#115613 - 03/03/10 11:24 PM Memory-Resident Malware Infects Routers
dudster Offline
Prime Rib

Registered: 09/14/00
Posts: 6830
Loc: www.infowars.com
Memory-Resident Malware Infects Routers
The rise of the Chuck Norris botnet


By Lucian Constantin, Web News Editor

February 22nd, 2010, 16:33 GMT


Czech security researchers warn of a worm-like piece of malware infecting Linux-based routers, DSL modems and other embedded devices. The infected devices form a botnet capable of launching Distributed Denial of Service (DDoS) attacks.

According to a report from Computerworld, the researchers have named the worm Chuck Norris, after a comment found in the malware code, which reads, "In nome di Chuck Norris," Italian for "in the name of Chuck Norris." Jan Vykopal, the head of the network security department with Masaryk University's Institute of Computer Science in Brno, the Czech Republic, explains that poorly configured devices are specifically at risk of being infected with this new threat.

According to Mr. Vykopal, the worm is resident in memory and does not survive hardware reboots. But this is unlikely to make much of a difference to the botnet, since networking devices are rarely restarted and, even if one is, it would get reinfected shortly afterwards.

The worm employs several propagation techniques including brute force attacks and exploiting vulnerabilities. Infected devices scan both the internal networks and the Internet for other potential targets and attempt to log into their administrative interface using the default credentials.

It is a well-known fact that a lot of people, particularly home users, fail to change the default passwords for their routers or cable modems. Last year, researchers from the Intrusion Detection Systems Lab at the Columbia University estimated that as many as six million vulnerable embedded network devices were connected to the Internet. Their study revealed that 41.62% of such devices were running on factory settings.

But, sometimes, ISPs are to blame just as much as home users. Back in October, we reported that Time Warner had mass-deployed tens of thousands of insecure routers to its customers. Not only that, but their set-ups also prevented users from securing the devices on their own.

According to the experts, the "Chuck Norris" botnet comprises MIPS-based devices spread across the globe, from routers to TV receivers. The army of zombie embedded systems is controlled from IRC and has crippling Denial of Service capabilities. The infected devices can also be commanded to replace the default DNS servers with some under the attacker's control.

A router-based botnet is rare, but not unprecedented. Last year in March, the team at DroneBL discovered a similar threat, which reached 80,000 clients before being destroyed by its maker. Given the striking similarities between the two, they might even be related.
_________________________

#115614 - 03/03/10 11:25 PM Re: Memory-Resident Malware Infects Routers [Re: dudster]
dudster Offline
Prime Rib

Registered: 09/14/00
Posts: 6830
Loc: www.infowars.com
Wireless Routers Running DD-WRT Vulnerable
Remotely exploitable vulnerability can give attackers root access


By Lucian Constantin, Web News Editor

22nd of July 2009, 13:52 GMT

A hacker has published details about a zero-day vulnerability found in the popular DD-WRT open source firmware for wireless routers. Exploiting the flaw is rather trivial and allows an attacker to execute arbitrary commands as root.

DD-WRT is a Linux-based firmware that can be installed on more than 200 wireless router models from a wide range of manufacturers, including big industry players such as Linksys, Netgear or D-Link. A significant number of knowledgeable users replace pre-installed router firmware with DD-WRT in order to extend the capabilities of their device.

A Bulgarian hacker going by the online handle of "gat3way" announced that all versions of the open source firmware up to V24 preSP2 contained a critical shell command injection flaw, which he described as a "weird vulnerability you're unlikely to see in 2009."

More specifically, the bug is located in DD-WRT's HTTPD daemon and, according to gat3way, it is the result of several poor architectural decisions. For example, the web interface will accept and execute commands passed directly via URLs, without requiring authentication, even if an authentication dialog does appear.

In addition, in keeping with gat3way, the HTTPD server runs as root, meaning that, by typing the http://routerIP/cgi-bin/;command, a shell command can be executed with the highest privileges. Remote attacks are not that straightforward, though, because the administration interface is not remotely accessible by default.

However, an attacker can bypass that limitation through cross-site request forgery (CSRF), and there are even ways to suppress the login dialog in order to make the attack transparent. "This means someone can even post some crafted [img] link on a forum and a dd-wrt router owner visiting the forum will get owned," gat3way warns.

According to The Register, Sebastian Gottschall, DD-WRT's founder and main developer, confirmed the vulnerability, but noted that the development team was not notified in advance of it being made public. He pointed out that the issue had been addressed in build 07-21-09-r12533 of the V24 preSP2 version.
_________________________
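
A defender-side check for the request shape described in the article above, as an added example that is not part of the original post or the article: it scans proxy logs for paths beginning with `/cgi-bin/;` and marks hits whose Referer is a different host, the CSRF route gat3way describes. The log format, the addresses and `forum.example` are constructed, and decoding percent-escapes is a normalization choice made here, not a claim about how DD-WRT's HTTPD parses URLs.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed proxy-log lines (not real traffic): client "METHOD URL PROTO" status "Referer"
SAMPLE_LOG = """\
10.0.0.23 "GET http://192.168.1.1/cgi-bin/;command HTTP/1.1" 200 "http://forum.example/thread/42"
10.0.0.23 "GET http://192.168.1.1/cgi-bin/%3Bcommand HTTP/1.1" 200 "-"
10.0.0.40 "GET http://192.168.1.1/index.asp HTTP/1.1" 401 "-"
10.0.0.41 "GET http://www.example.org/cgi-bin/search?q=a;b HTTP/1.1" 200 "-"
10.0.0.23 "GET http://192.168.1.1/cgi-bin/%253Bcommand HTTP/1.1" 200 "http://192.168.1.1/"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

def normalize(path, rounds=3):
    """Percent-decode repeatedly so an encoded ';' is compared in plain form."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_private(host):
    """True when host is a literal private-range IP address (typical router LAN IP)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def scan(log_text):
    """Return one finding per request whose path starts with /cgi-bin/;
    cross_site is True when the Referer names another host, i.e. the request
    was triggered by a third-party page rather than the router's own UI."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, _method, url, _status, referer = m.groups()
        target = urlsplit(url)
        if not normalize(target.path).startswith("/cgi-bin/;"):
            continue
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        findings.append({
            "line": lineno, "client": client, "target": target.hostname,
            "lan_target": is_private(target.hostname or ""),
            "cross_site": ref_host is not None and ref_host != target.hostname,
        })
    return findings
```

Running `scan(SAMPLE_LOG)` flags lines 1, 2 and 5 of the constructed log; only line 1 is marked `cross_site`, since its Referer is the forum page rather than the router itself.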

#115616 - 03/04/10 06:49 AM Re: Memory-Resident Malware Infects Routers [Re: dudster]
Thunderalley Offline

Leinie's Tester

Registered: 02/06/02
Posts: 19568
Loc: Suz's Cabin in Spread Eagle,WI
If I knew more about computers, I might be concerned.

shocked
_________________________
#1 thing to avoid saying to the police:

"Don’t fuck up my beer now!"



#115627 - 03/04/10 11:08 AM Re: Memory-Resident Malware Infects Routers [Re: Thunderalley]
mrhappy Offline
Prime Rib

Registered: 02/23/01
Posts: 4461
Loc: In My Happy Place!
Whoa... a botnet on DD-WRT would be fierce!!! There's millions of those suckers out there...
_________________________

#115631 - 03/04/10 01:50 PM Re: Memory-Resident Malware Infects Routers [Re: mrhappy]
dudster Offline
Prime Rib

Registered: 09/14/00
Posts: 6830
Loc: www.infowars.com
Yeah and I just acquired a Linksys WRT router 2 weeks ago from my dad and it has Tomato firmware on it. I hope it's not affected.
_________________________

#115767 - 03/08/10 08:59 PM Re: Memory-Resident Malware Infects Routers [Re: dudster]
moneyguru Offline
Prime Rib

Registered: 12/02/00
Posts: 10659
Loc: Between Mrs. MG's legs w/ came...
My router is running DD-WRT v24-sp2 (10/22/08) mega


fuck...... I bought it with this firmware on it, don't
relish having to upgrade the firmware
_________________________

#115786 - 03/09/10 09:35 AM Re: Memory-Resident Malware Infects Routers [Re: moneyguru]
dudster Offline
Prime Rib

Registered: 09/14/00
Posts: 6830
Loc: www.infowars.com
The firmware upgrade isn't hard to do.
Basically, download the new firmware. In the router menu there is a firmware option. Point it to the file and wait about 2 minutes for it to load.
_________________________

#115816 - 03/09/10 09:13 PM Re: Memory-Resident Malware Infects Routers [Re: dudster]
moneyguru Offline
Prime Rib

Registered: 12/02/00
Posts: 10659
Loc: Between Mrs. MG's legs w/ came...
Dudster,

I checked into the firmware update after my post, and I was
very glad to see they had the firmware update built in.

Now I need to find time to download the firmware and then
a window of opportunity to update it.

I use VOIP for my home office phone, and we stream a lot of
television programs. We constantly have something accessing das interweb.

DD-wrt sure is a nice firmware ....

MG
_________________________

#115876 - 03/10/10 10:50 PM Re: Memory-Resident Malware Infects Routers [Re: moneyguru]
dudster Offline
Prime Rib

Registered: 09/14/00
Posts: 6830
Loc: www.infowars.com
Tomato 1.27 Sun, 2009-11-29 11:44


We'll see if a new one gets in the next few weeks
_________________________
