Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Botnet Networking

Lizard Stresser DDoS-for-Hire Service Built On Hacked Home Routers 65

tsu doh nimh writes: The online attack service launched late last year by the same criminals who knocked Sony and Microsoft's gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers, reports Brian Krebs. From the story: "The malicious code that converts vulnerable systems into stresser bots is a variation on a piece of rather crude malware first documented in November by Russian security firm Dr. Web, but the malware itself appears to date back to early 2014. As we can see in that writeup, in addition to turning the infected host into attack zombies, the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials, such as 'admin/admin,' or 'root/12345.' In this way, each infected host is constantly trying to spread the infection to new home routers and other devices accepting incoming connections (via telnet) with default credentials.
This discussion has been archived. No new comments can be posted.

Lizard Stresser DDoS-for-Hire Service Built On Hacked Home Routers

Comments Filter:
  • by Anonymous Coward

    Factory passwords is what separates humans from the beasts.

    • Or the lazy. I replace and reset my routers often enough that remembering to change the defaults can get tedious. Things like this remind me to be more careful. I guess the big thing is how to tell if you're infected and remove it if you need to.
      • Or the lazy. I replace and reset my routers often enough that remembering to change the defaults can get tedious. Things like this remind me to be more careful.

        My router is the same way, having to reset it every few days, in fact it's down now and I've firewall protection alone, while not having access to Netflix.

        When I get around to resetting it once again (a 7 second process + reboot time), I'll load a .cfg file I saved when it was working just fine, alone with it's different password.

        I'd replace it with my ASUS RT-AC66U Router but it's a bear to do using the 30-30-30 second hard reset every time it's not being seen; I gave up the last time, and I read here it's

  • Why a default? (Score:1, Interesting)

    by Anonymous Coward

    Why do all routers of the same model need to come with the same initial credentials?

    • by Anonymous Coward on Friday January 09, 2015 @03:52PM (#48777869)

      Because it would be an exceptionally onerous burden to bear to, say, randomly generate a password that gets printed on a piece of paper that ships with the router.

      We are not gods, after all.

    • A better question is why routers are accepting incoming connections by default. I see no problem with lax security on a home network when the only way to access a device on the network is if you're in the network, in which case a simple admin/password default is, in my opinion, OVERKILL--you shouldn't even need credentials to manage it.
      • by DarkOx ( 621550 )

        Right because its completely impossible you could ever visit a site with some malicious site that runs a little JS to build a form on the fly and submit forged request to your internal router if it were completely unauthenticated.

        Don't be stupid, while its a good control to only allow these things to be managed from the inside, and you probably don't need to go overboard you DO need at least a username and password and you DO need to change the defaults!

        • Re:Why a default? (Score:5, Insightful)

          by Fwipp ( 1473271 ) on Friday January 09, 2015 @04:23PM (#48778123)

          I'd like to see the router simply refuse to communicate with the outside world until that username/password combo is changed. You can print the default user/password right on the device, so when you forget the password you can simply reset to factory settings - and trying to access any site will instead redirect you to a "Hey, change this password!" notice.

      • by richy freeway ( 623503 ) on Friday January 09, 2015 @04:14PM (#48778033)

        I'll just leave this here : http://www.cbits.co.uk/ourblog... [cbits.co.uk]

      • by Anonymous Coward

        Some credentials are always necessary.

        How else do you expect to keep your network secure if anyone on the local network ( read that household ) can modify it ?

    • Re:Why a default? (Score:5, Insightful)

      by vux984 ( 928602 ) on Friday January 09, 2015 @04:13PM (#48778021)

      Why do all routers of the same model need to come with the same initial credentials?

      It makes printing the manual and setup instructions easier.

      It makes writing any 'plug-in-and-configure' style utilities easier.

      It makes providing support easier.

      It saves a step of changing the password for each unit after its made and flashed, documenting the new password, and including a printout of that new password in the shipping materials.

      • If 2Wire (the worst fucking router manufacturer on the planet) and ATT (if not the worst, in a close race with Comcast) can manage it, ANYONE can!
      • by Anonymous Coward

        Routers are configured with an individual MAC address (which is stored in the configuration flash partition and printed on the label on the bottom of the device), so configuring a random default password and printing that on the bottom of the device is hardly extra work. AFAIK all router manufacturers currently do this. In the past, some manufacturers derived the wireless LAN key and the device password from the MAC address, which was a stupid idea and led to exploits. Devices with static default passwords

        • by vux984 ( 928602 )

          Routers are configured with an individual MAC address

          They actually usually have several.

          (which is stored in the configuration flash partition)

          The NICs themselves have the MAC flashed into their own firmware. So the 'problem' there is already solved by the upstream vendor.

          The router firmware typically just reads the addresses from the NICs, unless you've overridedden it.

          This is why you can flash a router with new firmware, including overriding and resetting all configuration and it doesn't lose its MAC.

          and

          • by tlhIngan ( 30335 )

            The NICs themselves have the MAC flashed into their own firmware. So the 'problem' there is already solved by the upstream vendor.

            The router firmware typically just reads the addresses from the NICs, unless you've overridedden it.

            This is why you can flash a router with new firmware, including overriding and resetting all configuration and it doesn't lose its MAC.

            That's almost never the case, actually.

            Maybe on a PC NIC card it has an EEPROM that has the MAC and default startup information, but never on a rou

            • by vux984 ( 928602 )

              That's almost never the case, actually.

              You know after I posted, I actually suspected there was no way modern consumer routers would have still have dedicated eeprom or even just prom for the network interfaces.

              I expect the higher end stuff (and the modular stuff of course) still has its own. (as do standalone NICs for PCs PCI, USB, etc).

              But I have no doubt you are completely right with modern consumer grade routers etc.

              Thanks for the correction.

  • Dark side (Score:5, Funny)

    by ArcadeMan ( 2766669 ) on Friday January 09, 2015 @03:52PM (#48777863)

    the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials, such as 'admin/admin,' or 'root/12345.'

    Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

    • Re: (Score:3, Funny)

      by Anonymous Coward

      the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials, such as 'admin/admin,' or 'root/12345.'

      Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

      President Skroob: Did it work? Where's the king?
      Dark Helmet: It worked, sir. We have the combination.
      President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
      Colonel Sandurz: 1-2-3-4-5
      President Skroob: 1-2-3-4-5?
      Colonel Sandurz: Yes!
      President Skroob: That's amazing. I've got the same combination on my luggage.

    • This is the most relevant topic I've read all day.

  • by Anonymous Coward

    Get some hardware, install pfSense, configure, never worry about this shit again.

    • Or m0n0wall, or Untangle, or ddwrt, or.... Shit, anything. Of course changing the fucking password works too, and is easier.
  • by Anonymous Coward

    "In this way, each infected host is constantly trying to spread the infection to new home routers and other devices" ... there used to be a name for this, oh, it's on the tip of my tongue. W.. W.. Wor..

    • Re: W W W (Score:2, Funny)

      by Anonymous Coward

      Oh! I know this one!

      World Wide Web, right?

  • by nuckfuts ( 690967 ) on Friday January 09, 2015 @04:31PM (#48778203)
    Most home routers I've dealt with don't enable remote administration by default. Allowing administration from outside one's LAN seems like a more serious problem than using a default password.
  • "The botnet is not made entirely of home routers; some of the infected hosts appear to be commercial routers at universities and companies, and there are undoubtedly other devices involved."

    What would be the name of the Operating System that these other devices run on?

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...