Security The Internet

Botnet Worm Targets DSL Modems and Routers

CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.
  • Re:Tomato (Score:3, Informative)

    by snowraver1 ( 1052510 ) on Monday March 23, 2009 @08:26PM (#27306157)
    I'm pretty sure that Tomato is in the same boat. According to the Tomato FAQ, Tomato is Linux based, and according to TFA Embedded Linux devices seem to be the target.
  • by Repton ( 60818 ) on Monday March 23, 2009 @08:27PM (#27306171) Homepage

    Considering that TFA says one of the things the bot does is lock you out, I suggest that if you can log in, you are fine :-)

  • Re:Tomato (Score:5, Informative)

    by zombietangelo ( 1394031 ) on Monday March 23, 2009 @08:29PM (#27306183)
    TFA states:

    any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)

    This does not exclude Tomato, especially if your router is set up as mentioned or you have weak passwords.

  • by snowraver1 ( 1052510 ) on Monday March 23, 2009 @08:29PM (#27306189)
    If you are logged in using standard SSH port settings, then you should be okay. According to TFA, the worm adds the following rules:

    # iptables -A INPUT -p tcp --dport 23 -j DROP
    # iptables -A INPUT -p tcp --dport 22 -j DROP
    # iptables -A INPUT -p tcp --dport 80 -j DROP

    If your telnet/ssh connections are working, and you can get to the web page, then you should be okay.
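    One way to turn the post's "can you still log in?" check into a script, as an added example that is not from the article or any commenter: it scans `iptables -S INPUT` output for DROP rules on ports 22/23/80 that carry no interface match, which is what the quoted rules look like (a rule that only drops on the WAN interface is ordinary hardening and is not counted). The sample listings are constructed, and the interface names are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or the post above: look for the three
# DROP rules the post quotes in the output of `iptables -S INPUT`.
# The worm's rules have no interface match, so they block the admin ports
# (telnet 23, ssh 22, http 80) from the LAN as well as the WAN; a rule that
# only drops on the WAN interface is normal hardening and is not counted.

# Constructed sample listings (not captured from a real device).
SAMPLE_INFECTED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP'

SAMPLE_CLEAN='-P INPUT ACCEPT
-A INPUT -i br-lan -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0.1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth0.1 -p tcp -m tcp --dport 80 -j DROP'

# Reads `iptables -S INPUT` text on stdin; prints how many DROP rules hit
# the admin ports without any "-i <interface>" restriction.
count_lockout_rules() {
    awk '
        /^-A INPUT / && /-j DROP/ && /--dport (22|23|80)([^0-9]|$)/ && !/ -i / { n++ }
        END { print n + 0 }
    '
}

# Wrapper for interactive use: returns 1 when the lockout pattern is present.
report() {
    n=$(count_lockout_rules)
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n DROP rule(s) on ports 22/23/80 with no interface restriction: matches the worm's lockout rules"
        return 1
    fi
    echo "OK: no admin-port lockout rules found"
}

printf '%s\n' "$SAMPLE_INFECTED" | report || :
printf '%s\n' "$SAMPLE_CLEAN" | report
```

    On a live device run `iptables -S INPUT | report`; if the rules are really there you will be doing that from the serial console, since they are exactly what blocks the remote logins.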
  • Re:Tomato (Score:5, Informative)

    by Repton ( 60818 ) on Monday March 23, 2009 @08:31PM (#27306213) Homepage

    If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable.

  • Re:Tomato (Score:4, Informative)

    by Krizdo4 ( 938901 ) on Monday March 23, 2009 @08:33PM (#27306245) Homepage

    Glad I recently switched my router to Tomato. Works better than DD-WRT, too.

    Why does this article make you glad you switched?
    The same thing that makes OpenWRT/DD-WRT vulnerable seems to be part of Tomato.

    FTFA
    "any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)."

    From Tomato Features list:
    "CLI (using BusyBox) with access via TELNET or SSH (using Dropbear)"

  • by XanC ( 644172 ) on Monday March 23, 2009 @08:35PM (#27306275)

    Configure the device for IPv6, over a tunnel or whatever. The worm blocks your control ports using iptables, but not apparently ip6tables.

  • by The_PHP_Jedi ( 1320371 ) on Monday March 23, 2009 @08:38PM (#27306291) Homepage
    The subject text box isn't the "write-the-beginning-of-the-message-until-space-runs-out-and-then-use-the-big-textarea-under-it" field. The big textarea under it is there for a clear reason.

    Just sayin'.
  • by adolf ( 21054 ) <flodadolf@gmail.com> on Monday March 23, 2009 @08:43PM (#27306345) Journal

    A. Is your password "admin," "root," "password," or some other such simplistic shit? Can you log into it remotely? If so, you're vulnerable.
    B. Does SSH still connect? Can you get to your router's web page? If so, it's not infected.
    C. It's a router, not something of any great intrinsic value. Nuke the firmware and start over. (Reset, boot_wait, JTAG - lots of ways to nuke a new firmware into these things without having network access to them. Listed previously are some good terms to Google for.)

    I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

    On the other hand: The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.

  • Re:Needs more detail (Score:2, Informative)

    by Krizdo4 ( 938901 ) on Monday March 23, 2009 @09:04PM (#27306527) Homepage

    Ok, TFA states

    Get a shell on the vulnerable device (methods vary).

    How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.

    The article doesn't go into the essential details, so I call FUD until proven otherwise.

    From the article:

    any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).

    Telnet is used at least on OpenWRT after you first flash it but before you set a root password.

    No consumer router I've used blocked repeated failed password attempts by default.

    A bug in the web interface for the default Linksys allowed people to load OpenWrt by sending shell commands to turn on boot wait. Just do the same but insert malicious shell code instead with the default password.

  • Re:Tomato (Score:3, Informative)

    by xiong.chiamiov ( 871823 ) <xiong,chiamiov&gmail,com> on Monday March 23, 2009 @09:46PM (#27306891)
    You don't have to enable remote ssh access to manage your router, unless you really need to administrate it remotely.
  • Re:Tomato (Score:4, Informative)

    by tobiasly ( 524456 ) on Monday March 23, 2009 @10:11PM (#27307041) Homepage

    If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.

    Really, just use SSH with private/public keys and you'll be okay.

    Another alternative is to close port 22 and use a non-standard, high-numbered port instead. Not as secure but most automated attacks don't scan all 65536 ports looking for an open one. If I disable passwords I'm always afraid that the one time I really need to get into my LAN will be the one time I don't have my private keys with me.

  • by nenolod ( 546272 ) <nenolod@gmai l . com> on Monday March 23, 2009 @10:11PM (#27307045) Homepage

    Actually, the worm also exploits some vulnerabilities in the HTTP servers in some of these models.

  • by ristretto_dreams ( 1420209 ) on Monday March 23, 2009 @10:20PM (#27307123)

    errr, yeah, if you want to kill an ant with a nuke.

    Or just change your password from the default and set ssh/web/telnet administration to local segment only.

    Did you read the article?

  • Re:Tomato (Score:3, Informative)

    by 644bd346996 ( 1012333 ) on Monday March 23, 2009 @10:21PM (#27307135)

    By default, Tomato doesn't allow remote (from WAN port) administration. I don't know about the other WRT firmwares, but Tomato at least is secure from this exploit by default.

  • The modem/router that Verizon provided for their DSL service had the firmware remotely upgraded. There is no way to avoid these updates. I hope it is secure. If someone roots that process, it will be the mother of all DDOS attacks.

  • Re:Old news to me (Score:3, Informative)

    by GaryOlson ( 737642 ) <.slashdot. .at. .garyolson.org.> on Monday March 23, 2009 @10:42PM (#27307289) Journal
    Yes, I had complex and increasingly long passwords set -- the last password was 22 characters long with mixed case and special characters. And, configuring the router from the WAN was disabled.
  • Re:Tomato (Score:4, Informative)

    by X0563511 ( 793323 ) on Monday March 23, 2009 @11:11PM (#27307475) Homepage Journal

    dd-wrt doesn't allow admin from WAN either, unless you tell it to.

    And you can tell it to do that intelligently, using SSH on a nonstandard port, enabling tunneling, and using public key auth.

  • Re:Tomato (Score:5, Informative)

    by PReDiToR ( 687141 ) on Monday March 23, 2009 @11:23PM (#27307551) Homepage Journal

    > If you allow ssh access from the wide internet...

    Why would you do that?

    `ssh -i ~/.ssh/myrouter.key root@my.router.ip '/usr/sbin/wol -i 192.168.0.255 00:11:22:33:44:55'`

    But there is no reason on earth to use SSH with password authentication. Ever.

    4096-bit keys with a 30+ character passphrase are my standard at the moment.

  • by KillzoneNET ( 958068 ) on Monday March 23, 2009 @11:27PM (#27307571)

    Apparently I'm one of the "100,000" that got infected by this botnet.

    This morning my router would not connect to any websites, yet my modem when directly connected to my PC still did. I reset the settings to default, disabled the vulnerabilities that got the idiots in and put a stronger 35 character username and password.

    How did I get infected in the first place? I left on remote access. And possibly my username and password weren't that complex. Live and learn I guess.

  • by totally bogus dude ( 1040246 ) on Monday March 23, 2009 @11:35PM (#27307623)

    I use pwgen for pretty much all my passwords. It has some nice options to restrict/expand the allowed set of characters, and should be a standard installable package on most distros.

    Its main advantage is that it creates passwords with a mix of vowels and consonants so you get an almost word-like password. If creating a password I'll need to remember, I usually set it to create 10 or 20 and skim through for something that seems memorable to me. If creating passwords for services that I just need to enter somewhere, I'll create a 20+ character password including punctuation (-y) and make it completely random (-s), then just copy and paste.

  • Re:Scary Targets... (Score:2, Informative)

    by Microlith ( 54737 ) on Monday March 23, 2009 @11:38PM (#27307637)

    DMZ = All ports not forwarded to other machines are routed to the IP specified as the "DMZ" IP.

    So what we have is not simply routers getting attacked, but actual machines that are completely unprotected.

  • Re:Tomato (Score:3, Informative)

    by IvyKing ( 732111 ) on Monday March 23, 2009 @11:47PM (#27307693)

    Note that a strong root password and usage of a non-standard port will help keep the bots away. Even better if you disable password authentication for SSH and use a key instead.

    Even better yet would be setting up a user account with a non-common name and su'ing or sudo'ing to do the administrative stuff. As an example, both OpenBSD and Solaris default to blocking root access by ssh. Another nifty ssh trick is to set up sshd to drop most connection attempts after two attempts in a minute.
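    The advice from tobiasly, X0563511, PReDiToR and IvyKing above (key-only SSH, a non-standard port, admin interfaces reachable from the LAN only, and dropping a source after two connection attempts in a minute) as one script, added here as an example and not posted by any commenter. It assumes OpenWrt's `/etc/config/dropbear` option names and an iptables build with the `recent` and `multiport` matches; the port and interface names are placeholders, and the script prints the commands for review rather than applying them.

```shell
#!/bin/sh
# Added example, not from any commenter: emit the commands that implement the
# subthread's advice on an OpenWrt-style box. Assumed (verify against your
# firmware): uci options Port/PasswordAuth/RootPasswordAuth for dropbear, and
# iptables with the "recent" and "multiport" matches. Interface names are
# placeholders. Output is meant to be reviewed, then piped to sh.

emit_hardening() {
    ssh_port=${1:-2222}   # non-standard port, per tobiasly and X0563511
    lan_if=${2:-br-lan}   # LAN bridge (placeholder)
    wan_if=${3:-eth0.1}   # WAN interface (placeholder)
    cat <<EOF
# dropbear: keys only (PReDiToR), on a non-standard port; restart to apply
uci set dropbear.@dropbear[0].Port='$ssh_port'
uci set dropbear.@dropbear[0].PasswordAuth='off'
uci set dropbear.@dropbear[0].RootPasswordAuth='off'
uci commit dropbear
/etc/init.d/dropbear restart
# web and telnet administration: LAN only (ristretto_dreams)
iptables -A INPUT -i $lan_if -p tcp -m multiport --dports 23,80 -j ACCEPT
iptables -A INPUT -i $wan_if -p tcp -m multiport --dports 23,80 -j DROP
# ssh from the WAN: record each new connection per source, and drop the third
# new connection from the same source within 60 seconds (IvyKing's "two
# attempts in a minute"); the rule order (--set before --update) matters
iptables -A INPUT -i $wan_if -p tcp --dport $ssh_port -m state --state NEW -m recent --name ssh --set
iptables -A INPUT -i $wan_if -p tcp --dport $ssh_port -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -i $wan_if -p tcp --dport $ssh_port -j ACCEPT
EOF
}

# Print the commands for the default placeholders; review, then `| sh`.
emit_hardening 2222 br-lan eth0.1
```

    Test the key login on the new port before closing the old one, or you will be back to the serial console.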

  • by itzfritz ( 822208 ) * on Tuesday March 24, 2009 @12:01AM (#27307761)
    It's necessarily being exploited from the WAN; I've seen PoC code that, guessing the gateway's internal IP (typically 192.168.1.1 class C), uses JavaScript or HTML trickery to attempt a GET request that modifies that router's config. E.g., on some webpage: img src='192.168.1.1/allow-external-connections.cgi' You get the idea. Don't remember where I saw it, maybe ha.ckers/sla.ckers.org.
  • by Randall311 ( 866824 ) on Tuesday March 24, 2009 @12:24AM (#27307913) Homepage
    If your username and password are "admin", then you're deservedly fucked.
  • by Otto ( 17870 ) on Tuesday March 24, 2009 @05:16AM (#27309235) Homepage Journal

    On the other hand: The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.

    Many Linksys routers, to pick an example, run on top of Linux even with their default firmware. And many (most?) of these firmwares have had known vulnerabilities that give you enough to get a shell out of it. Google "Linksys ping hack" if you want to see a truly devastating back door.

    On top of that, many of these had remote access bugs. I recall one where, if you knew the right URL to hit, you could make the router execute your commands even though remote access had been disabled. All disabling it really did was not make the web pages show up on remote connections. The POST requests from the forms on them still, stupidly, went through.

    Most of these problems have been patched, but how many people have never updated their router firmware? I'll bet you it's a lot. And every one of those could be hit with a not-even-that-hard-to-write worm.

    In this case, the guy doesn't seem all that malicious, maybe. Especially since he's only storing the exploit script in the tmp directory. He could have just as easily stuck it in the flash memory and made it quite well hidden indeed.

  • by Anonymous Coward on Tuesday March 24, 2009 @08:46AM (#27310369)

    That remote upgrade is not done over IP, but over some DSL specific protocol that only exists within the specific ISP.

    So while not impossible, it's far less likely.

  • by KillzoneNET ( 958068 ) on Tuesday March 24, 2009 @04:42PM (#27317801)

    Not sure what ports it was using exactly, but telnet was definitely on. The username was still 'root' and the password was a simple word. TFA mentions the botnet has brute forcing capabilities so I imagine with only one thing to bust through, it wouldn't at all be a hard task to get into.

    Funny thing is, I thought this was just a minor bug until the first thing I saw was this /. article when my router was restored.
