Adrian, thank you for sharing this with us. Gadi.
On 2/24/10 12:20 AM, Adrian P. wrote:
> It's no secret that there are tons of broadband routers/modems with exposed admin interfaces (HTTP/SSH/Telnet/whatever) using default/weak credentials.
>
> While the Chuck Norris botnet is interesting in that it shows that the problem is real, it shouldn't surprise anyone who has researched the security of broadband embedded devices.
>
> It's also not the first time an incident of this nature has happened. I'm sure a lot of the list readers remember the mass-phishing attack launched November 2007 [1] against several popular 2Wire broadband routers in Mexico. The attack was accomplished by means of changing the router's DNS settings via a CSRF hole on the web interface.
>
> A similar issue used to exist on the BT Home Hub and was reported in October 2007 [2] (a month earlier) where it was possible to compromise the router by tricking a user into visiting a malicious page. The payload [3] would then exploit an authentication bypass and CSRF vulnerability in order to enable the "remote assistance" feature. (The intended purpose of this feature was to allow BT engineers to remotely troubleshoot home routers.) The attacker could then log in remotely to the router with admin privileges using a password of his choice (set in the actual exploit payload).
>
> And of course there is the infamous BeThere backdoor admin account reported in February 2007 which you mentioned in your article [4].
>
> The security of home-grade embedded devices has a long way to go. I think that the home router hacking challenge [5] [6] confirmed this by showing that many of these devices are affected by serious vulnerabilities, many of which are trivially exploitable.
>
> I couldn't agree more that ISPs do need to take responsibility and ensure that new modem/router builds are audited for common security issues before being distributed to their broadband customers.
>
> ap
>
> [1] http://www.hispasec.com/unaaldia/3313
> [2] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub/
> [3] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4/
> [4] http://blogs.securiteam.com/index.php/archives/826
> [5] http://www.gnucitizen.org/projects/router-hacking-challenge/
> [6] http://marc.info/?l=bugtraq&m=120441195905480&w=2
>
> On Mon, Feb 22, 2010 at 2:22 PM, Gadi Evron<g...@linuxbox.org> wrote:
>> Last week Czech researchers released information on a new worm which exploits CPE devices (broadband routers) by means such as default passwords, constructing a large DDoS botnet. Today this story hit international news.
>>
>> Original Czech:
>> http://praguemonitor.com/2010/02/16/czech-experts-uncover-global-virus-network
>>
>> English:
>> http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html
>>
>> When I raised this issue before in 2007 on NANOG, some other vetted mailing lists and on CircleID, the consensus was that the vendors will not change their position on default settings unless "something happens". I guess this is it, but I am not optimistic on seeing activity from vendors on this now, either.
>>
>> CircleID story 1:
>> http://www.circleid.com/posts/broadband_routers_botnets/
>>
>> CircleID story 2:
>> http://www.circleid.com/posts/broadband_router_insecurity/
>>
>> The spread of insecure broadband modems (DSL and Cable) is extremely widespread, with numerous ISPs, large and small, whose entire (read: significant portions of) broadband population is vulnerable. In tests Prof. Randy Vaughn and I conducted with some ISPs in 2007-8 the results have not been promising.
>>
>> Further, many of these devices worldwide serve as infection mechanisms for the computers behind them, with hijacked DNS that points end-users to malicious web sites.
>>
>> On the ISPs' end, much like in the early days of botnets, many service providers did not see these devices as their responsibility -- even though in many cases they are the providers of the systems, and these posed a potential DDoS threat to their networks. As a mind-set, operationally taking responsibility for devices located at the homes of end users made no sense, and therefore the stance ISPs took on this issue was understandable, if irresponsible.
>>
>> As we can't rely on the vendors, ISPs should step up, and at the very least ensure that devices they provide to their end users are properly set up (a significant number of ISPs already pre-configure them for support purposes).
>>
>> The Czech researchers have done a good job and I'd like to thank them for sharing their research with us.
>>
>> In this article by Robert McMillan, some details are shared in English:
>>
>> ----------
>> Discovered by Czech researchers, the botnet has been spreading by taking advantage of poorly configured routers and DSL modems, according to Jan Vykopal, the head of the network security department with Masaryk University's Institute of Computer Science in Brno, Czech Republic.
>>
>> The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: "in nome di Chuck Norris," which means "in the name of Chuck Norris." Norris is a U.S. actor best known for his martial arts films such as "The Way of the Dragon" and "Missing in Action."
>>
>> Security experts say that various types of botnets have infected millions of computers worldwide to date, but Chuck Norris is unusual in that it infects DSL modems and routers rather than PCs.
>>
>> It installs itself on routers and modems by guessing default administrative passwords and taking advantage of the fact that many devices are configured to allow remote access. It also exploits a known vulnerability in D-Link Systems devices, Vykopal said in an e-mail interview.
>>
>> A D-Link spokesman said he was not aware of the botnet, and the company did not immediately have any comment on the issue.
>>
>> Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can infect an MIPS-based device running the Linux operating system if its administration interface has a weak username and password, he said. This MIPS/Linux combination is widely used in routers and DSL modems, but the botnet also attacks satellite TV receivers.
>> ----------
>>
>> Read more here:
>> http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html
>>
>> I will post updates on this as I discover them on my blog, under this same post, here:
>> http://gadievron.blogspot.com/2010/02/chuck-norris-botnet-and-broadband.html
>>
>> Gadi.
>>
>
>
-- 
Gadi Evron, g...@linuxbox.org.
Blog: http://gevron.livejournal.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
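The CSRF pattern Adrian describes (a visited page making the browser submit a DNS-settings change with the router's own session), shown as an added example that is not code from the thread or from any router firmware: a vulnerable handler beside one hardened with a per-session anti-CSRF token and an Origin check. The admin UI address 192.168.1.1 and all DNS values are assumptions constructed for the example.

```python
# Added illustration of a router admin handler that changes DNS settings.
# The vulnerable form trusts only the ambient session cookie; the hardened
# form also demands a per-session token and a browser-set Origin header.
# Addresses are constructed (RFC 5737 documentation ranges), not real.
import hmac
import secrets

TRUSTED_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the admin UI
DEFAULT_DNS = ["192.0.2.53"]            # constructed starting resolver

def new_session():
    """Constructed admin session; the anti-CSRF token is random per login."""
    return {"authenticated": True, "csrf_token": secrets.token_hex(16)}

def vulnerable_set_dns(request, config):
    """Vulnerable pattern: the session cookie, which the browser attaches
    automatically, is the only check, so a cross-site form post succeeds."""
    if not request["session"]["authenticated"]:
        return False
    config["dns"] = request["form"]["dns"].split(",")
    return True

def hardened_set_dns(request, config):
    """Hardened: additionally require the per-session token, which a page on
    another origin cannot read, and an Origin header matching the admin UI."""
    session = request["session"]
    if not session["authenticated"]:
        return False
    if request["headers"].get("Origin") != TRUSTED_ORIGIN:
        return False
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False
    config["dns"] = request["form"]["dns"].split(",")
    return True

def cross_site_request(session):
    """Constructed request as a browser sends it from a page on another
    origin: the session rides along, no token, Origin is the foreign site."""
    return {"session": session,
            "headers": {"Origin": "http://example.net"},
            "form": {"dns": "198.51.100.1"}}

def same_site_request(session):
    """Constructed legitimate request from the router's own settings form."""
    return {"session": session,
            "headers": {"Origin": TRUSTED_ORIGIN},
            "form": {"dns": "192.0.2.53", "csrf_token": session["csrf_token"]}}
```

Browsers of the 2007 era did not all send Origin, which is why the token, not the header, is the primary control here.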