To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Gadi,
There have long been exploits for numerous types of routers, whether
they be remote administration hacks or, in most cases, simple DoS
packets.  After reading the security article you posted about the
Deutsche Telekom Speedport w700v, I fail to see in any way how this
relates to botnets.

I'm not sure if you are talking about making routers into bots, or
attacking machines behind the routers, so I will simply address both.

Bot Routers:

First, routers are notoriously easy to DoS
(http://www.devhardware.com/forums/networking-34/linksys-router-dos-vulnerability-4078.html,
http://www.securiteam.com/securitynews/5NP0P1FJ5Q.html, many many
more...) but when it comes to running any code from them, it is simply
not practical.  To do so, you would need to rewrite the firmware such
as DD-WRT does (http://www.dd-wrt.com/dd-wrtv2/index.php).  Sure you
could use it to tunnel past security to see machines inside, but the
effort involved to take over a machine is simply not feasible.

Second, the link to such "exploited routers"
(http://blogs.securiteam.com/index.php/archives/826) is nothing more
than a configuration login, the same way an HTTP administration is
done.  Such access does not allow running of code, and thus becomes
useless unless you are trying to get to machines behind it, which, as I
stated, is a waste of time from a botnet point of view.

Lastly, botnets are created for the purpose of self-replication and
expansion; they are used en masse for many different types of things.
You don't want to lose bots.  Any time a computer is infected, Linux,
Windows, BSD, a good bot will be very difficult to entirely delete.
Routers from an administration standpoint are very easy to either
upgrade in firmware, or if that has been disabled, replace
altogether.

Computers Behind Routers:
If you can change the administration to allow, say, a VPN through the
firewall/router to the inside network, then what?  The machines you
are trying to make into bots might be all workstations with no vulns,
and you have wasted your time with a trivial router.  Sure, if you are
trying to hack into a corporation, this VPN would be a GREAT start;
however, botnets do not target; their purpose is to infect as fast and
secretively as possible.  Why go through all this trouble when you
could spoof an email and send them all to a recent IE vuln site and
infect instead?

This router problem is definitely nothing to take lightly within the
corporate and private setting.  From the purpose of botnets, however,
it seems trivial, as bots don't set up VPNs to infect; they don't search
for router hacks because they aren't trying to hack routers. They don't
do more than they have to in order to infect a host.

Just my two cents,
(sorry, I'm new, and if I came off like an ass it was not the purpose)
And for the record, I would LOVE to see a PoC for routers as bots =]

sitexec


On 5/11/07, Gadi Evron <[EMAIL PROTECTED]> wrote:
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> ----------
> In this post I'd like to discuss the threat widely circulated insecure
> broadband routers pose today. We have touched on it before.
>
> Today, yet another public report of a vulnerable DSL modem type was posted
> to bugtraq, this time about a potential WIRELESS flaw with broadband
> routers being insecure at Deutsche Telekom. I haven't verified this one
> myself but it refers to "Deutsche Telekom Speedport w700v broadband
> router":
> http://seclists.org/bugtraq/2007/May/0178.html
>
> If you all remember, there was another report a few months ago about a UK
> ISP named BeThere with their wireless router being accessible from the
> Internet and exploitable, as another example:
> http://blogs.securiteam.com/index.php/archives/826
>
> Two issues here:
> 1. Illegitimate access to broadband routers via wireless communication.
> 2. Illegitimate access to broadband routers via the WAN.
>
> I'd like to discuss #2.
>
> Some ISPs which provide such devices (as in the example of #2 above) use
> them as bridges only, preventing several attack vectors (although not
> all). Many others don't. Most broadband ISPs have a vulnerable user-base
> on some level.
>
> Many broadband ISPs around the world distribute such devices to their
> clients.
>
> Although the general risk is well known, like with many other security
> issues many of us remained mostly quiet in the hope of avoiding massive
> exploitation. As usual, we only delayed the inevitable. I fear that the
> lack of awareness among some ISPs for this "not yet widely exploited
> threat" has resulted in us not being PROACTIVE and taking action to secure
> the Internet in this regard. What else is new, we are all busy with
> yesterday's fires to worry about tomorrow's.
> Good people will REACT and solve the problem when it pops up in
> wide-exploitation, but what we may potentially be facing is yet another
> vector for massive infections and the creation of eventual bot armies on
> yet another platform.
>
> My opinion is that with all these public disclosures and a ripe pool of
> potential victims, us delaying massive exploitation of this threat may not
> last. I believe there is currently a window of opportunity for service
> providers to act and secure their user-base without rushing. Nothing in
> security is ever perfect, but actions such as changing default passwords
> and preventing connections from the WAN to these devices would be a good
> step to consider if you haven't already.
>
> My suggestion would be to take a look at your infrastructure and what your
> users use, and if you haven't already, add some security there. You
> probably have a remote login option for your tech support staff which you
> may want to explore - and secure. That's if things were not left at their
> defaults.
>
> Then, I'd also suggest scanning your network for what types of broadband
> routers your users make use of, and how many of your clients have port 23
> or 80 open. Whether you provide the devices or not, many will be
> using different ones set to default which may pose a similar threat. Being
> aware of the current map of vulnerable devices of this type in your
> networks can't hurt.
>
> It is not often that we can predict which of the numerous threats out
> there that we do not currently address is going to become exploited
> next. If you can spare the effort, I'd strongly urge you to explore this
> front and be proactive on your own networks.
>
> The previous unaddressed threat which most of us chose to ignore was
> spoofing. We all knew of it for a very long time, but some of us believed
> it did not pose a threat to the Internet or their networks for no other
> reason than "it is not currently being exploited" and "there are enough
> bots out there for spoofing to not be necessary". I still remember the
> bitter argument I had with Randy Bush over that one. This is a rare
> opportunity, let's not waste it.
>
> We are all busy, but I hope some of you will have the time to look into
> this.
>
> I am aware of and have assisted several ISPs, who spent some time and
> effort exploring this threat and in some cases acting on it. If anyone can
> share their experience on dealing with securing their infrastructure in
> this regard publicly, it would be much appreciated.
>
> Thanks.
>
> Gadi Evron.
>
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
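The quoted post recommends that an ISP scan its own address space for customer devices with port 23 or 80 reachable from the WAN and build a "map" of them. The script below is an added example and is not part of the thread or of any tool mentioned in it: it parses nmap grepable (`-oG`) output, which a provider would generate against its own ranges, and summarizes which hosts expose telnet or HTTP management from the Internet and what banners they present. The scan lines embedded in it are constructed sample data, not real scan results, and the addresses come from the documentation range 192.0.2.0/24.

```python
"""Inventory WAN-exposed router management ports from nmap -oG output.

Added example for the broadband-router thread; constructed sample data.
Grepable lines look like (tab-separated fields after the host):
  Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
"""
from collections import Counter

# Management ports the post singles out: telnet and HTTP admin interfaces.
MGMT_PORTS = {23: "telnet", 80: "http"}

# Constructed sample scan output (NOT real results); addresses are from 192.0.2.0/24.
SAMPLE_SCAN = "\n".join([
    "# Nmap 4.20 scan initiated (constructed sample, not real output)",
    "Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http//micro_httpd/\tIgnored State: closed (998)",
    "Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http//micro_httpd/\tIgnored State: closed (999)",
    "Host: 192.0.2.12 ()\tStatus: Up",
    "Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, 23/closed/tcp//telnet///\tIgnored State: closed (998)",
    "Host: 192.0.2.13 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: filtered (999)",
    "# Nmap done (constructed sample)",
])


def parse_grepable(text):
    """Return {ip: [(port, service, version), ...]} for open TCP ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / status lines carry no port data
        fields = line.split("\t")
        ip = fields[0].split()[1]
        open_ports = []
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                cols = entry.strip().split("/")
                if len(cols) < 7:
                    continue  # malformed entry; skip rather than guess
                port, state, proto, _owner, service, _rpc, version = cols[:7]
                if state == "open" and proto == "tcp":
                    open_ports.append((int(port), service, version))
        # A host may appear on a "Status: Up" line and again with ports; merge.
        hosts.setdefault(ip, []).extend(open_ports)
    return hosts


def exposed_management(hosts, mgmt_ports=MGMT_PORTS):
    """Keep only hosts with at least one management port open from the WAN."""
    exposed = {}
    for ip, ports in hosts.items():
        hits = [p for p in ports if p[0] in mgmt_ports]
        if hits:
            exposed[ip] = hits
    return exposed


def summarize(exposed):
    """Count exposures per port and per reported banner (the device 'map')."""
    by_port, by_banner = Counter(), Counter()
    for hits in exposed.values():
        for port, _service, version in hits:
            by_port[port] += 1
            by_banner[version or "(no banner)"] += 1
    return by_port, by_banner


if __name__ == "__main__":
    exposed = exposed_management(parse_grepable(SAMPLE_SCAN))
    by_port, by_banner = summarize(exposed)
    print(f"{len(exposed)} host(s) expose management ports to the WAN")
    for port, n in sorted(by_port.items()):
        print(f"  tcp/{port} ({MGMT_PORTS[port]}): {n}")
    for banner, n in by_banner.most_common():
        print(f"  banner {banner!r}: {n}")
```

Feeding real `nmap -oG` output of the provider's own customer ranges into `parse_grepable` gives the per-port and per-banner counts the post asks for; grouping by banner is what lets an ISP tell a single widespread default-configured model apart from scattered one-off devices when deciding which customers to contact or which WAN-side filtering to deploy.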
