Kaspersky: Beware Chuck Norris-inspired router malware


Besides humans who don't change default passwords, the lowest-hanging fruit is the embedded Linux devices inside routers.

The re-emergence of router malware designed to turn internet gateways into a botnet piece is a reminder for home and business users that PC security is just one point of vulnerability, according to Kaspersky Labs researchers.

Routers remain one of the weakest points in IT security: securing one takes technical knowledge most users lack, and routers usually ship with a default password that is rarely changed once in the hands of a consumer.

“The most important things to do in order to protect the router are to change the password, secure the router's settings and update the firmware to the latest version,” Kaspersky Labs researcher Marta Janus writes in a detailed analysis of router malware and vulnerabilities, published Tuesday.

While malware writers have paid less attention to the embedded devices inside routers than to Windows PCs, many users fail to realise the potential damage caused by default passwords, which attackers are using to break into systems.

An attack on a router could leak network traffic, allow an attacker to listen in on VoIP conversations, steal encryption keys, provide a backdoor to internal networks, or redirect a user who types a URL into the browser to a different site, otherwise known as changing the DNS settings.

The Psyb0t router malware discovered in 2009 was designed for Linux-based systems running MIPSel, which Janus points out is at the core of most non-mobile networking equipment.

“Attacks via MIPS devices are relatively new and have enormous potential to do significant damage,” warned Janus.

Psyb0t was just the first of a string of malware threats targeting routers that have appeared over the past four years. It preceded the default-password-seeking “Chuck Norris” and the latest incarnation of router malware, Hydra.

Hydra, according to Janus, was spawned out of an open source distributed denial of service (DDoS) tool that appeared in 2008, which used a built-in list of default passwords or a D-Link authentication exploit to break into the router.

The tool relied on commands issued over internet relay chat (IRC), similar to Psyb0t, which added features to scan for network devices that still used a default password and, if that failed, to launch an exploit aimed at uncovering the device’s configuration file and password in plain text.

“This vulnerability concerns several different devices, of which D-Link and Telecom are but two, and although it was fixed in newer versions, users who have older hardware are still vulnerable to such attacks.”

The command and control centre of Chuck Norris, a likely offspring of Psyb0t given its characteristics and the fact that it attacked the same platform, was discovered to have been located in Italy in 2009.

It too attempted to gain access to the router by testing default passwords but was shut down “before any information about it appeared in the public domain”, according to Janus.

Then came Hydra in March 2010, which Kaspersky Labs named Backdoor.Linux.Tsunami because of its similarity to an open source DDoS tool, Linux Kaiten/Tsunami.

Although it was also similar to Chuck Norris, a new feature the malware's authors threw in was an instruction to change the DNS (domain name system) settings, in effect rewriting a device’s address book of the web.

Building defences against such attacks will take a two-pronged approach from vendors and consumers.

While consumers should change passwords and check that their firmware is current, vendors need to implement randomly generated default passwords for each device.

Stories by Liam Tung