Botnet Worm Targets DSL Modems and Routers
CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.
Tomato (Score:3, Interesting)
How Can I Determine If My D-Link Router is Linux-based? (Score:1, Interesting)
Run to my openWRT router and look for.. what? (Score:2, Interesting)
I actually RTFA, logged into my router, and I'm still not sure what to look for to see if we've been compromised.
What exactly are we looking for?
first post!
-edfardos
Admin interface open on the WAN side? (Score:5, Interesting)
Needs more detail (Score:5, Interesting)
Ok, TFA states
Get a shell on the vulnerable device (methods vary).
How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.
The article doesn't go into the essential details, so I call FUD until proven otherwise.
And you really needed to... (Score:4, Interesting)
... administer your home router over the Internet? Who does that? If you don't have an open port, even on these boxen, how could you be attacked?
But, it seems to me that this is more likely an attack on stock Linksys boxen that re-flashes with a special DD-WRT designed to "phone home." Yes, DD-WRT/OpenWRT are also vulnerable if they have weak passwords, but the bulk is more likely the former.
(Disclaimer: My home router runs HyperWRT & is not listed in DroneBL.)
Rumpelstiltskin. (Score:1, Interesting)
This has put a new twist on the story of Rumpelstiltskin.
Don't set the password to a simple name you plan on saying while talking to yourself and gloating.
Re:What to do about it? (Score:5, Interesting)
I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.
Really?
1. The article claims between 80,000 - 100,000 infected routers.
2. Neither DD-WRT nor OpenWRT allow connections from the outside world by default.
3. The worm brute-forces passwords.
From this we can conclude that there are at least 80-100K geeks who opened their connections to the outside world and used weak passwords. This does not sound like people with a "pretty good clue" to me.
Re:What to do about it? (Score:3, Interesting)
I recall reading a while ago about a javascript exploit that would attempt to log in to your router using the default admin login/password. It had a list of a few hundred different defaults to try. If it got in, it would mess with your DNS.
I'm not sure what came of that...
Re:Hackers. (Score:3, Interesting)
Re:Tomato (Score:4, Interesting)
That would be nice, but it is not easy to do. The Linux distros that run on embedded routers are mostly set up to have only a single, root, user. DD-WRT is definitely this way, and I think Tomato is as well. It might be possible to rebuild it with multiple users but that is definitely not how it's designed right now.
Personally what I'd recommend is not having any of the router's management interfaces exposed to the WAN side of things, for any reason, ever. If you think you might need to administer the router remotely, set up a hardened system inside the LAN somewhere, forward a nonstandard port to sshd on it, and then log into that machine and do SOCKS port-forwarding to connect to the router. This is how I run my home network and it takes literally only a second or two longer to connect to the router this way, versus if I had it directly accessible.
Re:Scary Targets... (Score:2, Interesting)
You'd be surprised. It's easy enough for someone with just a bit of knowledge to read an article that raves about custom firmware, download said firmware, and flash the router. Plus, DD-WRT is configured rather poorly by default (doesn't everyone want telnet?) and is vulnerable to a rather elementary XSS exploit [milw0rm.com].
The XSS exploit can be prevented by logging out of the router when you're done, but here's the catch -- DD-WRT provides no logout button/link/etc. I recall someone suggesting it on the mailing list, and it earned them a good-ol' fanboy flaming. The solution, of course, is to close your browser -- but again, there are plenty of users out there who don't know that.
I predicted this a few years ago (Score:3, Interesting)
Re:Admin interface open on the WAN side? (Score:2, Interesting)
Who has their router set to allow access to the admin interface from the wan side?
Me. I use Tomato so that I can log in remotely from work and then use WoL to boot my computer, server and NAS remotely in order to access any files I might need but it still allows me to shut my machines down when not needed in order to keep my electricity bill low.
I do however use an 18 digit password that uses mixed-case, numbers and special characters to make the likelihood of a brute force attack being successful to almost nil. I also regularly change my passwords which I know (having been in the IT field for 10 years) that most people do not.
It all comes down to using tried and true security practices in my opinion. If you use simple common sense you can avoid most of these issues outright.
1) Use long passwords with mixed case, numbers and special characters.
2) Change those passwords regularly.
3) Do not use the same password for different site logins.
4) Keep your router firmware up to date (though that would not have helped in this particular case apparently).
5) I would also add that you stay away from installing applications not obtained directly from the software vendor that wrote them (read warez). You have no idea what that copy of Windows XP Super-Ultimate Gold might be installing in addition.
6) Stay away from websites that are heavily laden with nefarious advertising such as porn, etc.
Common sense really.
Re:Admin interface open on the WAN side? (Score:3, Interesting)
You don't need external router access for that. Set up a port that, when given a specific string like 'wakeup', automatically sends a WOL to the computer and does nothing else. The worst a hacker can do then is wake your computer up.
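A minimal version of the wake-on-trigger listener that comment describes, written here as an added example (not code from the thread). It assumes a UDP trigger port, a constructed target MAC and the trigger word 'wakeup'; anything other than that exact word is silently dropped, so the only thing a remote sender can make it do is broadcast a magic packet.

```python
import socket
from typing import Optional

# Constructed values for the example: the trigger word, a made-up target MAC
# and a size limit so oversized datagrams are discarded before any comparison.
TRIGGER = b"wakeup"
TARGET_MAC = "00:11:22:33:44:55"   # example MAC, not a real host
MAX_REQUEST = 64

def build_magic_packet(mac: str) -> bytes:
    """Wake-on-LAN magic packet: 6 x 0xFF followed by the MAC repeated 16 times."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("MAC must be six colon- or dash-separated hex octets")
    raw = bytes(int(p, 16) for p in parts)
    return b"\xff" * 6 + raw * 16

def handle_request(data: bytes) -> Optional[bytes]:
    """Return the packet to broadcast only if data is exactly the trigger word.

    Returning None means the service stays silent: no error reply, no echo,
    nothing an outsider could use to probe or amplify through this port.
    """
    if len(data) > MAX_REQUEST:
        return None
    if data.strip() != TRIGGER:
        return None
    return build_magic_packet(TARGET_MAC)

def send_wol(packet: bytes, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet on the LAN (UDP port 9 is the usual WoL port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(packet, (broadcast, port))

def serve(bind_addr: str = "0.0.0.0", port: int = 4242) -> None:
    """UDP listener: one datagram in, either a WoL broadcast out or silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while True:
            data, peer = s.recvfrom(MAX_REQUEST + 1)
            pkt = handle_request(data)
            if pkt is not None:
                send_wol(pkt)
                print(f"trigger from {peer[0]}: magic packet sent")

if __name__ == "__main__":
    serve()
```

Forward only the trigger port (here 4242) from the router; the listener never needs to reach the router's admin interface.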
Re:Hackers. (Score:3, Interesting)
Re:Wait Till They Get Verizon Routers Rooted (Score:3, Interesting)
Really? You can't avoid that update?
Why was I able to turn it off along with disabling the crappy "router" function in the westell modems?
You CAN avoid it; you have to know what you are doing.
Re:Tomato (Score:2, Interesting)
Assuming ssh is usable. My ISP gave me a router that despite letting me set various port forwarding, refuses to honor them, so remote access to any of the machines just does not seem to work the way I would like. I do have ssh on my network machines, but they are keys, password, whitelist protected on uncommon port while only supporting version 2 connections.
Most likely you aren't programming it right, because it has a retarded programming interface. For example, you might have to open firewall holes for forwarded ports, even though it's excruciatingly obvious that you want to let in anything for which you've set up forwarding rules.
ISP routers are the cheapest crap imaginable. If you have Verizon, they'll likely give you a Westell specially built to be extra-crappy (or worse yet an Actiontec). You can usually make them do what you want with hundreds of hours of trial and error, but you may as well throw away the manual and don't bother calling tech support. Write down the configuration that works, when you find it, because the box will reach its MTBF about the same time you find the insanely baroque combination of options that will make it do what you need.
Of course, if you have Comcast they probably won't even give you a router - they'll just plug the Internet right into your soon-to-be-worm-hosting-machine. And if you have any problems, the first thing their tech support will tell you is to turn off your firewall.
Re:Needs more detail (Score:3, Interesting)
It doesn't occur to them that a malfunctioning toaster could suddenly delete their car.
That is an incredibly insightful comment. That makes so clear what it is that people do not get about computers. This implies that sandboxing needs to be taken to the next level. A VM for every app, perhaps?