeting a flaw in AirOS, the Linux-based firmware that runs the wireless routers, access points, and other gear sold by the company. The vulnerability, which allows attackers to gain access to the devices over HTTP and HTTPS connections without authenticating themselves, was patched last July, but the fix wasn't widely installed. Many customers claimed they never received notification of the threat. ISPs in Argentina, Spain, and Brazil have been attacked by the worm, said Nico Waisman, a researcher at security firm Immunity, adding that it's likely that ISPs in the U.S. and other places have also been attacked by the same malware. From the report, "Once successful, the exploit he examined replaces the password files of an infected device and then scans the network it's on for other vulnerable gear. After a certain amount of time, the worm resets infected devices to their factory default configurations, with the exception of leaving behind a backdoor account, and then disappears."
The backdoor it leaves behind has a username of "mother" and a password that almost rhymes.
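The summary says the worm swaps out the device's password file and leaves a backdoor account behind, and the comment above gives its reported username. A defender checking a fleet of Linux-based devices after an incident like this wants a quick audit of each device's account list against a known-good baseline. The script below is an added example, not code from Ubiquiti, AirOS or the Ars Technica report: it parses a passwd-format file, flags accounts that are not in the operator's baseline, accounts with UID 0 other than root, entries with an empty password field, and the account name reported in the thread. The baseline set, the sample passwd lines and the hash strings are constructed for the example; the file path on a real device and the exact format of its password file are assumptions.

```python
"""Audit a passwd-format account file from a Linux-based network device
for signs of an added backdoor account.  Added example; the baseline,
the sample file contents and the hashes are all constructed."""

# Accounts the operator expects on a clean device (constructed baseline;
# in practice this comes from a known-clean configuration backup).
EXPECTED_ACCOUNTS = {"root", "daemon", "nobody"}

# Account name reported in the discussion as the worm's leftover backdoor.
KNOWN_BACKDOOR_NAMES = {"mother"}

# Constructed sample of what a modified password file might look like.
# Hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:$1$constructed$placeholderhash1:0:0:Administrator:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
mother:$1$constructed$placeholderhash2:0:0::/root:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd(5)-style lines into dicts.

    Blank lines and comments are skipped; a line that does not have the
    seven colon-separated fields is reported as malformed rather than
    silently dropped, since a tampered file may not be well formed.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"name": line, "line": lineno, "malformed": True})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({
            "name": name, "pw": pw, "uid": uid, "gid": gid,
            "home": home, "shell": shell, "line": lineno, "malformed": False,
        })
    return entries


def audit_accounts(text, expected=EXPECTED_ACCOUNTS):
    """Return a list of (finding, account) tuples for the given file text.

    Findings:
      malformed_entry     - line did not parse as a passwd entry
      known_backdoor_name - account name matches a reported backdoor name
      unexpected_account  - account not present in the operator baseline
      extra_uid0          - a second superuser account besides root
      empty_password      - empty password field (passwordless login on
                            devices that keep hashes in passwd itself)
    """
    findings = []
    for entry in parse_passwd(text):
        if entry["malformed"]:
            findings.append(("malformed_entry", entry["name"]))
            continue
        name = entry["name"]
        if name in KNOWN_BACKDOOR_NAMES:
            findings.append(("known_backdoor_name", name))
        if name not in expected:
            findings.append(("unexpected_account", name))
        if entry["uid"] == "0" and name != "root":
            findings.append(("extra_uid0", name))
        if entry["pw"] == "":
            findings.append(("empty_password", name))
    return findings


def is_clean(text, expected=EXPECTED_ACCOUNTS):
    """True when the audit produces no findings."""
    return not audit_accounts(text, expected)


if __name__ == "__main__":
    # Run against the constructed sample; on a real device you would feed
    # this the contents of the device's password file (path is device-specific).
    for finding, account in audit_accounts(SAMPLE_PASSWD):
        print(f"{finding}: {account}")
    print("clean" if is_clean(SAMPLE_PASSWD) else "findings present")
```

On the constructed sample the audit reports the extra account three times over (reported backdoor name, not in baseline, second UID 0 entry), which is the point: even if the worm picked a different username, the baseline and UID checks would still catch an added superuser. A factory reset that leaves an account behind, as the report describes, also means a post-reset device should not be trusted just because its configuration looks default; compare its account list too.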
I eat only the real part of complex carbohydrates.
This is the first time I've seen anything that was more than a proof of concept attack for Linux.
It isn't an attack for Linux, it's an attack for the OEM's web interface. The fact that the firmware is based on Linux is incidental. From the article:
The bug is the result of a file upload vulnerability in a Web administrator interface that allows at least one of the worm variants to replace the existing password file...
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
You haven't been paying attention then. Linux has had all kinds of vulnerabilities over the years. You've never heard of a "rootkit"?
According to another poster here, this particular vulnerability wasn't with Linux anyway, but with the router's webserver. But back to your point: there have been many successful attacks on Linux machines. However, they've all been for network-facing servers. Exploits have been found, for instance, in Apache webservers (commonly used on LAMP-stack servers), PHP, and various low-level network services on Linux servers.
Usually, when people talk about Linux being impervious to attacks in comparison to Windows, they're talking about desktop machines. You don't run an internet-facing Apache server on a desktop Linux box, in fact you generally only connect behind a firewall router, or if not (public Wi-Fi, though that certainly has some kind of firewall router that restricts which services can pass through), you normally don't have many network-facing services running, probably just openssh, if that. It's nothing at all like Windows where an infected email can help someone hack into your system, or automatically install a botnet. Or a webpage that can do the same.
There's been no shortage of security vulnerabilities for various parts of Linux systems. The key is that these are public knowledge, are usually fixed quickly, and the fixes pushed out very quickly. And also that really stupid vulnerabilities affecting desktop systems generally don't exist (like with email). But one weakness that Linux-based systems do have is where some vendor uses Linux because it's free and easy to find semi-competent help to implement, but then they don't bother to keep up on the security fixes and push those out to customers. The vulnerabilities are all publicly disclosed (unlike typical proprietary vendors that try to keep them secret), so if a vendor doesn't take advantage of the fixes and push them out, their customers then become vulnerable.
These aren't average people, unless average people run wireless ISPs.
And these aren't regular consumer grade wireless hardware, these are carrier-grade wireless hardware.
So yeah, you hope the system administrators at your ISP know what they're doing, applying patches and all that, like any good admin who administers their company's servers.