back to article Router-rooting malware pwns Linux-based network devices

Security researchers have discovered a rare strain of router-rooting malware that targets network devices running either Linux or Unix. The malware, which poses as an Executable and Linkable Format (ELF) file, carries out a brute-force attack on router user name-password pairs from compromised PCs. If successful, the malware …

COMMENTS

This topic is closed for new posts.
Happy

"routers from D-Link"

Well that's Virgin stuffed then! Their nasty, little free router is already set up with "admin/password" by default so I can see some busy days at Virgin getting those sorted out.

1
0
Bronze badge

Really?

I have Virgin but I just hook in direct to the cable modem which is on the line. Anything local network can't get to that point because the wireless router I use blocks such things (why would someone on the local WAN need to touch my cable modem? Unless there's a problem with my cable modem... in which case I have to be sitting in front of it to reboot it / re-cable it / test it anyway).

Seriously does ANYONE use the bundled junk that comes with an ADSL connection? Most people I know end up popping down to PC World (yuk!) and buying a better router as one of the first things they do when they get Internet. My workplace has dual-ADSL2+ business lines from BT. One of the routers they supplied hasn't even been out of the box, the other one only to see what junk they were peddling for installation (BT OpenZone = put router back in the box). And same config there - frontline routers (in this case a load-balancing Linux PC) connect to modems that *aren't* accessible from the local net in any way.

Stupid people with stupid hardware with stupid passwords running stupid security settings and doing stupid things despite incessant warnings. Amazing how much in the world of IT can be accounted for by that select group.

1
1
Silver badge

The new routers...

...are NetGear. They're still a bit crap though.

If I didn't rely on it so much, I'd risk a DD-WRT install. Heck, I may buy a second router so if I break it I am not stuffed.

0
0

The dlink ain't too bad

Actually, my draytek couldn't cope with the 50mbit, so I stuck with the dlink and stuck dd-wrt on it. Everything is very very reliable on it, and never needs a reboot (only if I start messing with settings, etc, even this dd-wrt seems not to need reboot for most settings). So I'd say the dlink routers virgin supply are not too bad!

0
0
Unhappy

@does ANYONE use the bundled junk that comes with an ADSL connection?

but you are an IT professional

@Stupid people with stupid hardware with stupid passwords running stupid security settings and doing stupid things

you mean non IT professional general public

7
0
Go

DD-WRT

I've installed DD-WRT on the WRT54G wireless routers. Works like a charm. Won't overcome the hardware's inherent desire to lock up after a few weeks of heavy use, so manual reboots are still required. :( At least it mitigates it some (they were locking up nearly daily before).

Wonder if a Buffalo DD-WRT-based cable modem is amongst the list of targets....

0
0
Silver badge
Happy

seriously

>Seriously does ANYONE use the bundled junk that comes with an ADSL connection

My next door neighbour will be, for a start. He's just been sold a talktalk service and they sent him a nice little box pre-programmed with his username, passworm, ssid, wpa key. He won't change any of it "in case they don't like me to". And why should he? This way when it goes tits up it will be their problem.

3
0
E 2
Linux

Easy fix for that manual reboot

Just telnet or ssh into your WRT54G and set up a cron job that reboots the router periodically!

0
0
Joke

I'm OK I think

So my dialup connection is safe?

0
0
Anonymous Coward

brute forces it from an already compromised PC? *yawn*

Not really a vulnerability in the router, more a case of stupid people using weak passwords and insecure computers.

8
0
Bronze badge
Linux

Note the true common theme...

Insecure PCs running MS Windows...

7
9
Anonymous Coward

I agree,

but this is a bit of a low-blow. No real need to bring MS into this. Their software is just the vector.

1
5
Stop

Insecure PCs

Insecure PCs by no means. Idiot users. It takes a lot of effort to get malware to install on a computer (2 "run" clicks, one for the download/save, one for the "you're being an idiot, you sure you want to run this malware?" popup), not to mention finding the virus in the first place.

3
3

poses as an Executable and Linkable Format (ELF) file

So, what is it really?

1
0
FAIL

FAIL troll...

paulc,

ELF_Tsunami is an ELF trojan that attempts to exploit or brute force the DWL-900 series routers, presumably to open ports and allow connection to the backdoor on the compromised Linux box.

It won't run on Windows.

4
2
Silver badge

ELF but how is it run?

True, according to the Trend Micro site it is indeed a Linux executable file.

But it is unclear just how it gets on to the user's PC, and then how it is made executable and finally run. Presumably you also need a major browser flaw to allow such a range of actions to run from a poisoned web site?

1
0
Silver badge

@Coyote

The trojan is an ELF executable, presumably for whichever processor runs in the Dlink router, but the vector to get it in there would appear to be a compromised MS Windows system that then attempts to brute-force access to the router. So there are actually two components, one of which infects a Windows system, and the second of which is installed on the router by the first.

6
0
Silver badge
Alert

To Coyote

You are missing the bigger picture.

It will run on the router that your Microsoft machine is plugged into which raises all sorts of security issues. A Trojan running on your router recording your traffic affects all the machines plugged into it regardless of OS.

Plus, not to mention router based web redirects to spyware laden websites WILL affect your Windows machine in time.

1
2
Anonymous Coward

It is a Windows problem

The Windows box gets compromised and then attempts a brute force attack on the router on its network and THEN that is compromised with the ELF binary. If the router has a quality password then the attempt will fail.

How is this NOT a Windows problem?

As mentioned below theoretically other OSs could be compromised but let's be realistic.

5
0
Dead Vulture

Parse error near "poses as an ELF file"

No, it really *is* an ELF file. ELF is just the format used by executable binary program files on Linux, so saying that it "poses as an ELF" means that you're claiming it poses as an executable program. Well, it could be doing that, if it was a shell or perl script or similar that was only pretending to be a real executable program, but according to the threat encyclopedia entry you linked to it isn't; it really is an executable binary.

4
0
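
An added example, not part of any comment in this thread or of Trend Micro's write-up: the distinction argued above (a real ELF binary versus a script or a Windows executable) can be checked from the first 20 bytes of a file. The sample headers are constructed for the demo and the machine table is a small subset of the ELF specification's values.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# Subset of e_machine / e_type values from the ELF specification.
MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}
TYPES = {1: "relocatable", 2: "executable", 3: "shared object/PIE", 4: "core"}

def triage(data: bytes) -> dict:
    """Classify a file by its leading bytes: script, PE, ELF, or unknown."""
    if data[:2] == b"#!":  # shell/perl script "pretending" to be a program
        interp = data[2:].split(b"\n", 1)[0].strip().decode(errors="replace")
        return {"kind": "script", "interpreter": interp}
    if data[:2] == b"MZ":  # DOS/Windows executable
        return {"kind": "pe"}
    if data[:4] != ELF_MAGIC:
        return {"kind": "unknown"}
    # e_ident[4] = class (1: 32-bit, 2: 64-bit), e_ident[5] = byte order
    if len(data) < 20 or data[4] not in (1, 2) or data[5] not in (1, 2):
        return {"kind": "malformed-elf"}
    endian = "<" if data[5] == 1 else ">"
    # e_type and e_machine are 16-bit fields right after the 16-byte e_ident
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "kind": "elf",
        "bits": 32 if data[4] == 1 else 64,
        "endian": "little" if data[5] == 1 else "big",
        "type": TYPES.get(e_type, hex(e_type)),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
    }

def make_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a constructed 20-byte ELF header prefix (demo input only)."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return ident + struct.pack(endian + "HH", e_type, e_machine)

if __name__ == "__main__":
    samples = {
        "big-endian MIPS binary": make_header(1, 2, 2, 8),
        "x86-64 binary": make_header(2, 1, 2, 62),
        "shell script": b"#!/bin/sh\necho hello\n",
        "Windows executable": b"MZ\x90\x00",
    }
    for name, blob in samples.items():
        print(f"{name}: {triage(blob)}")
```

The machine field is what tells an analyst which device class a dropped binary was built for; a binary built for one architecture will not execute on another, whatever its file permissions.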

Linux router routing malware

How does this router routing malware get onto the target system?

> ELF_TSUNAMI.R

> This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

> It connects to Internet Relay Check (IRC) servers.

> Exploits known vulnerability in the D-LINK DWL-9000AP+ Internet router

Well doh, I must stop downloading and installing unknown ELF files and allowing my servers to connect to IRC servers, whilst logged in as root ..

ref:

http://about-threats.trendmicro.com/Malware.aspx?language=us&name=ELF_TSUNAMI.R

2
1
WTF?

Reading Trend Micro announce

I wonder how someone in his right mind would trust this company? I know, the announce is made specifically for Windows users but, come on people from Trend Micro, anyone who has a minimal knowledge of Linux/Unix will smell the (security) farce.

How should I put this to you, an ELF file does not run on Windows. In order to bring it into my Linux device, I have to download it somehow and the Linux router would not help me with this. I would need a Windows machine (yes, a Linux, Mac or *BSD will do just fine but then there would be no point for your anti-virus scanning it). Then I'll have to get a shell on my router, preferably with root privileges, put my elf there and... no Windows fans, you can't just run it just because it's an executable, you'll have to modify its file attributes in order to make it really executable.

So as you can all see, a lot of hurdles for a poor Linux malware to do its devious deeds.

6
0
Thumb Up

LMFAO!

Chuck Norris Botnet!

I bet that packs a punch!

1
0

Routers running Unix?

I have trouble believing there are any routers running Unix.

0
8
Anonymous Coward

Ignorance must indeed be bliss...

I have trouble believing that anyone would use anything BUT an embedded *NIX O/S in a router... but they do. ASUS comes to mind.

1
0
Stop

UNIX

Last time I checked, Linux is neither a certified UNIX, nor was it derived from UNIX like the BSDs. Therefore it is merely UNIX-like.

So as the OP said, I doubt consumer routers use UNIX.

0
1
Pint

BSD count?

http://m0n0.ch/wall/

http://www.pfsense.org/

http://www.openbsd.org/papers/oreilly2000/

http://www.amazon.com/Building-Firewalls-OpenBSD-PF-2nd/dp/8391665119

0
0

@ysth

Hmm, let me see, so they run embedded Windows, do they... They run a Linux kernel. It's well disguised of course but nonetheless it is a Linux kernel. I got a D-Link somewhere that died or at least ended up needing rebooting every blinking day, don't think it could handle my 8mbit upgrade.

Mind you the router I have in at the moment I think I need to hard reset it got some unnamed port forwards most odd.

0
0
Pint

@Coyote re "exploit or brute force the DWL-900 series routers,"

The original article refers to DWL900AP+. DWL-900AP+ is not a router it is an AP (there's a hint in the name, chaps). And a rather old one at that, not one I expect to find in common use in 2011 - even I've got rid of mine.

The same hardware with a different badge was also one version of the Linksys WAP11 AP - you could swap firmware between them. 11 for 11Mbit, and WEP only. It's *that* old.

There is no meaningful detail in their article about how the malware actually gets to execute its brute force attacks on the router.

From the Trend Micro page:

"It connects to Internet Relay Check (IRC) servers."

I don't think so.

The AV cowboys don't know the difference between an AP and a router, and don't know what IRC is short for.

I tried to point this out on their "satisfaction survey: comments" page but it keeps losing my input.

Way to go, Trend Micro.

"I have trouble believing there are any routers running Unix."

Is a BSD a UNIX in your book? Is a Linux a UNIX in your book? A wide variety of BSD-based and Linux-based router software is available.

0
0
Gold badge
Coat

This is *so* wrong.

It's clearly a case of ELF abuse.

I know. I've had a lousy day.

0
0
Coat

ELF and Safety...

Surely?

0
0
Black Helicopters

DD-WRT

I'm one of those numpties with no programming knowledge. If I were to use DD-WRT on a Linksys WRT54G router, as my son does, would I be vulnerable?

0
0
Gold badge

Re: DD-WRT

Yes, and no, maybe.

The attack is just a brute force assault on whatever password is set for your router. As such, it wouldn't qualify as a vulnerability, were it not for the fact that most end-users probably have incredibly weak passwords on their routers. (Other commenters have noted the social reasons for this.)

To mitigate this risk, the default setting for all routers on the market (AFAIK) is to block administrative access from the internet-facing side. (There's almost no reason to let anyone configure your router from the outside!) Access is only permitted from the LAN side, where your own desktop computer is. So the point of this attack is to compromise a box on the LAN side, which is where Windows comes in, from where a brute force assault on the router password is at least possible. Then, once the router password is known, this ELF file is deployed. It's the payload, not the attack mechanism.

So you can see that if you are running Windows on the LAN side and your router is protected by a weak password and it is running something sufficiently Linux-like to allow the ELF to be dropped on it, you will be vulnerable.

But setting a decent password on your router will block the attack. Make up a really long one and write it down on a sticky label and stick it to the router. No malware can read sticky labels, but you can, so that's easily the best compromise between security and convenience.

1
0
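
An added example, not part of the comment above: a sketch of how the LAN-side brute force it describes would look in a router's admin-login log, and how to flag both the burst of failures and a successful login that follows it. The log format, addresses, timestamps and thresholds are constructed assumptions, not any vendor's real output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): one LAN host hammers the
# admin login and eventually gets in; another host mistypes once.
SAMPLE_LOG = "\n".join(
    [f"2011-03-10T09:00:{s:02d} httpd: login failed user=admin src=192.168.0.23"
     for s in range(1, 7)]
    + ["2011-03-10T09:00:07 httpd: login ok user=admin src=192.168.0.23",
       "2011-03-10T09:05:00 httpd: login failed user=admin src=192.168.0.10",
       "2011-03-10T09:05:09 httpd: login ok user=admin src=192.168.0.10"]
)

LINE = re.compile(r"^(\S+) httpd: login (failed|ok) user=(\S+) src=(\S+)$")

def detect(log: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Return (src, alert, timestamp) tuples for brute-force-like behaviour."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()               # sources that already tripped the threshold
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # ignore unrelated log lines
        ts = datetime.fromisoformat(m.group(1))
        outcome, src = m.group(2), m.group(4)
        if outcome == "failed":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "burst", ts))
        elif src in flagged:
            # A success after a burst means the password was likely guessed.
            alerts.append((src, "success-after-burst", ts))
    return alerts

if __name__ == "__main__":
    for src, kind, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {src} {kind}")
```

The "success-after-burst" alert is the one that warrants a password change and a firmware re-flash; the burst alert on its own points at the LAN host that needs cleaning.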
Grenade

Just plain old Bad Design

I was impressed by mum's commodity telco. Her new ADSL modem came with a proper hard password already set and a reference card with said password to be stored in a safe place.

It would not be hard for even the cheapest modem to make a password reset mandatory as soon as you log in to connect to your ISP.

1
0
FAIL

"Exploits known vulnerability in the D-LINK DWL-9000AP+ Internet router"

Known, but not identified by Trend?

Anyone know what Trend are really talking about here? The Trend-published info is just rubbish, and a quick search finds very little detail elsewhere.

1
0
Alert

Nearly killed me

Laughed when I saw it affected DLink - I have no respect for them anymore. Between being generally crap products, and having one of their power supplies fall apart in my hands while unplugging it (nearly killing me)... They're just not worth the effort.

0
0

web based?

Isn't this a web based program that tries to hack the modem from say last year?

0
0
FAIL

come on retards

Come on, it's not hard to fill in the gaps.

Your Windows box gets infected with malware. Said malware tries to brute force weak passwords on specific routers/APs. If successful it uploads an ELF binary to it, presumably so it can man in the middle you and report back to an IRC server for c&c.

0
0