Worm breeds botnet from home routers, modems

Security researchers have identified a sophisticated piece of malware that corrals consumer routers and DSL modems into a lethal botnet. The "psyb0t" worm is believed to be the first piece of malware to target home networking gear, according to researchers from DroneBL, which bills itself as a real-time monitor of abusable …

COMMENTS


  1. PReDiToR
    Alert

    How novel

    An attack vector that takes advantage of weak passwords? Who would have thought it?

    SRSLY. When will people learn that "password" is not the same as "Pa$sW0rD, is ... $eCuRe" ?

    Password Hasher (Firefox extension) makes seriously strong passwords. Up to 26 characters. Put "router" in as the site tag, your own unsalted phrase and out the other end you get a magnificent password that you don't actually have to remember; you can always recreate it from the two pieces of information you know.

  2. Kanhef
    Boffin

    weak passwords by default

    The standard username on home routers is 'admin'; on some it can't even be changed. The default password is almost always either 'password' or 'admin'. Most people will not change this. Clearly there is a problem here. It would be much better to use the router model as the username and serial number for the password. As long as the login page/prompt doesn't divulge anything about itself, the name/password space is too large for a brute-force attack to be effective.

  3. Adam Azarchs
    Stop

    Re: Password Hasher

    yes, and as soon as enough people start using password hasher, the password crackers will start running their passwords through the same hasher. It is, after all, just a hash. Much better to use a random password (as opposed to a hash, which only appears random to humans) and an app like PasswordSafe. Or better yet, public key login, which can be made arbitrarily secure by simply lengthening the key (modulo client security concerns. Yes, the private key password is still a concern, but if the attacker has access to the private key file you've already got problems).

  4. Anonymous Coward
    Anonymous Coward

    Password/admin

    Yes, the passwords for most routers are not changed, but then the web interface is usually, by default, only accessible from the user's side and the telnet etc. interfaces are usually disabled by default. In the 'default' case I'm still not sure how so many are taken over?

  5. Eugene Goodrich
    Paris Hilton

    What is non-obvious to us may be stark relief to hackers

    "As long as the login page/prompt doesn't divulge anything about itself..."

    Typically the login pages/prompts spill out the make, model, and even hardware revision of the device. And even if they didn't, attackers can work it out by how many bytes are in the page, how long the page takes to load, what the self-signed SSL cert looks like, and if necessary how the device responds to a carefully-selected smattering of invalid requests.

    We must assume bad guys know exactly what they're attacking. Or, the scripts they run do.

    It's not all doom and gloom, of course. Manufacturers hardened payphones and put ignition locks on cars; they can give home routers belts and suspenders as soon as they're sufficiently bothered. (Actually, most routers I've seen won't allow configuration from the WAN interface by default anyway. The customer has to be going in and turning that on, presumably at their ISP's tech support's direction...)

    Paris because she, too, divulges things about herself.

  6. Flocke Kroes Silver badge

    Kernel update time

    Many years ago when Windows zombies tried to brute force my machines, I wrote a small script to block access from any IP address for 10 minutes that failed 3 ssh logins in a minute. The dictionary-like attack stood no chance because my team used decent passwords (according to cracklib). The real purpose of the script was to reduce the amount of wasted bandwidth.

    These days, there are kernel modules to make the script superfluous. I am surprised modern routers do not use them.

    It would be nice if I could send an IP address to my ISP, and have it blocked there.
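The throttling rule described in this comment (3 failed ssh logins from one address within a minute, then block that address for 10 minutes), as an added Python example that is not the poster's script. The auth log lines are constructed for the example, and the year is assumed because the syslog format omits it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from the post); classic syslog/sshd layout.
SAMPLE_AUTH_LOG = """\
Mar 23 10:00:01 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 23 10:00:12 gw sshd[4012]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar 23 10:00:30 gw sshd[4013]: Failed password for invalid user test from 203.0.113.7 port 40141 ssh2
Mar 23 10:00:31 gw sshd[4014]: Failed password for invalid user admin from 203.0.113.7 port 40150 ssh2
Mar 23 10:03:00 gw sshd[4020]: Failed password for root from 198.51.100.9 port 51000 ssh2
Mar 23 10:05:00 gw sshd[4021]: Failed password for root from 198.51.100.9 port 51001 ssh2
Mar 23 10:07:00 gw sshd[4022]: Failed password for root from 198.51.100.9 port 51002 ssh2
Mar 23 10:09:00 gw sshd[4030]: Accepted publickey for alice from 192.0.2.5 port 5555 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, ip) for every failed-password line, in log order.
    The year is an assumption: syslog timestamps do not carry one."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


class FailedLoginBlocker:
    """Block an IP for `block_for` once it has `threshold` failures inside `window`."""

    def __init__(self, threshold=3, window=timedelta(minutes=1),
                 block_for=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self._recent = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> datetime when the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ts, ip):
        """Record one failure; return True if this failure triggers a new block."""
        if self.is_blocked(ip, ts):
            return False  # already blocked; nothing new to do
        q = self._recent[ip]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[ip] = ts + self.block_for
            q.clear()
            return True
        return False


def blocks_from_log(log_text, **kwargs):
    """Run the blocker over a log; return [(ip, block_expiry)] in trigger order.
    A real deployment would feed each triggered IP to the packet filter."""
    blocker = FailedLoginBlocker(**kwargs)
    events = []
    for ts, ip in parse_failures(log_text):
        if blocker.record_failure(ts, ip):
            events.append((ip, blocker.blocked_until[ip]))
    return events
```

The slow guesser at 198.51.100.9 (one failure every two minutes) never trips the one-minute window, which is exactly the trade-off the comment describes: the rule saves bandwidth against noisy dictionary attacks, and strong passwords do the rest.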

  7. Lee
    Stop

    This is not news...stop it.

    I've never heard of this type of attack before. Welcome to the Internet.

    "HEY, THE SKY IS FALLING. BUY MY SOFTWARE! (which has bugs)"

  8. TeeCee Gold badge
    Thumb Down

    @Kanhef

    "......serial number for the password."

    Really? Can it be that you've already forgotten the BT Home Hub fiasco? You know, where they did exactly this and forgot that a simple WLAN query in clear would get the thing to tell you what its serial number was (AFAIR a little beyond the necessary for WiFi spec, but certainly within the spirit of it)?

    "....router model as username....."

    Yup, obscure that. Given that a) a large number of models already use it as the SSID and b) again, the spec says that a WiFi access point should disclose the type of equipment in use when queried (which is where BT went the extra mile).

  9. Frank

    @Kanhef re. weak passwords

    "..the name/password space is too large for a brute-force attack to be effective."

    Using these two items as the 'out of the box' name/password combo is indeed a lot better than using 'admin/system' for every router sold. However, the namespace of your suggested combination is very much smaller than the English dictionary and is nicely structured to enable hackers to create a simple algorithm for a structured attack. People need to be educated to change the passwords.

    Made up words with numbers in them are best for home use and can be written neatly on a piece of paper and stuck to the bottom of the router. (You make the final three characters easily remembered and leave them off the written password so the kids can't crack it). This is all you need in a domestic setup.

  10. General A. Annoying
    Thumb Down

    Not only passwords...

    but usernames that can't be changed in some cases. (my router was 'admin' for both u/n & p/w, how nuts is that?)

  11. David Edwards
    Thumb Up

    Sky were good

    I was impressed that Sky put a unique and secure password on the router when they shipped it, with a sticker on the bottom. Fairly idiot-proof.

  12. Ash
    Flame

    Again...

    The problem is user education.

    I say those who get hacked should get fined. "OH NOEZ I JUZT WANTID MYSPASS DUN PUT MEZ IN JAILZORZ!!2!!11" isn't a defense. They need educating, and they just don't want to learn.

    Maybe making them culpable is the only way.

  13. Andraž Levstik

    @Adam Azarchs

    Considering it's a salted hash it's not that easy ;)

  14. Richard Kay
    Boffin

    hardware authenticators

    Software password security will only get you so far before the limited capacity of human password memory is insufficient for brute force password guessing techniques. Locking out a guesser temporarily after a certain number of bad guesses helps, but this adds complexity. The solution has to be a standardised protocol for hardware authenticators so that everyone can carry their own around on a keyring and plug it into a USB or use Bluetooth. This will use public key cryptography and an embedded secret key within a tamper resistant device which no-one needs to know.

    With enough support behind a fully open protocol the cost comes down to where every security application can implement it and everyone can carry one. If the key device can recognise the fingerprint of the owner so much the better.

  15. Anonymous Coward
    Anonymous Coward

    Salted? Hashed? Why bother?

    Why not some random characters, written on a Post-It note stuck to the modem? We're mostly talking home routers here, not businesses. Until they write a worm which can read my handwriting on the outside of the box, what more do you need?

    Dunno what the protocol is where these modems/routers are, but Sky here used to (may still do) issue routers with an admin password which they didn't tell you - but was widely known. As a result, users couldn't secure the router (well, unless they asked Google what the password was) but any hacker would have had no trouble getting into it. And the WEP (or WPA, can't remember) was also pre-set to SKYXXXX where XXXX were the last four digits of the serial number. Not that hard to brute-force!

  16. Conor Turton

    Easily defeated

    Reading up on it, one merely has to untick the box to allow remote administration, and then as long as local access can't be gained (via unsecured wifi for example), there's no chance of this happening.

  17. Anonymous Coward
    Anonymous Coward

    re. weak passwords by default

    The only problem with this scheme is that it would require the manufacturers to go through a process where they read the serial number from the device and input the serial number as the password into the device firmware before flashing it. This would potentially add a lot of cost (relatively speaking) to cheap devices.

    The idea of using model numbers won't work either as it only makes the default password slightly harder to guess than "password".

  18. Lionel Baden

    lol

    well I would say 40% of home routers are still

    admin

    admin

    But gj on setting up an attack from the actual routers :)

    I want my old ADSL modem back :) much better than these fancy-schmancy I try to do everything apart from making toast!

    Actually I would like a router that can make toast! Then it wouldn't look out of place in the kitchen!!

  19. Estariel

    Which stuff?

    Any chance we can hear which makes of modem, or which ISP/cable companies are affected?

  20. Anonymous Coward
    Anonymous Coward

    Customer PC

    I repaired a customer's PC last week - when I switched it on and watched the firewall logs, it tried the following against the default gateway address (caught by our firewall: IP addresses anonymised). Most of these appear to be router exploits.

    ==> /var/log/squid/access.log <==
    GET http://192.168./setup.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./st_device.html - DIRECT/192.168.33.1 text/html
    GET http://192.168./SysInfo.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./Status.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./setup.cgi? - DIRECT/192.168.33.1 text/html
    GET http://192.168./con_wel.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./ - DIRECT/192.168.33.1 text/html
    GET http://192.168./BAS_ether_h.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./index.asp - DIRECT/192.168.33.1 text/html
    GET http://192.168./index.php - DIRECT/192.168.33.1 text/html
    GET http://192.168./SetupDHCP.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./login.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./ - DIRECT/192.168.33.1 text/html
    GET http://192.168./cgi-bin/webcm? - DIRECT/192.168.33.1 text/html
    GET http://192.168./hpppoe.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./advance/ad-admin-system.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./install.asp - DIRECT/192.168.33.1 text/html
    GET http://192.168./hwizard.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./ - DIRECT/192.168.33.1 text/html
    GET http://192.168./help_Main.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./st_devic.html - DIRECT/192.168.33.1 text/html
    GET http://192.168./status.stm - DIRECT/192.168.33.1 text/html
    GET http://192.168./status.asp - DIRECT/192.168.33.1 text/html
    GET http://192.168./cgi-bin/webcm? - DIRECT/192.168.33.1 text/html
    GET http://192.168./start.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./Home/h_wizard.php - DIRECT/192.168.33.1 text/html
    GET http://192.168./index.html - DIRECT/192.168.33.1 text/html
    GET http://192.168./ - DIRECT/192.168.33.1 text/html
    GET http://192.168./install.asp - DIRECT/192.168.33.1 text/html
    GET http://192.168./hwizard.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./ - DIRECT/192.168.33.1 text/html
    GET http://192.168./help_Main.htm - DIRECT/192.168.33.1 text/html
    GET http://192.168./st_devic.html - DIRECT/192.168.33.1 text/html
    GET http://192.168./status.stm - DIRECT/192.168.33.1 text/html
    GET http://192.168./status.asp - DIRECT/192.168.33.1 text/html
    GET http://192.168./cgi-bin/webcm? - DIRECT/192.168.33.1 text/html
    GET http://192.168./start.htm - DIRECT/192.168.33.1 text/html
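A way to spot this LAN-side probing pattern in a proxy log, as an added Python example that is not the poster's own tooling: it flags any client that requests several different router admin/status pages on the default gateway. The page names come from the posted excerpt; the sample log lines, client addresses and timestamps are constructed, in squid's native access.log column layout, and the gateway address is a parameter.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Admin/status page names seen in the posted excerpt; the kind of paths a worm walks
# when fingerprinting a gateway. Not an exhaustive list, just the ones on the page.
ROUTER_ADMIN_PATHS = {
    "/setup.htm", "/st_device.html", "/SysInfo.htm", "/Status.htm", "/setup.cgi",
    "/con_wel.htm", "/BAS_ether_h.htm", "/index.asp", "/SetupDHCP.htm", "/login.htm",
    "/cgi-bin/webcm", "/hpppoe.htm", "/advance/ad-admin-system.htm", "/install.asp",
    "/hwizard.htm", "/help_Main.htm", "/st_devic.html", "/status.stm", "/status.asp",
    "/start.htm", "/Home/h_wizard.php", "/index.php", "/index.html",
}

# Constructed sample (not the poster's log). Columns: time elapsed client result
# bytes method URL ident hierarchy type. Client 192.168.33.50 probes; .77 is benign.
SAMPLE_ACCESS_LOG = """\
1237800000.101    12 192.168.33.50 TCP_MISS/200 1833 GET http://192.168.33.1/setup.htm - DIRECT/192.168.33.1 text/html
1237800000.205    10 192.168.33.50 TCP_MISS/404 412 GET http://192.168.33.1/st_device.html - DIRECT/192.168.33.1 text/html
1237800000.310     9 192.168.33.50 TCP_MISS/404 412 GET http://192.168.33.1/SysInfo.htm - DIRECT/192.168.33.1 text/html
1237800000.402    11 192.168.33.50 TCP_MISS/404 412 GET http://192.168.33.1/setup.cgi? - DIRECT/192.168.33.1 text/html
1237800000.512    15 192.168.33.50 TCP_MISS/200 2210 GET http://192.168.33.1/ - DIRECT/192.168.33.1 text/html
1237800000.603    10 192.168.33.50 TCP_MISS/404 412 GET http://192.168.33.1/cgi-bin/webcm? - DIRECT/192.168.33.1 text/html
1237800001.000   120 192.168.33.77 TCP_MISS/200 9731 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1237800002.000    30 192.168.33.77 TCP_MISS/200 2210 GET http://192.168.33.1/ - DIRECT/192.168.33.1 text/html
"""

LINE_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def admin_probes(log_text, gateway):
    """Return {client_ip: set of admin page paths that client requested on the gateway}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = urlsplit(m["url"])
        if u.hostname != gateway:
            continue
        path = u.path or "/"
        # The bare "/" is what any browser fetches; only the named admin pages count.
        if path in ROUTER_ADMIN_PATHS:
            hits[m["client"]].add(path)
    return hits


def flag_probing_hosts(log_text, gateway, min_distinct=3):
    """Clients that touched at least `min_distinct` different admin pages: a single
    machine has no reason to ask for setup pages of a dozen different router brands."""
    return sorted(ip for ip, paths in admin_probes(log_text, gateway).items()
                  if len(paths) >= min_distinct)
```

The threshold on distinct pages, rather than on request count, is what separates a walk through a brand list from a user reloading their router's status page.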

  21. g e

    Serial numbers

    Are pretty darn predictable, you'll only need to have one such router and its serial number to have the modelno (username) and a sequentially generated password by way of the serial number.

    Identify that model of router remotely (nmap will do this from its MAC over the internet?) and the rest is down to counting serial numbers till you get in...

    Not the best idea.

  22. Anonymous Coward
    Boffin

    How daft do you have to be

    How daft do router users/vendors need to be to allow logons (admin logons, ffs) from the Internet-facing side of the router, rather than from the LAN side?

    Is this really happening?

  23. Anonymous Coward
    Boffin

    That's pretty clever.

    You have to admit, that's actually pretty smart.

    Why bother compromising computers when you can compromise the network hardware itself? Leaving the average luser completely unaware that anything is amiss, at least until it's too late.

    Unlike most home computers, routers tend to be left on 24/7, presumably making for a much more reliable botnet. While I certainly don't approve of it, I take my hat off to the guys who have come up with this one.

  24. Anonymous Coward
    Anonymous Coward

    No Title

    Wouldn't the admin interface have to be accessible from the WAN side in order for this attack to work? So we are presumably looking at a relatively small number of vulnerable devices.

    Aside from the specific device detailed in the PDF how many other routers are vulnerable?

  25. Adrian Midgley

    write it on the router casing

    For this threat model, make a seriously complex unmemorable password, and write it on the label of the router.

    Cover that if you feel a need.

  26. hj

    Good thing you can check if you're infected

    By trying to log in to your router.... Personally I think it would be smarter to keep those ports open / daemons running. Cannot for the life of me remember when I opened a console on my router to check which processes were running. But if I can't get in anymore, I will just reset my machine.

  27. Anonymous Coward
    Anonymous Coward

    title

    It's a work of art.

    wow...just wow

  28. Toastan Buttar
    Thumb Up

    You've got to hand it to the malware creators.

    They do write some seriously cool hacks.

  29. Toastan Buttar
    Unhappy

    @Ash

    "The problem is user education."

    Nay, nay and thrice nay ! It's been shown that ISPs which serve the home market can ship routers which are plug-and-play yet secure out-of-the-box without requiring any user involvement. Blaming consumers for not knowing how to securely tie down a router is little more than trolling.

  30. Anonymous Coward
    Anonymous Coward

    Routers should be like DECT phones

    You can usually only register a DECT phone after physically pressing a button on the base station. Maybe routers should have a similar button that only allows remote access of any sort if instigated within, say, 5 minutes of the button being pressed.

  31. Dave Bell

    Everyone seems to do dumb things sometimes

    The default config on my old BT Voyager looks pretty decent. And I do my admin from a computer connected by ethernet. I also have various other settings tweaked at IP level, so I'm not in a crazy panic.

    I shall still check.

    It seems every company sometimes does something dumb, usually when some manager makes a pet idea stick. The trouble with the recession is that the BT/Phorm cabal are unlikely to see a better job, anywhere. Current dumbness is sticking.

  32. Charles
    IT Angle

    Re: Not only passwords...

    Usernames aren't the big issue. After all, the UNIX world has its 'root' and contemporary Windows have their 'Administrator' accounts. SOMEWHERE you need a "top user" account for the sake of logistics. 'admin' is no different. It's the password that's the big deal, but then again, we have to consider the memory retention of the average user. Scrambled passwords are hard to remember...as could be the means of recalling them. People keep telling others to use notepads or post-its or key fobs...that is until they realize people can lose THEM, too. How are you going to set up a system for authenticating the legitimate owner of the device without having to rely on a rather fickle aspect of the human mind?

  33. Chris

    LAN side...

    What's the potential for a machine on the LAN side inadvertently running a script which attacks the router from there?

  34. Filippo Silver badge

    Access from WAN

    Are there actually routers that allow admin access from the WAN side? Or is this trick based on infecting a computer on the LAN first?

  35. Robert Hill
    Thumb Down

    Finally, a router exploit

    I have been worried about some type of router exploit for some time, but I always figured it would take the form of hijacked flash upgrade from the router manufacturer's website, not an external attack.

    Fortunately, Be Online has put rather strong passwords assigned by default onto each of their routers, on a sticker - so I feel pretty safe. But it is a rather strong lesson to tighten up everything...the attacks are definitely getting stronger and more sophisticated....

  36. Peter Kay

    More sophisticated than URL probing

    Some of the attacks are somewhat more sophisticated than probing URLs, and can work even if the management interface is disabled on the WAN side. This is not news; what's news is that up until now it's a reasonably uncommon attack.

    The solution is to make sure the firmware is up to date, or if you're suitably paranoid, to put your router in bridging mode so the connection is terminated on a secure firewall; it then becomes quite tricky to access any admin functions on the router.

  37. Anonymous Coward
    Boffin

    @AC 09:30 re. weak passwords by default

    "The only problem with this scheme is that it would require the manufacturers to go through a process where they read the serial number from the device and input the serial number as the password into the device firmware before flashing it. This would potentially add a lot of cost (relatively speaking) to cheap devices." -- no it wouldn't.

    It is fairly standard practice in the electronics industry, when building anything with a Flash-programmed microcontroller, to load some special firmware for end-of-line testing. This doesn't do the job the widget is meant to do in real life, but merely reads the inputs and cycles the outputs. By coupling outputs back to inputs you can see if they are all functioning correctly -- not sticking at 0 or 1 -- and all operating independently -- only the output that's supposed to be on, is on. If the unit passes this test, it is then reflashed with the actual firmware as the final part of the procedure before an inspection label is printed; if the unit fails, it will be sent for manual rework, where a fixed amount of time is allotted to attempt to repair it before it is scrapped.

    It wouldn't be at all difficult to have the serial number and password updated automatically each time a unit was done.
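The end-of-line provisioning step this comment describes, as an added Python example rather than anything from a real production line. It addresses the objections raised earlier in the thread (g e and Frank: a serial-derived password is predictable once the serial sequence is known) by giving each unit a random password that is independent of its serial, printing it for the label, and writing only a salted PBKDF2 hash into the unit's configuration; the record layout and function names are assumptions for the example.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

PBKDF2_ITERATIONS = 100_000
PASSWORD_ALPHABET = string.ascii_letters + string.digits  # readable on a printed label
PASSWORD_LENGTH = 16


def generate_unit_password(length=PASSWORD_LENGTH):
    """Random per-unit admin password. Because it is drawn from a CSPRNG rather than
    derived from the serial, knowing one unit's serial (or the whole sequence) reveals
    nothing about any other unit's password."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def make_credential_record(password, salt=None):
    """What the flashing station writes to the unit's config partition: salt plus a
    PBKDF2-SHA256 hash. The cleartext exists only on the printed label."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record, attempt):
    """Firmware-side login check against the stored record (constant-time compare)."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def provision_unit(serial):
    """One pass of the end-of-line step: returns (label_text, config_record).
    The serial is still printed and stored, but it is not a secret and is not
    used as one."""
    password = generate_unit_password()
    record = make_credential_record(password)
    record["serial"] = serial
    label = f"S/N {serial}  admin password: {password}"
    return label, record


def password_entropy_bits(length=PASSWORD_LENGTH, alphabet=PASSWORD_ALPHABET):
    """Guessing space of the label password, for comparison with a serial-derived one
    (four trailing digits of a serial give only log2(10**4), about 13.3 bits)."""
    return length * math.log2(len(alphabet))
```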

  38. Anonymous Coward
    Coat

    Denial of service

    >Once the malware takes hold, it locks legitimate users out of the device by blocking telnet, sshd, and web access. It then makes the devices part of a botnet.

    With such a behaviour it cannot be much of a threat. The worm simply begs for a reset. A worm like that isn't worth the salt on its hash.

  39. Anonymous Coward
    Anonymous Coward

    May be connected

    We use a reasonably strong password on our router (now very strong!) but did recently observe extraordinarily high upload usage that we couldn't explain at the time. Suspect a connection to this worm in retrospect. Perhaps we weren't actually hacked, but this was just the extra traffic that attempts generated, which probably would skew towards heavier upload than download from our point of view.

  40. Anonymous Coward
    Anonymous Coward

    re Again...

    "the users are stupid and should be punished" is a recurring feature on this forum.

    How many people know (or care) what a router is? How many of those know that it's even got a password? Why on earth would anyone even think about changing its user/pass? You might as well tell someone who's just bought a kettle to change the fuse on it because the bad guys might have compromised the original one. Then there'd be a load of techies up in arms about users not RTFM, saying they ought to be hung etc etc.

    It's a consumer durable. It's meant to work properly. It hasn't been made so you can go around bragging about how clever you are, the customer has paid good money so they can achieve their aims; get over yourselves.

    What we have here, my geekies, is a crap piece of kit and some manufacturers that need putting out of business.

  41. Nigel
    Flame

    Give us back our write-protect switches!

    When are manufacturers of embedded devices going to give us back the write-protect switch?!

    This is a consequence of penny-pinching at its worst. In the good old days, firmware always used to be protected. To re-flash a device one had to manually un-protect it, flash it, and re-protect it. With the switch shipped in "protect", any device-hacking could be un-done just by resetting or power-cycling the device. But the switch cost five cents and "confused the users". So to increase profits, and to make users who drool feel happier, they did away with it. Now, the pigeons are coming home to roost.

    It's not just bankers who should have a retrospective 90% tax applied to them. Anyone who sanctioned the removal of an essential and fool-proof safety measure to save a few cents should be taxed into poverty. Or worse. And the legislators should mandate that any device with flash-able firmware should once again be equipped with a manually operated write-protect switch.

  42. steogede
    Stop

    @Conor Turton and Re: How Daft...

    > Reading up on it, one merely has to untick the box to allow remote administration and then as long as local access can't be gained (via unsecured wifi for example) , then there's no chance of this happening. (Conor)

    > How daft do router users/vendors need to be to allow logons (admin logons, ffs) from the Internet-facing side of the router, rather than from the LAN side? (How daft)

    Virtually all routers have 'remote configuration' turned off by default (however there are some manufacturers who are stupid enough to leave it turned on by default). As AC@09:53 demonstrated, the most likely attack vector for a worm like this isn't directly over the Internet. Rather, it will first infect a PC, then infect the router from the LAN side using the obvious password which hasn't been changed because either the user or the manufacturer thinks that the LAN is safe.

    Unticking the remote administration box is a good idea, if you aren't planning to use it. However the most important thing to do (as everyone has said), is to ensure that you set a strong password. Assuming the manufacturer hasn't left any undocumented back doors, you will be much safer (you may want to check this with nmap and/or a good search engine).

  43. Anonymous Coward
    Alert

    You saw it all here first..

    Yes that's right folks, I predicted this very thing about 18 months ago in these very comments on an El Reg story.... maybe some influential people are reading these comments too!

    anon 'cos it were not me who wrote this nasty...

  44. Mike Gravgaard

    Dect phone idea:

    I was thinking along the same lines - why not just have a setup button or write protect button on the bottom/side of the router and possibly, whilst you're at it, a reset to factory defaults button on all routers.

    Mike

  45. Ken Baker
    Thumb Down

    Not so smart after all...

    Read the research paper folks:

    "Several revisions of the NB5 modem shipped with a flaw which meant that the web configuration interface was visible from the WAN side, accepting connections and allowing users to administer the modem using the default username and password of 'admin' from outside the LAN. Furthermore, some of these modems suffered from another flaw, meaning that by default, authentication was not enabled for the web interface – meaning no username or password was required."

    It wouldn't take Keanu Reeves with a cable in his head to crack that ...

  46. Si

    Locking users out of the web interface

    Seems like a bad idea by the malware authors to me as it just means you immediately know when the router has been compromised. Far better to leave it seemingly working correctly leaving the users blissfully unaware...

  47. andy gibson

    The problem IS user education

    Why blame the router manufacturers? They get it in the neck if their equipment is too hard for the average PC owner to set up, they get it in the neck from us if the passwords are too easy.

    You don't blame Ford if someone in a Fiesta ploughs into a queue of people at a bus stop.

  48. The Fuzzy Wotnot
    Thumb Down

    Hardly surprising...

    For you geek-inclined, take a stroll around your local IP neighbourhood one evening with a copy of nmap, you will be amazed at what's out there! Unlocked routers, printers, anonymous FTP servers, NAS servers simply hooked up with admin/admin as the login and dozens of PCs direct attached to "da net" with all ports ready for the killing, barely hanging in there with their out-of-date MS firewall up, giving the illusion of security to the ill-fated user on the other side!

    This is hardly news, this is just another problem caused by allowing the world and their dog to join "da net". Should be like Radio Ham, you need to prove you have a minimum of understanding before you attach to the network, if using anything more technological than a TV based browser device!

  49. Anonymous Coward
    Anonymous Coward

    WAN side...

    It's not WAN side, it's from the LAN the computer gets infected and they go from there.

    Because people don't run virus killers or the windows malware removal doo-dah on their router, the infection is safer there than on the machine.

    Come on, it's not hard is it?

  50. Anonymous Coward
    Anonymous Coward

    Grok WAN or not...

    "It's not WAN side, it's from the LAN the computer gets infected and they go from there."

    That's obvious *now*, from the *comments* (eg yours and the one re server logs etc).

    Why wasn't it obvious from the *article*?
