Kaspersky: Beware Chuck Norris-inspired router malware
- — 17 August, 2011 13:07
Besides humans that don't change default passwords, the lowest hanging fruit are embedded Linux devices in routers.
The re-emergence of router malware designed to turn internet gateways into a botnet piece is a reminder for home and business users that PC security is just one point of vulnerability, according to Kaspersky Labs researchers.
Routers remain one of the weakest points in IT security, thanks to the technical knowledge required to secure the router and that they usually come with a default password that is rarely changed once in the hands of a consumer.
“The most important things to do in order to protect the router are to change the password, secure the router's settings and update the firmware to the latest version,” Kaspersky Labs researcher Marta Janus writes in a detailed analysis of router malware and vulnerabilities, published Tuesday.
While devices inside routers have been paid less attention by malware writers than Windows PCs, many users fail to realise the potential damage caused by default passwords, which attackers are using to break into systems.
An attack on a router could leak network traffic, allow an attacker to listen in on VoIP conversations, steal encryption keys, provide a backdoor to internal networks or change the site a user visits by typing a URL into the browser, otherwise knowns as changing DNS settings.
The Psyb0t router malware discovered in 2009 was designed for Linux-based systems running MIPSel, which Janus points out is at the core of most non-mobile networking equipment.
“Attacks via MIPS devices are relatively new and have enormous potential to do significant damage,” warned Janus.
Psyb0t was just the first of a string of malware threats targeting routers that have appeared over the past four years. It preceded the default-password-seeking “Chuck Norris”, and the latest incarnation of router malware, Hydra.
Hydra, according to Janus, was spawned out of an open source distributed denial of service (DDoS) tool that appeared in 2008, which used a built-in list of default passwords or a D-Link authentication exploit to break in to the router.
The tool relied on commands that were managed by internet relay chat (IRC), similar to Psyb0t, which added features to scanned for network devices that still used a default password and if that failed, would launch an exploit aimed at uncovering the device’s configuration file and password in plain text.
“This vulnerability concerns several different devices, of which D-Link and Telecom are but two, and although it was fixed in newer versions users who have older hardware are still vulnerable to such attacks.”
The command and control centre of Chuck Norris, a likely offspring due to its characteristics and the fact it attacked the same platform, was discovered to have been located in Italy in 2009.
It too attempted to gain access to the router by testing default passwords but was shut down “before any information about it appeared in the public domain”, according to Janus.
Then came Hydra in March 2010 and was named Backdoor.Linux.Tsunami by Kaspersky Labs because it was similar to an open source DDoS tool, Linux Kaiten/Tsunami.
Although it was also similar to Chuck Norris, a new feature the authors of the malware threw in were instructions to change the DNS (domain name system) settings, which would affect a device’s address book of the web.
Building defences against such attacks will take a two-pronged approach from vendors and consumers.
While consumers should change passwords and check their firmware is current, vendors needed to implement randomly-generated default passwords for each device.