Foul-Mouthed Worm Takes Control Of Wireless ISPs Around the Globe (arstechnica.com) 36
Dan Goodin, reporting for Ars Technica (edited and condensed): ISPs around the world are being attacked by self-replicating malware that can take complete control of widely used wireless networking equipment, according to reports from customers. San Jose, California-based Ubiquiti Networks confirmed recently that attackers are actively targeting a flaw in AirOS, the Linux-based firmware that runs the wireless routers, access points, and other gear sold by the company. The vulnerability, which allows attackers to gain access to the devices over HTTP and HTTPS connections without authenticating themselves, was patched last July, but the fix wasn't widely installed. Many customers claimed they never received notification of the threat.ISPs in Argentina, Spain, Brazil have been attacked by the worm, said Nico Waisman, a research at security firm Immunity, adding that it's likely that ISPs in the U.S. and other places have also been attacked by the same malware. From the report, "Once successful, the exploit he examined replaces the password files of an infected device and then scans the network it's on for other vulnerable gear. After a certain amount of time, the worm resets infected devices to their factory default configurations, with the exception of leaving behind a backdoor account, and then disappears."
Foul-Mouthed (Score:5, Informative)
The backdoor it leaves behind has a username of "mother" and a password that almost rhymes.
Danke (Score:4, Insightful)
Re: (Score:2)
I forgot my password, could you tell me your mother's name again?
Re: (Score:1)
I forgot my password, could you tell me your mother's name again?
mum
Re: (Score:3)
Re: (Score:1)
your loss..
Re:We've hit the big time, folks! (Score:4, Informative)
This is the first time I've seen anything that was more than a proof of concept attack for Linux.
It isn't an attack for Linux, it's an attack for the OEM's web interface. The fact that the firmware is based on Linux is incidental. From the article:
The bug is the result of a file upload vulnerability in a Web administrator interface that allows at least one of the worm variants to replace the existing password file...
Re:We've hit the big time, folks! (Score:5, Informative)
You haven't been paying attention then. Linux has had all kinds of vulnerabilities over the years. You've never heard of a "rootkit"?
According to another poster here, this particular vulnerability wasn't with Linux anyway, but the router's webserver, but back to your point, there have been many successful attacks on Linux machines. However, they've all been for network-facing servers. Exploits have been found, for instance, in Apache webservers (commonly used on LAMP-stack servers), PHP, and various low-level network services on Linux servers.
Usually, when people talk about Linux being impervious to attacks in comparison to Windows, they're talking about desktop machines. You don't run an internet-facing Apache server on a desktop Linux box, in fact you generally only connect behind a firewall router, or if not (public Wi-Fi, though that certainly has some kind of firewall router that restricts which services can pass through), you normally don't have many network-facing services running, probably just openssh, if that. It's nothing at all like Windows where an infected email can help someone hack into your system, or automatically install a botnet. Or a webpage that can do the same.
There's been no shortage of security vulnerabilities for various parts of Linux systems. The key is that these are public knowledge, are usually fixed quickly, and the fixes pushed out very quickly. And also that really stupid vulnerabilities affecting desktop systems generally don't exist (like with email). But one weakness that Linux-based systems do have is where some vendor uses Linux because it's free and easy to find semi-competent help to implement, but then they don't bother to keep up on the security fixes and push those out to customers. The vulnerabilities are all publicly disclosed (unlike typical proprietary vendors that try to keep them secret), so if a vendor doesn't take advantage of the fixes and push them out, their customers then become vulnerable.
Re: (Score:2)
In many cases, they're talking about getting infected by installing some program you found somewhere on the web and didn't bother to scan, or that you got stuck with in a drive-by download. Most if not all modern Linux distros have built-in security, such as SELinux or AppArmor to prevent malicious programs from damaging your system, and the standard file permissions (includ
Re: We've hit the big time, folks! (Score:1)
Then you're definitely not paying close enough attention...
Vulnerability was patched (Score:3)
Patched almost a year ago, apparently... so... I would fault ISP admins for not having a patch cycle...
Many customers claimed they never received notification of the threat
In this day-and-age if you are not proactive in your network security, it's on you.
Re: (Score:3)
Average people setting up average home networks are on average, unable to patch anything.
Average people don't care until it is too late, and then it is too late to care. (file under "Its all over but the crying")
Really, when was the last time you checked the Vulnerability list for your home networking products? And when was the last time before that?
Re:Vulnerability was patched (Score:5, Informative)
These aren't average people, unless average people run wireless ISPs.
And these aren't regular consumer grade wireless hardware, these are carrier-grade wireless hardware.
SO yeah, you hope the system administrators at your ISP know what they're doing, applying patches and all that, like any good admin who administers their company's servers.
Re: (Score:1)
The only completely safe machine is disconnected from power and network, has no data of value on it, is fully embedded in a concrete block, and sunk in the deepest part of the ocean.
In the real world, safety is relative.
In this particular case, the vulnerability is in the proprietary web server installed in the base linux system.
Foul-mouthed? (Score:2)
Foul-Mouthed
If you're going to lead with that, you should at least explain it in the summary.
Direct quote from TFA: (Score:2)
They aren't talking about PAT'ing ports 80 and 443 to your web server. They aren't talking about machines in your corporate DMZ. They're talking about having your network equipment's management interface over HTTP/HTTPS exposed directly to the internet. I have a couple consumer-grade wifi routers that have that as an option (off by default and left that way!). Sadly (having worked for a couple ISP's in my day) I can say that some of the