
Botnet Worm Targets DSL Modems and Routers

kdawson posted more than 5 years ago | from the new-vector dept.

Security | 272 comments

CoreDuo writes "The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.



Tomato (3, Interesting)

Merritt.kr (1120467) | more than 5 years ago | (#27306071)

Glad I recently switched my router to Tomato. Works better than DD-WRT, too.

Hackers. (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27306155)

Was the best movie of all time.

Re:Hackers. (2, Funny)

palegray.net (1195047) | more than 5 years ago | (#27306231)

That's like saying CiCi's Pizza is the best dining experience of all time. It's not really pizza, but it is edible...

Re:Hackers. (2, Insightful)

houstonbofh (602064) | more than 5 years ago | (#27306425)

That's like saying CiCi's Pizza is the best dining experience of all time. It's not really pizza, but it is edible...

Sex is like pizza... Even when it is bad, it's still pizza.

Re:Hackers. (1)

Nutria (679911) | more than 5 years ago | (#27307011)

Even when it is bad, it's still pizza.

Some pizza crust is so bad it's inedible...

Re:Hackers. (1)

anagama (611277) | more than 5 years ago | (#27307079)

ever have mayo and corn pizza in Japan?

Re:Hackers. (1)

palegray.net (1195047) | more than 5 years ago | (#27307267)

Better question: did the fact that you ate it in Japan make it taste different? :)

Re:Tomato (2, Informative)

snowraver1 (1052510) | more than 5 years ago | (#27306157)

I'm pretty sure that Tomato is in the same boat. According to the Tomato FAQ, Tomato is Linux based, and according to TFA Embedded Linux devices seem to be the target.

Re:Tomato (5, Informative)

zombietangelo (1394031) | more than 5 years ago | (#27306183)

TFA states:

any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)

This does not exclude Tomato, especially if your router is set up as mentioned or you have weak passwords.

Re:Tomato (5, Informative)

Repton (60818) | more than 5 years ago | (#27306213)

If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable..

Re:Tomato (3, Insightful)

John Hasler (414242) | more than 5 years ago | (#27306257)

> If you allow ssh access from the wide internet...

Why would you do that?

> ...and you have a weak password for root...

Why would you do that?

Re:Tomato (2, Insightful)

Anonymous Coward | more than 5 years ago | (#27306487)

> If you allow ssh access from the wide internet...

Why would you do that?

Normally those routers do not have users other than root...

Re:Tomato (3, Informative)

xiong.chiamiov (871823) | more than 5 years ago | (#27306891)

You don't have to enable remote ssh access to manage your router, unless you really need to administrate it remotely.

Re:Tomato (1)

Repton (60818) | more than 5 years ago | (#27307145)

<shrug> Ask one of the 80,000 who got infected :-)

Re:Tomato (1)

X0563511 (793323) | more than 5 years ago | (#27307403)

> If you allow ssh access from the wide internet...

Why would you do that?

My usage case:

SSH in, tunnel to localhost:80 for web admin.

Would it be better to leave the HTTP/HTTPS world-exposed? Probably not.

Note that with a strong root password and usage of a non-standard port will help keep the bots away. Even better if you disable password authentication for SSH and use a key instead.

Re:Tomato (5, Insightful)

Anonymous Coward | more than 5 years ago | (#27306331)

If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.

Really, just use SSH with private/public keys and you'll be okay.

private/public keys (1)

bobbonomo (997543) | more than 5 years ago | (#27306803)

The commercial routers don't have this option. Um, like D-Link, Linksys, etc. Unfortunately they are the majority of home/small enterprise routers. But this would be the trick to use.

Re:private/public keys (2, Insightful)

tobiasly (524456) | more than 5 years ago | (#27307093)

The commercial routers don't have this option. Um, like D-Link, Linksys, etc. Unfortunately they are the majority of home/small enterprise routers. But this would be the trick to use.

Except anyone who's knowledgeable enough to set up a private/public key based ssh server on their router would have ditched that crippled factory default firmware in the first place and installed something more advanced like Tomato, which does have this feature.

Re:private/public keys (0, Troll)

Darkk (1296127) | more than 5 years ago | (#27307291)

I take it you never worked with an enterprise class router like the SonicWall NSA 3500 which supports the CA type keys for web access protection?

Problem is some network admins don't take the time to set up the firewalls correctly to prevent this sorta thing from happening. I always create rules in the remote firewall to only accept port 443 connections from our static IP address and use strong passwords. The firewalls out in the field have been running without problems.

And I do check the logs frequently for any kind of intrusion problems.

I also run PfSense firewall at home and it's working great for me. It even supports the SSH connection via keys.

Re:Tomato (0)

Anonymous Coward | more than 5 years ago | (#27306961)

I don't know why anyone would even allow SSH into your router from the WAN side. That's crazy. Routers often use funky versions of SSH and stuff, I don't consider them secure if you allow any access to the router itself from the WAN.

If you really need to access the router from the outside then forward a port (like SSH) to a secure machine on the inside and then connect to the router from that machine.

Re:Tomato (1)

zonky (1153039) | more than 5 years ago | (#27307055)

There are of course OpenVPN or other options in some of the *.WRT's as well.

Re:Tomato (0)

Anonymous Coward | more than 5 years ago | (#27307203)

I don't know why anyone would even allow SSH into your router from the WAN side. That's crazy. Routers often use funky versions of SSH and stuff, I don't consider them secure if you allow any access to the router itself from the WAN.

Some of us do have to manage routers across town and across the country.

If you really need to access the router from the outside then forward a port (like SSH) to a secure machine on the inside and then connect to the router from that machine.

And if the secure machine is down, then what?

A better solution is an IPsec vpn to the router from the wan, then login with ssh.

Re:Tomato (3, Informative)

tobiasly (524456) | more than 5 years ago | (#27307041)

If you allow SSH access from the wide internet and you allow passwords, you are probably still vulnerable.

Really, just use SSH with private/public keys and you'll be okay.

Another alternative is to close port 22 and use a non-standard, high-numbered port instead. Not as secure but most automated attacks don't scan all 65536 ports looking for an open one. If I disable passwords I'm always afraid that the one time I really need to get into my LAN will be the one time I don't have my private keys with me.

Re:Tomato (4, Insightful)

Yossarian45793 (617611) | more than 5 years ago | (#27306429)

If you allow ssh access from the wide internet, and you have a weak password for root, you are probably still vulnerable.

If you allow ssh access from the wide internet, and you have a weak password for root, you always were vulnerable. Now the vulnerability is just being exploited in a more automated way.

Re:Tomato (1)

doon (23278) | more than 5 years ago | (#27306893)

If you allow root to login via ssh from $internet with a password (regardless of strength), you've probably got issues... Seriously, port knocking + moving the default ssh port + public key to a non-priv'ed account with a great password (for sudo access), and you are probably a bit better off. Now I have no idea if these devices can do any/all of that, as I have no interest in deploying them to find out.

Re:Tomato (4, Informative)

Krizdo4 (938901) | more than 5 years ago | (#27306245)

Glad I recently switched my router to Tomato. Works better than DD-WRT, too.

Why does this article make you glad you switched?
The same thing that makes OpenWRT/DD-WRT vulnerable seems to be part of Tomato.

FTFA
"any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices)."

From Tomato Features list:
"CLI (using BusyBox) with access via TELNET or SSH (using Dropbear)"

Re:Tomato (3, Informative)

644bd346996 (1012333) | more than 5 years ago | (#27307135)

By default, Tomato doesn't allow remote (from WAN port) administration. I don't know about the other WRT firmwares, but Tomato at least is secure from this exploit by default.

Re:Tomato (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27307117)

Linux sucks anyways. The new generation of exploits is all aimed to Linuxeses Flavoreseses flaws.
So, I keep a router with proprietary software as my border gateway to the Internet, and then all the Linux crap goes inside of the network. If Linux was not free I don't think people will use it for anything.

How Can I Determine If My D-Link Router is Linux- (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27306087)

based?

Re:How Can I Determine If My D-Link Router is Linu (1)

gmuslera (3436) | more than 5 years ago | (#27306185)

The problem, more than being Linux based, is whether it has a fixed/easy/guessable user/password to get into. And while you could be responsible for that kind of info, what if it's not your router/DSL modem, but the one from the company that gives you connectivity? What if they weren't so creative with the password of the device?

Re:How Can I Determine If My D-Link Router is Linu (1)

Darkk (1296127) | more than 5 years ago | (#27307321)

I'd imagine the password would be either "password" or "123456"

Re:How Can I Determine If My D-Link Router is Linu (5, Informative)

The_PHP_Jedi (1320371) | more than 5 years ago | (#27306291)

The subject text box isn't the "write-the-beginning-of-the-message-until-space-runs-out-and-then-use-the-big-textarea-under-it" field. The big textarea under it is there for a clear reason.

Just sayin'.

Th (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27306687)

anks. Boy that reply really helped me out! You're right. This way is much better because now you have to view the post to figure out that what I'm writing is unimportant. By the way, what is that "tell parent poster to bite me" check box all about? I'm just askin.

I attempted to come up with a witty "first post" (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27306091)

But I thought too hard and lost the opportunity. I wear the AC hat with shame.

Tomato (3, Funny)

Anonymous Coward | more than 5 years ago | (#27306131)

Don't forget, Tomatoes get worms too!

Run to my openWRT router and look for.. what? (2, Interesting)

Anonymous Coward | more than 5 years ago | (#27306149)

I actually RTFA, logged into my router, and I'm still not sure what to look for to see if we've been compromised.

What exactly are we looking for?

first post!
-edfardos

Re:Run to my openWRT router and look for.. what? (3, Informative)

Repton (60818) | more than 5 years ago | (#27306171)

Considering that TFA says one of the things the bot does is lock you out, I suggest that if you can log in, you are fine :-)

Re:Run to my openWRT router and look for.. what? (1)

indi0144 (1264518) | more than 5 years ago | (#27306379)

so making a hard reset would clean the router?

I was about to upgrade my router to a Linux based one, now I'll wait a little.

What we see now is a trend into making every web connected appliance a part of a botnet. Will this be the end of scams like Antivirus 2009, since any botnet is more profitable in theory?

Re:Run to my openWRT router and look for.. what? (1)

bobbonomo (997543) | more than 5 years ago | (#27307201)

A Linux based router with public/private keys would do the trick. Well I guess 'till someone breaks that too. DD-WRT has this ability but, when you do turn it on, it does not disable the user/password thing (last time I looked). A -p or something on the sshd command needs to be added.

Re:Run to my openWRT router and look for.. what? (2, Informative)

snowraver1 (1052510) | more than 5 years ago | (#27306189)

If you are logged in using standard SSH port settings, then you should be okay. According to TFA, the worm adds the following rules:

# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP

If your telnet/ssh connections are working, and you can get to the web page, then you should be okay.

Re:Run to my openWRT router and look for.. what? (1)

TheSHAD0W (258774) | more than 5 years ago | (#27307225)

It doesn't block 8080? That means you can use the web interface from outside. Maybe.

Re:Run to my openWRT router and look for.. what? (1)

xmff (1489321) | more than 5 years ago | (#27306737)

What exactly are we looking for?

ls -lh /var/tmp/udhcpc.env

And while you're at it, maybe recheck your password :)
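Both indicators the thread mentions, the three DROP rules quoted from TFA a few comments up and the /var/tmp/udhcpc.env path in the comment just above, folded into one check. This is an added example, not code from the thread or from DroneBL; the rulesets it runs against are constructed samples, and the interface names in the "clean" sample (br0, vlan1) are assumptions.

```shell
#!/bin/sh
# Added example: detect the iptables rules the thread says the worm installs
# (DROP on tcp/22, 23 and 80 in the INPUT chain) and the file path a later
# comment points at. The `iptables -S INPUT` samples below are constructed,
# not captured from a real device.

SAMPLE_INFECTED='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP'

# A ruleset that only exposes SSH on the LAN bridge and drops the WAN side:
# the normal "admin on the local segment only" setup, not the worm's.
# (br0 / vlan1 are assumed interface names.)
SAMPLE_CLEAN='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i vlan1 -j DROP'

# blocked_admin_ports RULESET
# Prints, space separated, which of 22 23 80 are dropped by an INPUT rule that
# has no interface (-i) or source (-s) restriction. Interface-scoped drops are
# deliberately ignored: "-i vlan1 -j DROP" is ordinary hardening, whereas the
# worm's rules lock the admin ports out from every side, LAN included.
blocked_admin_ports() {
    ruleset=$1
    ports=""
    for p in 22 23 80; do
        if printf '%s\n' "$ruleset" \
            | grep -E -- '^-A INPUT ' \
            | grep -E -- '-j DROP$' \
            | grep -v -E -- ' -i | -s ' \
            | grep -q -E -- " --dport $p( |$)"; then
            ports="$ports $p"
        fi
    done
    printf '%s' "${ports# }"
}

# assess_ruleset RULESET
# "infected" when all three admin ports are dropped unconditionally (the
# pattern quoted from TFA), "suspicious" when only some are, else "clean".
assess_ruleset() {
    blocked=$(blocked_admin_ports "$1")
    case "$blocked" in
        "22 23 80") echo infected ;;
        "")         echo clean ;;
        *)          echo suspicious ;;
    esac
}

# dropper_present [PATH]
# Succeeds when the file exists. Defaults to the path named in the thread.
dropper_present() {
    [ -e "${1:-/var/tmp/udhcpc.env}" ]
}

# Demonstration on the constructed samples; safe to run on any machine.
echo "infected sample -> $(assess_ruleset "$SAMPLE_INFECTED")"
echo "clean sample    -> $(assess_ruleset "$SAMPLE_CLEAN")"
if dropper_present; then
    echo "/var/tmp/udhcpc.env exists on this host"
fi
```

On the router itself, feed it the live chain with `assess_ruleset "$(iptables -S INPUT)"`; older BusyBox iptables builds may lack `-S`, in which case compare `iptables -L INPUT -n` by eye against the three rules.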

Re:Run to my openWRT router and look for.. what? (1)

Darkk (1296127) | more than 5 years ago | (#27307327)

Look at the info from the above link....I pasted it in here for you:

http://dronebl.org/blog/8 [dronebl.org]

What to do about it? (5, Insightful)

GrahamCox (741991) | more than 5 years ago | (#27306161)

A. How do we know whether our kit is vulnerable?
B. How to tell whether we are infected?
C. What to do about it if we are?

I'd guess most people, even geeks, just think of their router as a black box and don't know much about them as long as they keep on working.

Re:What to do about it? (1)

Yossarian45793 (617611) | more than 5 years ago | (#27306289)

If you RTFA you'll see that you're only vulnerable if you have a weak password. I guess the worm uses password guessing as the "exploit" to take over your router.

Re:What to do about it? (2, Informative)

nenolod (546272) | more than 5 years ago | (#27307045)

Actually, the worm also exploits some vulnerabilities in the HTTP servers in some of these models.

Re:What to do about it? (5, Informative)

adolf (21054) | more than 5 years ago | (#27306345)

A. Is your password "admin," "root," "password," or some other such simplistic shit? Can you log into it remotely? If so, you're vulnerable.
B. Does SSH still connect? Can you get to your router's web page? If so, it's not infected.
C. It's a router, not something of any great intrinsic value. Nuke the firmware and start over. (Reset, boot_wait, JTAG - lots of ways to nuke a new firmware into these things without having network access to them. Listed previously are some good terms to Google for.)

I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

On the other hand: The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.

Re:What to do about it? (5, Funny)

John Hasler (414242) | more than 5 years ago | (#27306505)

> ...the default configuration doesn't allow remote access from the Internet at all.

True. The crackers have to use the bot that controls his pc and the default password that he didn't change.

Re:What to do about it? (2, Interesting)

Repton (60818) | more than 5 years ago | (#27307233)

I recall reading a while ago about a javascript exploit that would attempt to log in to your router using the default admin login/password. It had a list of a few hundred different defaults to try. If it got in, it would mess with your DNS.

I'm not sure what came of that..

Re:What to do about it? (5, Insightful)

seanadams.com (463190) | more than 5 years ago | (#27306651)

The average Joe, who just buys a WRT54G (aka: black box) from Wal-Mart, plugs it into his cable modem, and logs into the "linksys" SSID from his laptop isn't affected by this worm, since the default configuration doesn't allow remote access from the Internet at all.

But it does allow access from the LAN side, so all that takes is one owned client connecting to that AP. It could even spread via laptops physically roaming to different hotspots (maybe not AT&T etc, but think of an independent coffee shop owner who should not have to be a networking guru).

Routers seem like a nice prize indeed. Always connected and on a public IP, and there are millions of them! I'm surprised it's taken this long.

It's hard enough for most people to just hook one of these up, much less wipe a rootkit from it.

Re:What to do about it? (5, Interesting)

chill (34294) | more than 5 years ago | (#27306771)

I'd guess that most people, even geeks, don't run dd-wrt, tomato, or openwrt on their router unless they've got a pretty good clue about what's going on.

Really?

1. The article claims between 80,000 - 100,000 infected routers.
2. Neither DD-WRT nor OpenWRT allow connections from the outside world by default.
3. The worm brute-forces passwords.

From this we can conclude that there are at least 80-100K geeks who opened their connections to the outside world and used weak passwords. This does not sound like people with a "pretty good clue" to me.

Re:What to do about it? (1)

Darkk (1296127) | more than 5 years ago | (#27307369)

I run DD-WRT on my WRT54G as a wireless access point. Two things I did first were to change the default username and password, and to disable web-admin access via the wireless in case they ever break my WPA2 encryption.

Pretty safe to me.

Re:What to do about it? (1)

MichaelSmith (789609) | more than 5 years ago | (#27306907)

A. Is your password "admin," "root," "password," or some other such simplistic shit?

OpenVMS has a nice feature:

set password/generate

It sets the password then tells you what the password is. Personally on linux and BSD I use

echo $RANDOM$RANDOM

...then set the password to the resulting string.

Re:What to do about it? (0)

Anonymous Coward | more than 5 years ago | (#27307357)

Personally on linux and BSD I use


echo $RANDOM$RANDOM

...then set the password to the resulting string.

That seems to only make numbers 0-9...not very secure.
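The entropy point made in the reply above, worked through with a /dev/urandom alternative. Added example, not from either commenter; the 20-character length and the A-Za-z0-9 alphabet are choices of this example, and tr/head/awk are assumed to be the usual GNU or BusyBox versions.

```shell
#!/bin/sh
# Added example (not from the thread): generate a router password from
# /dev/urandom and compare its entropy with the $RANDOM$RANDOM trick above.

# gen_password [LEN]
# LEN characters (default 20) drawn from A-Za-z0-9 via /dev/urandom.
# LC_ALL=C keeps tr byte-oriented so a multibyte locale cannot skew the filter.
gen_password() {
    len=${1:-20}
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# entropy_bits ALPHABET_SIZE DRAWS
# Bits of entropy for DRAWS independent uniform picks from ALPHABET_SIZE
# symbols: DRAWS * log2(ALPHABET_SIZE), rounded to the nearest integer.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.0f", k * log(n) / log(2) }'
}

# $RANDOM is a 15-bit value (0..32767), so `echo $RANDOM$RANDOM` is two such
# draws glued together, not a uniform ten-digit number: at most about 30 bits,
# and digits only. Twenty urandom characters over 62 symbols are ~119 bits.
RANDOM_TRICK_BITS=$(entropy_bits 32768 2)
URANDOM_20_BITS=$(entropy_bits 62 20)

echo "\$RANDOM\$RANDOM: at most ~${RANDOM_TRICK_BITS} bits"
echo "20 chars of [A-Za-z0-9] from /dev/urandom: ~${URANDOM_20_BITS} bits"
echo "example password: $(gen_password 20)"
```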

Re:What to do about it? (0)

Anonymous Coward | more than 5 years ago | (#27307239)

I'm more worried about the modem. I don't control that.

Re:What to do about it? (1)

noidentity (188756) | more than 5 years ago | (#27307339)

It's a router, not something of any great intrinsic value. Nuke the firmware and start over. (Reset, boot_wait, JTAG - lots of ways to nuke a new firmware into these things without having network access to them. Listed previously are some good terms to Google for.)

I'm just curious; if the malware alters the flash memory, how can you trust the reflash functionality? Is there some kind of unmodifiable boot ROM that the boot_wait functionality runs from, i.e. it works even if you rewrite every byte of the flash with zero?

Re:What to do about it? (1)

Krizdo4 (938901) | more than 5 years ago | (#27306377)

A. Telnet or SSH listening to the internet + weak username/password
B. Configuration access via port 22 (SSH), 23 (TELNET), and 80 (HTTP) are all blocked (assuming you normally would use one of these).
C. Reflash your device (tftp method probably). Pick a secure password.

Re:What to do about it? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27306663)

A. How do we know whether our kit is vulnerable?
B. How to tell whether we are infected?
C. What to do about it if we are?

I'd guess most people, even geeks, just think of their router as a black box and don't know much about them as long as they keep on working.

Yes, folks, this is the kind of post that gets modded as "+5 Insightful" on Slashdot these days. Sad, but true.

Easy fix (5, Funny)

Anonymous Coward | more than 5 years ago | (#27306217)

Not a big deal, you can just:

ssh to your router
ifconfig eth0 down

All fixed, not vulnerable anymore.

Re:Easy fix (1)

Darkk (1296127) | more than 5 years ago | (#27307379)

Ummm...then it doesn't really fix the problem..just annoyed buncha users! LOL

Re:Easy fix (1)

TinBromide (921574) | more than 5 years ago | (#27307397)

woosh

Scary Targets... (3, Insightful)

IonOtter (629215) | more than 5 years ago | (#27306253)

Okay, now this is scary.

Folks having OpenWRT/DD-WRT are usually a bit more savvy than the average user, so to see something specifically targeting such users is surprising.

And the fact it's gone this long without being noticed is even MORE frightening.

Re:Scary Targets... (0)

Anonymous Coward | more than 5 years ago | (#27306413)

Perhaps because all the savvy users picked good passwords and didn't allow WAN access to config ports.

Re:Scary Targets... (2)

pushing-robot (1037830) | more than 5 years ago | (#27306455)

If you let anyone on the internet ssh into your linux boxes, and your root password is "admin" or somesuch, why is it surprising that someone will eventually exploit you?

This virus does not target "savvy users". Like most viruses, it targets idiots.

Re:Scary Targets... (1)

Foodie (980694) | more than 5 years ago | (#27307109)

The problem is that these are slightly more savvy idiots. :)

Re:Scary Targets... (5, Insightful)

Techman83 (949264) | more than 5 years ago | (#27306533)

TFA:

any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).

Anyone savvy enough to want to run OpenWRT/DD-WRT should hopefully be savvy enough to have a decent password. I'm guessing by DMZ it means open slather access to the device. Open slather + weak password = your own stupidity.

Re:Scary Targets... (1)

lumenistan (1165199) | more than 5 years ago | (#27306547)

The choice of words in this post is interesting.

Instead of being scared or frightened, check if you have a vulnerable device in a vulnerable configuration. If you do, change the password, or better yet, flash the firmware. Monitor your other systems for signs of compromise. Fix any issues you find in the manner that makes the most sense.

I don't see where the implications of this botnet are any more or less scary than any other botnet based on the affected population. I imagine for most OpenWRT users, their device is their main gateway to the internet and once they have the device configured the way they want, they don't have much of a need to mess with it unless their needs change, and out of sight, out of mind.

We have enough manufactured fear being thrown at us as it is.

This is my opinion, please feel free to disagree.

Re:Scary Targets... (0)

Anonymous Coward | more than 5 years ago | (#27306573)

No, what's scary is that the security on many of these things is so damn sloppy that the worm could actually do something to them.

Weak passwords on exposed SSH login on the DMZ?

WTF? You'd put that configuration into service?

Re:Scary Targets... (0)

Anonymous Coward | more than 5 years ago | (#27306913)

Oh, I knew it was happening, I even saw it in my router logs a week ago. I just didn't care because I don't allow remote login. It piqued my interest, and I have to admit I was a little surprised. But, I didn't see the point in banging the drums, since everyone generally ignores me when I tell them they're vulnerable. I guess if you point something out enough, people stop listening. It is sort of like the boy who cried wolf, except there really are wolves and people want to stop being reminded they're being eaten alive.

Preventative workaround (2, Informative)

XanC (644172) | more than 5 years ago | (#27306275)

Configure the device for IPv6, over a tunnel or whatever. The worm blocks your control ports using iptables, but not apparently ip6tables.

Re:Preventative workaround (1)

Krizdo4 (938901) | more than 5 years ago | (#27306443)

If you're relying on this particular worm not blocking ip6, why don't you just enable ssh on a second, high numbered port.

Re:Preventative workaround (3, Informative)

ristretto_dreams (1420209) | more than 5 years ago | (#27307123)

errr, yeah, if you want to kill an ant with a nuke.

Or just change your password from the default and set ssh/web/telnet administration to local segment only.

Did you read the article?

Admin interface open on the WAN side? (5, Interesting)

Mondo1287 (622491) | more than 5 years ago | (#27306279)

Who has their router set to allow access to the admin interface from the wan side? This is certainly not done by default. Is there some sort of browser hijack involved with this to gain access to the inside of the network?

Re:Admin interface open on the WAN side? (1)

kyjl (965702) | more than 5 years ago | (#27307315)

I've yet to see a router - enterprise, consumer or otherwise - that does enable that out-of-box and frankly it would be STUPID as SHIT to do that. But it does have its uses.

My Tomato'd WRT54GL originally had outside web access via SSL as my roomie didn't have a laptop and he wanted to do work over at his girlfriend's place often. The ports were already ready to go for SSH and whatnot, just he left his Mac to go to sleep after 30 minutes or some such nonsense. He'd log in to the router, WOL, wait a minute, then he'd be ready to go. While we don't get metered for power usage (on-campus apartments, WOO!) it saved some power.

After he got his MBP and scrapped the iMac he never had a use for remote access but I never bothered to turn it off. Now that I found out about this worm I turned it off fast as Hell.

Needs more detail (5, Interesting)

lordtoran (1063300) | more than 5 years ago | (#27306319)

Ok, TFA states

Get a shell on the vulnerable device (methods vary).

How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.

The article doesn't go into the essential details, so I call FUD until proven otherwise.

Re:Needs more detail (2, Informative)

Krizdo4 (938901) | more than 5 years ago | (#27306527)

Ok, TFA states

Get a shell on the vulnerable device (methods vary).

How will this supposed worm manage to login to the box? Brute force? Properly configured Linux will block login attempts for quite a while after several failures. SSH? Can't be compromised within a reasonable time. Telnet? Not supported on all routers I know.

The article doesn't go into the essential details, so I call FUD until proven otherwise.

From the article:

any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).

Telnet is used at least on OpenWRT after you first flash it but before you set a root password.

No consumer router I've used blocked repeated failed password attempts by default.

A bug in the web interface for the default Linksys allowed people to load the OpenWrt by sending shell commands to turn on boot wait. Just do the same but insert malicious shell code instead with the default password.

Re:Needs more detail (1)

v1 (525388) | more than 5 years ago | (#27306557)

One would assume it does a slow throttled attempt, starting with the true idiot passwords like "admin", "administrator", "root", "password" etc. Those four alone probably get you into 10% of those routers.

Re:Needs more detail (1)

Plekto (1018050) | more than 5 years ago | (#27306725)

One would assume it does a slow throttled attempt, starting with the true idiot passwords like "admin", "administrator", "root", "password" etc. Those four alone probably get you into 10% of those routers.

The number of clients that I used to run into doing consulting that had no password set on their machines at all on any level was about 10-20%. They buy it and plug it in and that's that. Then the insanity starts as they are often connected to a DSL or cable connection 24/7 without any real protection.

Re:Needs more detail (0)

Anonymous Coward | more than 5 years ago | (#27306633)

For default OpenWRT, Telnet is only enabled for a brief time from a LAN port. It is disabled on wireless and WAN.

Re:Needs more detail (1)

AHuxley (892839) | more than 5 years ago | (#27306721)

Like root, admin?
username is blank?

Re:Needs more detail (5, Insightful)

pushing-robot (1037830) | more than 5 years ago | (#27306755)

1. Be granted root access to the vulnerable device.

2. Do something nasty.

describes 99% of *nix (Linux, BSD, OS X) "exploits" I've seen.

Some of it is intentional FUD, but it's still a good example of why users should be forced to learn exactly what programs are allowed to do with user and root/admin privileges.

Most folks still think of programs the way they think of physical gadgets. Users don't understand privileges, and assume that programs are by nature isolated from each other, the operating system, and the user's personal files.

It doesn't occur to them that a malfunctioning toaster could suddenly delete their car.

Old news to me (3, Insightful)

GaryOlson (737642) | more than 5 years ago | (#27306391)

I commented on this exact subject about 18 months ago. [slashdot.org] Amused to see the security industry finally catching up.

Re:Old news to me (1)

snowraver1 (1052510) | more than 5 years ago | (#27306653)

That's pretty awesome. Hats off to you good sir!

Re:Old news to me (0)

Anonymous Coward | more than 5 years ago | (#27306659)

you were ahead of everyone else cos you got pwn3d? that's fucking rich.

Re:Old news to me (1)

maxume (22995) | more than 5 years ago | (#27306887)

Did you have a reasonable password set? The security industry has known that weak passwords are an issue for a lot longer than 18 months (though I do doubt that most cheapo routers have much support for anything like rate limiting, or alarms).

Re:Old news to me (2, Informative)

GaryOlson (737642) | more than 5 years ago | (#27307289)

Yes, I had complex and increasingly long passwords set -- the last password was 22 characters long with mixed case and special characters. And, configuring the router from the WAN was disabled.

And you really needed to... (4, Interesting)

m6ack (922653) | more than 5 years ago | (#27306683)

... administer your home router over the Internet? Who does that? If you don't have an open port, even on these boxen, how could you be attacked?

But, it seems to me that this is more likely an attack on stock Linksys boxen that re-flashes with a special DD-WRT designed to "phone home." Yes, DD-WRT/OpenWRT are also vulnerable if they have weak passwords, but the bulk is more likely the former.

(Disclaimer: My home router runs HyperWRT & is not listed in DroneBL.)

Tightening up security (0)

Anonymous Coward | more than 5 years ago | (#27306691)

I'm glad I saw this story. Even though I'd been using a fairly strong password, I've now disabled password login via SSH and am forcing key based authentication.

Copying the key to my cell phone; I always have it with me, so I'll always have the means to connect to my router for SSH tunneling, whatever.

Also, I put a password on the key. It could be overkill, but it's not any less convenient to do so and adds a little more security to the whole process.

OpenWRT/DD-WRT devices all appear to be vulnerable (5, Insightful)

xmff (1489321) | more than 5 years ago | (#27306705)

How so? At least on OpenWrt, SSH and Webif aren't even exposed to the wan side without manually changing the iptables rules first.

I guess it's the same on DD-Wrt.

The devices that were targeted appear to have some serious flaws; here's a cite from an analysis [adam.com.au] of the malware:

"Several revisions of the NB5 modem shipped with a flaw which meant that the web configuration interface was visible from the WAN side, accepting connections and allowing users to administer the modem using the default username and password of 'admin' from outside the LAN. Furthermore, some of these modems suffered from another flaw, meaning that by default, authentication was not enabled for the web interface - meaning no username or password was required."

It really boils down to the usual find-weak-logins style of attacks, only the target platform has changed.
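The two checks raised in this thread (is SSH or the web UI reachable from the WAN side, and does dropbear still accept password logins) as an added audit script. This is not code from the thread or from OpenWrt; the WAN interface name eth0.2 and both config samples are constructed assumptions, adjust them for your device.

```shell
#!/bin/sh
# Added audit helpers, not from the thread. All inputs below are constructed
# samples; the WAN interface name eth0.2 is an assumption.

# Constructed `iptables-save` INPUT rules from a box where someone opened
# SSH (22) and the web UI (80) to the WAN side.
EXPOSED_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -i br-lan -j ACCEPT
-A INPUT -i eth0.2 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0.2 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0.2 -j DROP'

# Same box with the two WAN accept rules removed (the stock posture).
CLEAN_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -i br-lan -j ACCEPT
-A INPUT -i eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0.2 -j DROP'

# Constructed /etc/config/dropbear (OpenWrt UCI format) still allowing
# password logins.
DROPBEAR_CFG="config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'"

# wan_exposed_ports IFACE RULES: print every --dport that an INPUT rule
# ACCEPTs when the packet arrives on IFACE. Exit 1 if any, 0 if none.
wan_exposed_ports() {
    found=$(printf '%s\n' "$2" \
        | grep -- '^-A INPUT ' \
        | grep -F -- "-i $1 " \
        | grep -F -- '-j ACCEPT' \
        | grep -o -- '--dport [0-9]*' \
        | awk '{print $2}')
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# ssh_password_auth_on CFG: exit 0 if dropbear still accepts passwords
# (PasswordAuth not explicitly off/0), 1 if it is key-only.
ssh_password_auth_on() {
    if printf '%s\n' "$1" | grep -Eq \
        "^[[:space:]]*option[[:space:]]+PasswordAuth[[:space:]]+'?(off|0)'?"; then
        return 1
    fi
    return 0
}
# On a real router: wan_exposed_ports eth0.2 "$(iptables-save)"
```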

Re:OpenWRT/DD-WRT devices all appear to be vulnera (1)

LingNoi (1066278) | more than 5 years ago | (#27306833)

I got DD-wrt and I am pretty sure everything is off by default when you first install.

Re:OpenWRT/DD-WRT devices all appear to be vulnera (1)

nenolod (546272) | more than 5 years ago | (#27307081)

That analysis is old.

And, it only targets DD-WRT/OpenWRT/Tomato routers configured in the way described in the article.

Re:OpenWRT/DD-WRT devices all appear to be vulnera (1)

xmff (1489321) | more than 5 years ago | (#27307107)

So the conclusion is "worm can infect machines with weak logins - now runs on mipsel too". :) Thanks for the info.

Rumpelstiltskin. (2, Interesting)

aXi (6533) | more than 5 years ago | (#27306757)

This has put a new twist on the story of Rumpelstiltskin.
Don't set the password to a simple name you plan on saying while talking to yourself and gloating.

mod 0p (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27306783)

shall we? OK! surveys show That that has lost about a project the project to OpenBSD wanker Theo a BSD over other survival prospects visit lizard - In other

One word... (1)

GooDieZ (802156) | more than 5 years ago | (#27306819)

m0n0wall

maybe savvy users use bsd instead...

Re:One word... (0)

Anonymous Coward | more than 5 years ago | (#27306903)

Maybe savvy users don't use weak passwords with ssh exposed to wan? Even fancy m0n0wall would be just a toy then...

Worried, then safe (0)

Anonymous Coward | more than 5 years ago | (#27306901)

I own a wrt54gl running ddwrt. I was initially worried, but double checked. I use a secure username and non-trivial password (not a word and number/letter combination), and also don't allow remote administration. Done.

Current anti-virus defs fail to pick up this nasty (-1)

Anonymous Coward | more than 5 years ago | (#27306977)

My copy of Norton Anti-virus For Routers fails to pick up psyb0t even with the most current router definitions.

The helpdesk tech did say that if I was willing to add 4 gig of memory, that Vista for Routers is not affected by this bot.

Wait Till They Get Verizon Routers Rooted (3, Informative)

darkmeridian (119044) | more than 5 years ago | (#27307147)

The modem/router that Verizon provided for their DSL service had the firmware remotely upgraded. There is no way to avoid these updates. I hope it is secure. If someone roots that process, it will be the mother of all DDOS attacks.

DSL in bridge mode (1)

baomike (143457) | more than 5 years ago | (#27307377)

Can I feel smug that I use a dsl modem in bridge mode to a slack box (dual home) using iptables for NAT?
I am hoping...
