Botnet Worm Targets DSL Modems and Routers
CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.
What to do about it? (Score:5, Insightful)
B. How to tell whether we are infected?
C. What to do about it if we are?
I'd guess most people, even geeks, just think of their router as a black box and don't know much about them as long as they keep on working.
Scary Targets... (Score:4, Insightful)
Okay, now this is scary.
Folks having OpenWRT/DD-WRT are usually a bit more savvy than the average user, so to see something specifically targeting such users is surprising.
And the fact it's gone this long without being noticed is even MORE frightening.
Re:Tomato (Score:3, Insightful)
> If you allow ssh access from the wide internet...
Why would you do that?
> ...and you have a weak password for root...
Why would you do that?
Re:Tomato (Score:5, Insightful)
If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.
Really, just use SSH with private/public keys and you'll be okay.
Old news to me (Score:4, Insightful)
Re:Hackers. (Score:3, Insightful)
That's like saying CiCi's Pizza is the best dining experience of all time. It's not really pizza, but it is edible...
Sex is like pizza... Even when it is bad, it's still pizza.
Re:Tomato (Score:5, Insightful)
If you allow ssh access from the wide internet, and you have a weak password for root, you always were vulnerable. Now the vulnerability is just being exploited in a more automated way.
Re:Tomato (Score:2, Insightful)
> If you allow ssh access from the wide internet...
Why would you do that?
Normally those routers do not have users other than root...
Re:Scary Targets... (Score:5, Insightful)
any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).
Anyone savvy enough to want to run OpenWRT/DD-WRT should hopefully be savvy enough to have a decent password. I'm guessing by DMZ it means open slather access to the device. Open Slather + Weak Password = Your Own Stupidity
Re:What to do about it? (Score:5, Insightful)
The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.
But it does allow access from the LAN side, so all that takes is one owned client connecting to that AP. It could even spread via laptops physically roaming to different hotspots (maybe not AT&T etc, but think of an independent coffee shop owner who should not have to be a networking guru).
Routers seem like a nice prize indeed. Always connected and on a public IP, and there's millions of them! I'm surprised it's taken this long.
It's hard enough for most people to just hook one of these up, much less wipe a rootkit from it.
OpenWRT/DD-WRT devices all appear to be vulnerable (Score:5, Insightful)
I guess it's the same on DD-WRT.
The devices that were targeted appear to have some serious flaws; here's a cite from an analysis [adam.com.au] of the malware:
"Several revisions of the NB5 modem shipped with a flaw which meant that the web configuration interface was visible from the WAN side, accepting connections and allowing users to administer the modem using the default username and password of 'admin' from outside the LAN. Furthermore, some of these modems suffered from another flaw, meaning that by default, authentication was not enabled for the web interface - meaning no username or password was required."
It really boils down to the usual find-weak-logins style of attacks, only the target platform has changed.
Re:Needs more detail (Score:5, Insightful)
1. Be granted root access to the vulnerable device.
2. Do something nasty.
describes 99% of *nix (Linux, BSD, OS X) "exploits" I've seen.
Some of it is intentional FUD, but it's still a good example of why users should be forced to learn exactly what programs are allowed to do with user and root/admin privileges.
Most folks still think of programs the way they think of physical gadgets. Users don't understand privileges, and assume that programs are by nature isolated from each other, the operating system, and the user's personal files.
It doesn't occur to them that a malfunctioning toaster could suddenly delete their car.
Re:private/public keys (Score:3, Insightful)
The commercial routers don't have this option. Um, like D-Link, Linksys, etc. Unfortunately they are the majority of home/small enterprise routers. But this would be the trick to use.
Except anyone who's knowledgeable enough to set up a private/public key based ssh server on their router would have ditched that crippled factory default firmware in the first place and installed something more advanced like Tomato, which does have this feature.
Re:Tomato (Score:3, Insightful)
Re:Tomato (Score:1, Insightful)
Normally those routers do not have users other than root...
DD-WRT, at least, allows you to create a "Router Username" which, if I understand correctly, disables root and creates a user with root privileges with the name of your choice (maybe it just changes the root user's name?). In any case, this should prevent any kind of login with the user "root."
Let's assume you decide to change the username. If n is the number of possible passwords, to get access to your router would take on the order of n^2 attempts. If the user "root" is available, it would take only n attempts to access your router. A brute force attack requiring n^2 attempts would take months, at least. I didn't RTFA, but I expect that, if the worm even bothers trying multiple usernames, it probably limits them to "root," "admin," "administrator," and any other defaults, so just using a non-default username would make the router much more secure.
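As an added example (not from the article or any commenter), a small Python log check in the spirit of this post: count dropbear password failures per source address, note how many of them hit the default usernames the post names, and flag a password login that follows such a burst. The log lines are constructed and the dropbear message formats are an assumption, so adjust the patterns to what your router actually logs.

```python
import re
from collections import Counter

# Constructed sample of dropbear (OpenWRT's SSH server) syslog lines; not from the article.
SAMPLE_LOG = """\
Mar 22 01:00:01 router dropbear[1203]: Child connection from 203.0.113.7:51234
Mar 22 01:00:02 router dropbear[1203]: Bad password attempt for 'root' from 203.0.113.7:51234
Mar 22 01:00:03 router dropbear[1204]: Bad password attempt for 'admin' from 203.0.113.7:51240
Mar 22 01:00:04 router dropbear[1205]: Bad password attempt for 'administrator' from 203.0.113.7:51241
Mar 22 01:00:05 router dropbear[1206]: Bad password attempt for 'root' from 203.0.113.7:51242
Mar 22 01:00:07 router dropbear[1208]: Password auth succeeded for 'root' from 203.0.113.7:51244
Mar 22 01:05:00 router dropbear[1300]: Bad password attempt for 'alice' from 198.51.100.9:40001
Mar 22 01:06:00 router dropbear[1301]: Pubkey auth succeeded for 'alice' with key sha1!! ... from 198.51.100.9:40002
"""

# The default account names the post expects a worm to try first.
DEFAULT_USERS = {"root", "admin", "administrator"}

# Assumed dropbear message formats (check against your own logs).
FAIL_RE = re.compile(r"Bad password attempt for '([^']+)' from (\d{1,3}(?:\.\d{1,3}){3}):\d+")
OK_RE = re.compile(r"(Password|Pubkey) auth succeeded for '([^']+)'.*? from (\d{1,3}(?:\.\d{1,3}){3}):\d+")


def analyze(log_text, threshold=3):
    """Summarise password guessing: failures per IP, failures against default
    usernames, IPs at/above the threshold, and password logins from those IPs
    (the case to treat as a likely compromise; key logins are not flagged)."""
    failures = Counter()
    default_user_failures = Counter()
    successes = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            if user in DEFAULT_USERS:
                default_user_failures[ip] += 1
            continue
        m = OK_RE.search(line)
        if m:
            successes.append(m.groups())  # (method, user, ip)
    flagged = sorted(ip for ip, n in failures.items() if n >= threshold)
    likely_compromised = [(user, ip) for method, user, ip in successes
                          if method == "Password" and ip in flagged]
    return {"failures": dict(failures), "default_user_failures": dict(default_user_failures),
            "flagged": flagged, "likely_compromised": likely_compromised}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip in report["flagged"]:
        print(f"{ip}: {report['failures'][ip]} failed logins, "
              f"{report['default_user_failures'].get(ip, 0)} against default usernames")
    for user, ip in report["likely_compromised"]:
        print(f"password login for '{user}' from {ip} after guessing: treat as compromised")
```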
Re:And you really needed to... (Score:1, Insightful)
Well, I don't want my computers to run 24/7, but I need a low-power device that is always on so that I can log into the LAN to start the computers with WoL. OpenWRT is great, I have no telnetd or httpd and password authentication for sshd can be disabled.
Re:Run to my openWRT router and look for.. what? (Score:2, Insightful)
Good for you for being honest about it, mate. I am sure there are a few other /.ers who were also compromised.
Are you able to tell us the user and password and port that was compromised so we can make a judgment on how brute-forced it was?
If it is a password you use elsewhere ( ./ acc :D ), I can understand if you won't want it published.
Re:OpenWRT/DD-WRT devices all appear to be vulnera (Score:3, Insightful)
There's lots of ways to exploit cheapo home routers, whether they're running custom firmware or stock stuff.
- Linksys firmwares have had shell execution vulnerabilities (that's how it was originally discovered that they were running Linux in the first place) as well as remote access vulnerabilities (where turning it off didn't actually work), among others.
- Many of the custom firmwares (DD-WRT in particular) are vulnerable to rather trivial XSS attacks. Yes, visit the wrong webpage with malicious javascript and your router can get owned.
- Not to mention the large number of routers with default passwords out there...
A mildly clever script could gain a large foothold quite fast, without even having to resort to password guessing.
Re:Tomato (Score:1, Insightful)
> If you allow ssh access from the wide internet...
Why would you do that?
[...]
But there is no reason on earth to use SSH with password authentication. Ever.
Except if you want to do something useful with your boxes. Like access them. From anywhere. With anything.
So, block IRC at all firewalls (Score:3, Insightful)
This is not just flamebait, but a serious policy: IRC has been a popular protocol for years, but with the advent of more secure and less abused protocols, there is no modern excuse for permitting IRC through any network or system firewalls. That helps cut the painful-to-monitor control channel.
In fact, most corporate and institutional firewalls should only allow a few registered and useful protocols through their breaches, such as HTTP, HTTPS, SMTP, and SSH, and even those can often be funneled to a small set of securable servers. Yes, it interferes with the random-service-of-the-moment that some folks demand as their right. If they want such rights, they can pay the cost of running a host isolated by more secure firewalls and software management, outside the more trusted internal environment: folks should not expect both easy sharing of resources, and external access.
Re:So, block IRC at all firewalls (Score:3, Insightful)
IRC is not inherently insecure (or secure; it's just a chat protocol), and is a popular means of talking with other admins, for example. I use it for development purposes every day.
There's absolutely nothing to stop $virus_of_the_week using port 80 instead of port 6667. You're solving nothing by blocking a port like that.
Re:Tomato (Score:2, Insightful)
Wouldn't it be substantially easier to just set a really strong SSH password and use key-based auth if you need to configure your router remotely?
Stop making sense. (Score:2, Insightful)
Wouldn't it be substantially easier to just set a really strong SSH password and use key-based auth if you need to configure your router remotely?
You're interrupting the flow of this conversation.
You may need to down a few pints before posting in this topic. Or at least this particular thread.