VikingBob: Worm Breeds Botnet From Home Routers, Modems
More at »www.theregister.co.uk/2009/03/24···ng_worm/
Security researchers have identified a sophisticated piece of malware that corrals consumer routers and DSL modems into a lethal botnet.
The "psyb0t" worm is believed to be the first piece of malware to target home networking gear, according to researchers from DroneBL, which bills itself as a real-time monitor of abusable internet addresses. It has already infiltrated an estimated 100,000 hosts. It has been used to carry out DDoS, or distributed denial of service, attacks and is also believed to use deep-packet inspection to harvest user names and passwords.
"This technique is one to be extremely concerned about because most end users will not know their network has been hacked, or that their router is exploited," the DroneBL researchers wrote here. "This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique is not going away."
nwrickert: This apparently depends on the user having never changed the administrative access password for the router.
Unfortunately, there are millions of naive users who have never changed that password.
SUMware (reply to VikingBob): Psyb0t: varying the angle of attack
ESET Threat Blog, March 23rd, 2009 - quote: This bot looks interesting, though, in that it doesn't seem to target PCs (at least, not for recruiting as drones): instead, it targets routers and DSL modems, containing shellcode for a number of mipsel devices (that is, devices running on an architecture supported by some flavours of embedded Linux), and including some wrinkles that would make it difficult for a home user to get back control of their router, even if they became aware of the problem.
This is by no means a brand-new idea: Nenolod* released a paper on the potential attack in 2006 (see link below), and I reviewed an interesting conference paper submission a year or so ago (unfortunately, I can't remember the source, so I don't know if it was accepted or published!) that covered similar ground from a more formal standpoint. And it's far from the first attack to target devices that aren't normally thought of as computers - one that springs to mind is a long-gone PostScript Trojan that could render some Apple printers to all intents and purposes unusable.
(This attack doesn't make the device unusable - there's no potential profit in that - but if it manages to take hold of your router/modem, it will try to lock you out so that you can't easily remove it.)
However, the site estimates that somewhere in the region of 100,000 systems are affected (or were): if DroneBL is anywhere near the right ballpark, that looks like a serious exploration of the concept.
I suspect that it's a concept (or a real attack) that we'll see more of: for an attacker, it makes a lot of sense to use systems that the average home user never even thinks about, and that are available 24/7.
Now is probably the time to think about checking the device that connects your home PC to the world for weak username/password combinations.
David Harley BA CISSP FBCS CITP Director of Malware Intelligence
[emphasis added]
* Your Router, Plausible Home to a Stealth Rootkit [pdf]
EGeezer (reply to VikingBob): More detail
See »dronebl.org/blog/8 for more detail.
Also a topic in the Linksys forum: »Linux embedded devices being used in botnet
If the router administration is open to DMZ or internet and has weak passwords, then it is vulnerable.
If they are somehow able to get the application on a system inside the network, then you better have strong passwords for your admin access.
EDIT - added - Looks like my practice of using randomly assigned nonstandard port numbers for telnet, http or https access would also foil this attack in its present state of development.
-- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
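EGeezer's rule of thumb above (admin interface reachable from the DMZ or internet plus a weak password equals vulnerable), and the nonstandard-port idea, can be turned into a quick check on the box itself. The following is an added example, not code from the thread, from DroneBL or from any router vendor: it audits BusyBox-style `netstat -ln` output for admin services bound beyond the LAN. The sample output, the LAN range 192.168.1.0/24 and the WAN address 203.0.113.5 are constructed for the example.

```python
"""Audit a router's listening sockets for admin services reachable from outside the LAN.

Added example, not from the thread. Input is constructed BusyBox-style
`netstat -ln` output; the LAN range and WAN address are assumptions.
"""
import ipaddress
import re

# Services psyb0t-style dictionary attacks go after. A listener on 0.0.0.0 is
# reachable from the WAN on whatever port it uses, so a nonstandard port is
# reported too (MEDIUM rather than HIGH) instead of being treated as a fix.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN$")


def parse_listeners(netstat_output):
    """Yield (bind_address, port) for each listening TCP socket."""
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2))


def reachability(bind, lan_net, wan_addr):
    """Classify a bind address as 'any', 'wan', 'lan', 'local' or 'other'."""
    if bind in ("0.0.0.0", "::", "*"):
        return "any"
    addr = ipaddress.ip_address(bind)
    if addr.is_loopback:
        return "local"
    if addr == ipaddress.ip_address(wan_addr):
        return "wan"
    if addr in lan_net:
        return "lan"
    return "other"


def audit(netstat_output, lan_cidr="192.168.1.0/24", wan_addr="203.0.113.5"):
    """Return findings as (severity, port, service, bind, advice), worst first.

    Only the socket binding is inspected; a 0.0.0.0 listener may still be
    shielded by an iptables INPUT rule, so read this with the firewall rules.
    """
    lan_net = ipaddress.ip_network(lan_cidr)
    findings = []
    for bind, port in parse_listeners(netstat_output):
        reach = reachability(bind, lan_net, wan_addr)
        service = MGMT_PORTS.get(port, "unknown-tcp")
        if reach in ("any", "wan"):
            sev = "HIGH" if port in MGMT_PORTS else "MEDIUM"
            findings.append((sev, port, service, bind,
                             "reachable from the WAN unless the firewall drops it: "
                             "bind to the LAN address or disable remote admin"))
        elif reach == "lan" and port in MGMT_PORTS:
            findings.append(("LOW", port, service, bind,
                             "LAN only, but an infected PC inside can still "
                             "dictionary-attack it: change the default password"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


# Constructed sample, not captured from a real device.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.5:2323        0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
"""

if __name__ == "__main__":
    for sev, port, service, bind, advice in audit(SAMPLE_NETSTAT):
        print(f"{sev:6} {bind}:{port} ({service}) - {advice}")
```

The listener on 203.0.113.5:2323 is reported as MEDIUM rather than ignored: an unusual port keeps away a worm that only tries 22 and 23, but anything that sweeps ports still finds it, so the durable fix is binding the service to the LAN address or disabling remote administration. A finding on a 0.0.0.0 bind is a false positive if an INPUT rule already drops WAN traffic to that port, which is why the audit reports the bind and leaves the firewall check to you.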
SUMware: quote: Disinfection Instructions
We have been getting asked a lot about disinfection instructions.
To disinfect, simply power-cycle your device and take appropriate action to lock it down, including the latest firmware updates, and using a secure password.
Link Logger (reply to VikingBob): Re: Worm Breeds Botnet From Home Routers, Modems
It was simply a matter of time, as the topic has been discussed in the past on DSLReports. In short, it is always a good idea to change default passwords on everything.
Blake -- Vendor: Author of Link Logger, which is a traffic analysis and firewall logging tool
TheJoker: I don't believe this was the first. I believe some versions of the Wareout infection would change the DNS settings in some routers if the default password had not been changed. -- Proud ASAP member since 2005
Stumbles (reply to nwrickert): It also seems you need to have ssh or telnet in the DMZ.
Anonymous_ (reply to SUMware): Re: Psyb0t: varying the angle of attack
said by SUMware: (This attack doesn't make the device unusable - there's no potential profit in that - but if it manages to take hold of your router/modem, it will try to lock you out so that you can't easily remove it.)
Very easy: JTAG, format full flash (or wholeflash), reinstall (new CFE), new OS, then you're done.
SUMware (reply to VikingBob): Re: Worm Breeds Botnet From Home Routers, Modems
From eWeek, 2009-03-24 - said by Larry Seltzer: Linux seems to be a great platform for these little embedded devices. It's small enough that it can fit in economical hardware, portable enough that you can put it on almost any processor and platform, and it's got great networking tools. This particular bot runs on Linux Mipsel devices ("Mipsel" is the port of Debian Linux on MIPS processors). But it's not hard to see the same thing happening to any sufficiently large population of Internet-facing devices based on Linux or any other platform. I'm especially curious about DVRs now.
The bot will not persist if the router is power-cycled, but who does that on purpose? I also wouldn't discount the possibility that such a bot could be built to flash itself into an EPROM or some other persistent memory, and then the device is probably unsalvageable. Such an attack would be highly model-specific.
The problem with routers is that they're "set and forget" devices. Often they're designed to just work out of the box with no configuration at all. Users won't change the default admin password, they won't check if security options are turned on, and the last thing they would ever do is check to see if there's a firmware upgrade that fixes a serious vulnerability in the router. Who even realizes that these things are little computers?
It's also easy to imagine a router botnet being built off of a Windows botnet. Once you have control of a system inside the network, it's easy to start probing the device at 192.168.1.1 (or, in fact, whatever the address of the local gateway device is) with the same sort of dictionary attack used by psyb0t. With some effort you could actually build a cross-platform bot with a standard series of interfaces.
The initial research shows that the psyb0t botnet has at least 100,000 nodes in it, and this is from devices, according to the reports, that don't have much presence in the West. This paper on the botnet discusses the hardware in more detail, including information about the vulnerabilities exploited in them. According to the paper:
Modems with similar hardware configurations (unknown brands) from Italy, Brazil, Ecuador, Russia, Ukraine, Turkey, Peru, Malaysia, Colombia, India and Egypt (and likely more countries) also seem to be affected, and are spreading the bot. There are, and have been for many years, Linux-based embedded devices popular in the US and Europe and they must have their own vulnerabilities. I'm expecting malware authors to be inspired by this to build similar networks. Consider this list of Linux router or firewall distributions as a starting point.
What can you do for your own devices? Apply the latest firmware and make sure they have non-trivial admin passwords. And if there's an option for remote administration, make sure it's turned off.
[some emphasis added]
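Seltzer's scenario of a dictionary attack launched from an infected PC against 192.168.1.1, and DroneBL's description of psyb0t guessing telnet and SSH passwords, both leave traces in a router's syslog if anyone looks. The following is an added example, not code from the thread, DroneBL or eWeek: it reads syslog lines and flags credential guessing per source address, telling a WAN scanner apart from a machine inside the LAN. The log lines are constructed; the dropbear message formats ("Bad password attempt", "Password auth succeeded") are the real ones, while the `TELNET-IN:` kernel lines assume a netfilter LOG rule with that prefix on inbound port-23 SYNs, since the telnet login prompt on these boxes typically records no client address itself. The LAN range 192.168.1.0/24 is also an assumption.

```python
"""Spot psyb0t-style credential guessing against a router from its syslog.

Added example, not from the thread. Log lines are constructed: dropbear's
real message formats plus netfilter LOG lines from an assumed rule
  iptables -A INPUT -p tcp --dport 23 --syn -j LOG --log-prefix "TELNET-IN: "
"""
import ipaddress
import re
from collections import defaultdict

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SSH_FAIL = re.compile(r"dropbear\[\d+\]: Bad password attempt for '([^']+)' from " + IPV4)
SSH_OK = re.compile(r"dropbear\[\d+\]: Password auth succeeded for '([^']+)' from " + IPV4)
TELNET_SYN = re.compile(r"kernel: .*SRC=" + IPV4 + r" .*PROTO=TCP .*DPT=23 .*\bSYN\b")


def analyze(log_text, lan_cidr="192.168.1.0/24", threshold=5):
    """Return one alert dict per (source, kind).

    kind is 'brute-force' (>= threshold SSH failures or telnet SYNs) or
    'credential-guessed' (a success from a source that had already failed).
    origin is 'lan' when the source sits inside the LAN: then the attacker is
    an already-infected machine behind the router, not a WAN scanner.
    """
    lan = ipaddress.ip_network(lan_cidr)
    per_src = defaultdict(lambda: {"fails": 0, "users": set(),
                                   "telnet_syn": 0, "guessed": None})
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            s = per_src[m.group(2)]
            s["fails"] += 1
            s["users"].add(m.group(1))
            continue
        m = SSH_OK.search(line)
        if m:
            s = per_src[m.group(2)]
            # A success after failures from the same source: the password fell.
            if s["fails"] and s["guessed"] is None:
                s["guessed"] = m.group(1)
            continue
        m = TELNET_SYN.search(line)
        if m:
            per_src[m.group(1)]["telnet_syn"] += 1

    alerts = []
    for src, s in sorted(per_src.items()):
        origin = "lan" if ipaddress.ip_address(src) in lan else "wan"
        if s["fails"] >= threshold or s["telnet_syn"] >= threshold:
            alerts.append({"src": src, "kind": "brute-force", "origin": origin,
                           "ssh_failures": s["fails"], "telnet_syns": s["telnet_syn"],
                           "users_tried": sorted(s["users"])})
        if s["guessed"]:
            alerts.append({"src": src, "kind": "credential-guessed", "origin": origin,
                           "user": s["guessed"],
                           "action": "assume the device is owned: power-cycle, "
                                     "reflash current firmware, set a new password"})
    return alerts


# Constructed sample log: a WAN host guesses the SSH password in five tries,
# a LAN host hammers telnet, and a LAN admin logs in normally once.
SAMPLE_LOG = "\n".join(
    ["Mar 24 03:12:01 gw dropbear[811]: Child connection from 198.51.100.7:43122"]
    + [f"Mar 24 03:12:0{i} gw dropbear[811]: Bad password attempt for '{u}' from 198.51.100.7:43122"
       for i, u in enumerate(["root", "root", "root", "admin", "admin"], start=2)]
    + ["Mar 24 03:12:07 gw dropbear[811]: Password auth succeeded for 'admin' from 198.51.100.7:43122"]
    + [f"Mar 24 03:15:{10 + i:02d} gw kernel: TELNET-IN: IN=br0 OUT= "
       f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.23 DST=192.168.1.1 "
       f"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID={i} DF PROTO=TCP SPT={51000 + i} DPT=23 "
       f"WINDOW=5840 RES=0x00 SYN URGP=0" for i in range(6)]
    + ["Mar 24 03:20:00 gw dropbear[900]: Password auth succeeded for 'admin' from 192.168.1.5:50123"]
)

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

The single successful login from 192.168.1.5 produces no alert because nothing failed before it; the success from 198.51.100.7 does, because the same source had just burned through root and admin guesses. A 'lan' origin on a brute-force alert is the case Seltzer describes: the router is fine so far, but something on the inside is already compromised.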
EUS (reply to VikingBob): This issue has been posted elsewhere on this site, but my comment is: I can think of no reason someone would want their primary security device to be accessible by WAN. -- ~ Project Hope ~
nwrickert: said by EUS: This issue has been posted elsewhere on this site, but my comment is: I can think of no reason someone would want their primary security device to be accessible by WAN.
One reason I have seen is that the router and home network is being managed by the son who lives halfway across the country. Still, I think setting up VPN access or SSH access would be better even in that case. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.7
EGeezer (reply to SUMware): quote: The bot will not persist if the router is power-cycled, but who does that on purpose? I also wouldn't discount the possibility that such a bot could be built to flash itself into an EPROM or some other persistent memory, and then the device is probably unsalvageable. Such an attack would be highly model-specific.
It seems that if telnet and http access is feasible, so is tftp, the common vehicle for uploading firmware. Sure, it's model-specific, but they could target (for example) the large populations of older-level Linky BEFSR41s and other common boxes used by nontechnical folks who bought them years back, did a minimal plug and go, and never looked for firmware updates.
I doubt they'd target third-party firmware. I'd think that those who are savvy enough to employ DD-WRT and other third-party apps would also be savvy enough to secure their routers.
KWIKY (reply to SUMware): Re: Psyb0t: varying the angle of attack
Yeah, I just read about this one. Quite interesting, seeing as how it's the first of its kind. Judging from what I've read, this exploit would need to have remote access enabled in the form of sshd/telnet, etc. in order to work. Going by that logic, I would think this wouldn't be very widespread, because every router I've ever seen does not have remote connection enabled. Unless the exploit enables remote connection, I don't see how this could exploit lots of people. I mean, in order to compromise the router/modem you'll need access to it, and how's that possible if it doesn't have remote administration enabled?
sh3llc0d3 (reply to VikingBob): Re: Worm Breeds Botnet From Home Routers, Modems
So does this worm utilize MIPS shellcode? I tried to find some good MIPS shellcode a while back but couldn't, and I didn't have the skillz to make some. Interesting.
koma3504 (reply to SUMware): Re: More detail
said by SUMware: quote: Disinfection Instructions
We have been getting asked a lot about disinfection instructions.
To disinfect, simply power-cycle your device and take appropriate action to lock it down, including the latest firmware updates, and using a secure password.
Well, that is only a temporary fix, because the ISPs lock the end user out of the enhanced features or out altogether. Example: Ambit modems for cable have a built-in firewall and parental controls, but Charter says that it is a security risk to give those to the end user. 2Wire devices have enhanced features as well, which we are not allowed to have. Speedstream modems have a firewall in them as well, and we are locked out of those, as with Motorola modems. All the ISP-supplied devices have backdoors in them. If those did not exist and the end user had total control of the device at the front of their home network, this would be a non-issue. So the ISPs only have themselves to blame for this attack vector.
-- Koma If You Don't Think It's Possible!! It's Actually A Reality!! The best way to predict the future is to invent it. Alan Kay!! Ya Don't Know The Signal Till Ya Ride It!! Voice Breaks, There's Trouble!!!!
EGeezer: said by koma3504: Well, that is only a temporary fix, because the ISPs lock the end user out of the enhanced features or out altogether.
I have those ISPs who provide routers to my SOHO customers put 'em in stupid mode (bridge/modem only). We use our own routers that *we* control, not the ISP. If they don't want to take away the router feature, daisy-chain a router behind theirs anyway. That way *you* have control of the internet-facing access point of your network.
ConfusedCabler: This is probably a stupid question, but I'm confused ... I have a cable modem supplied by Time Warner. I thought that I could not change the password or anything else on that modem. Is that true? I have changed all the settings and passwords in my router but nothing on the modem.
TIA
EGeezer: I also have Time Warner at home. Business class comes with Time Warner's own router; the last one I installed was a Time Warner-controlled Cisco. I had Time Warner put it in bridge mode and put our own router behind it.
As for passwords, you can access your modem by going to »192.168.100.1/ - no password needed.
All your Surfboard cable modem does is provide an un-firewalled connection from the internet to your router. If you manually assign DNS settings in your router, it will override your modem's DHCP-provided DNS settings.
You can look at logs, see status and signal levels, and reboot the modem. The DHCP server on your modem won't override the settings in your router.
Time Warner has more control of the modem, which usually is limited to firmware upgrades that happen in the middle of the night for me.
koma3504: On a CBN business account on Charter they lock you out of being able to access the modem, period.
And until I had Charter hard-code OpenDNS in my Ambit modem, Charter DNS was in fact taking over, as it was hard-coded in the modem itself; it did not matter that I had other DNS config elsewhere.
Just a FYI