Persistent router botnets on the horizon, researcher says at Defcon

Tool released at Defcon makes firmware backdooring easier for certain router models

Security researcher Michael Coppola demonstrated how small and home office (SOHO) routers can be compromised and turned into botnet clients by updating them with backdoored versions of vendor-supplied firmware.

Coppola, who is a security consultant at Virtual Security Research (VSR), gave a crash course in router firmware backdooring -- a complicated process that requires reverse engineering skills -- at the Defcon hacker conference on Sunday.

During the talk he also released a tool called the Router Post-Exploitation Framework (rpef) that automates the firmware backdooring process for several popular router models from different vendors.

The devices supported by rpef include: Netgear WGR614, WNDR3700 and WNR1000; Linksys WRT120N; TRENDnet TEW-651BR and TEW-652BRP; D-Link DIR-601 and Belkin F5D7230-4.

Only specific versions of these routers can be backdoored with the framework and some require more testing. However, the list of supported devices will be extended in the future.

Rpef can add several payloads to the router firmware: a root bind shell, a network sniffer or a botnet client that connects to a predefined IRC (Internet Relay Chat) server where it can receive different commands from the attacker, including one to launch a denial-of-service attack.

Writing the backdoored firmware onto a device -- a process also known as flashing -- can be done through the Web-based administration interfaces of most routers and a remote attacker can abuse this feature in several ways.

One method is to scan the Internet for routers that make their Web-based administration interface accessible remotely. This is not the default setting in many routers today, but a lot of devices configured like this are available on the Internet.

Once these devices have been identified, the attacker could attempt to use the default vendor-supplied password, brute force the password or exploit authentication bypass vulnerabilities to get in. There are websites that specialize in tracking and documenting router default administrative credentials and vulnerabilities.

"I've done port scans and there are huge netblocks with thousands of IP addresses of open routers that are listening remotely to the Internet with default passwords," Coppola said.

However, even when the Web interface is not exposed to the Internet, there are ways to flash routers with rogue firmware remotely.

In a presentation at the Black Hat security conference on Thursday, security researchers Phil Purviance and Joshua Brashars, who work for the security consultancy AppSec Consulting, showed how known JavaScript attacks can be combined with new HTML5-based techniques to flash the DD-WRT Linux-based custom firmware onto a user's router when the user visits a malicious website.

There are already JavaScript-based scripts available that can enumerate local network devices through a victim's browser and even determine the type, make and model of those devices -- a technique known as device fingerprinting.

Determining the victim's internal network IP address cannot be done with JavaScript alone, but plug-in based content like Java can be used for this purpose, Purviance and Brashars said.

Once a router has been identified, the attacker can attempt to access its Web interface through the victim's browser by using default credentials or by launching a cross-site request forgery (CSRF) attack that piggybacks on the victim's active session.

If the victim logged into the router's Web interface with the same browser in the past and their session cookie is still active, the attacker can simply direct the victim's browser to perform an action in the router's interface without the need for authentication.

A lot of routers, especially older ones that haven't been updated with new firmware, don't have CSRF protection.

Purviance and Brashars demonstrated how new browser features like XMLHttpRequest Level 2 (XHR2), Cross-Origin Resource Sharing (CORS) and the HTML5 File API can be used to download a rogue firmware file into the user's browser and then flash the router with it without any user interaction. This was not possible in the past with JavaScript and older browser technologies, the two researchers said.
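The cross-site request forgery path described above works only because many router administration interfaces accept a firmware upload on the strength of a live session cookie alone. The following is an added example, not code from rpef, DD-WRT or any vendor firmware: a simulated admin endpoint in Python, once in the weak form and once hardened with the two checks a practitioner would expect, an Origin check against the router's own origin and a per-session anti-CSRF token that a page on another origin cannot read. The router address, request shapes and firmware blobs are constructed for the demonstration.

```python
"""Constructed example: a simulated SOHO router firmware-upload endpoint,
in a CSRF-vulnerable form and in a hardened form. Not any vendor's code."""
import secrets
from dataclasses import dataclass, field

# Assumed LAN origin of the router's admin interface (hypothetical value).
ROUTER_ORIGIN = "http://192.168.1.1"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the admin CGI would see it."""
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


class RouterAdmin:
    """Simulated admin interface holding sessions and accepted firmware images."""

    def __init__(self):
        self.sessions = {}          # session id -> {"user": ..., "csrf": ...}
        self.flashed_images = []    # images the endpoint accepted for flashing

    def login(self, user):
        """Create a session and a random per-session anti-CSRF token."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid):
        """Token the legitimate admin page embeds in its upgrade form."""
        return self.sessions[sid]["csrf"]

    def _session(self, req):
        return self.sessions.get(req.cookies.get("SESSIONID"))

    def upgrade_weak(self, req):
        """Vulnerable form: a valid session cookie is the only requirement.
        The browser attaches that cookie to a POST triggered by any site the
        victim visits, so a cross-site upload is accepted."""
        if req.method != "POST" or self._session(req) is None:
            return 403, "forbidden"
        self.flashed_images.append(req.form.get("image"))
        return 200, "flashing"

    def upgrade_hardened(self, req):
        """Hardened form: same session check plus Origin and token checks."""
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 403, "forbidden"
        # Browsers add an Origin header to cross-site POSTs; anything that is
        # not the router's own origin is rejected outright.
        origin = req.headers.get("Origin")
        if origin is not None and origin != ROUTER_ORIGIN:
            return 403, "cross-origin request rejected"
        # The per-session token lives in the admin page, which the same-origin
        # policy keeps unreadable from another site, so a forged request lacks it.
        token = req.form.get("csrf_token")
        if token is None or not secrets.compare_digest(token, sess["csrf"]):
            return 403, "missing or invalid CSRF token"
        self.flashed_images.append(req.form.get("image"))
        return 200, "flashing"


def run_demo():
    """Replay one legitimate and one forged upload against both handlers."""
    router = RouterAdmin()
    sid = router.login("admin")
    cookies = {"SESSIONID": sid}  # the browser sends this on every request

    # Constructed legitimate request from the router's own admin page.
    legit = Request("POST", "/upgrade.cgi", {"Origin": ROUTER_ORIGIN}, cookies,
                    {"image": b"VENDOR_IMAGE", "csrf_token": router.csrf_token(sid)})
    # Constructed cross-site request: the cookie rides along automatically, but
    # the triggering page carries its own Origin and cannot supply the token.
    cross_site = Request("POST", "/upgrade.cgi", {"Origin": "http://attacker.invalid"},
                         cookies, {"image": b"ROGUE_IMAGE"})

    weak_status = router.upgrade_weak(cross_site)[0]            # 200: accepted
    hardened_cross = router.upgrade_hardened(cross_site)[0]     # 403: rejected
    hardened_legit = router.upgrade_hardened(legit)[0]          # 200: accepted
    return weak_status, hardened_cross, hardened_legit, router.flashed_images


if __name__ == "__main__":
    print(run_demo())
```

The Origin check alone is not enough: a request without an Origin header (older browsers, non-browser clients) still has to carry the session-bound token, which is why the hardened handler requires both. The same reasoning is why a firmware admin interface should never answer with a permissive Access-Control-Allow-Origin header: with CORS opened up, the XHR2-based flow the researchers describe could read responses as well as send uploads.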

Their demonstration used DD-WRT, which has the drawback of resetting the router's user-defined settings and can be detected easily because it presents a different interface.

However, their attack can easily be combined with the backdoored firmware produced by Coppola's tool. Instead of DD-WRT, one can upload a backdoored firmware and it will look exactly the same as the original one, Coppola said.

Even the user-defined settings can be retained. Most routers offer the option to retain settings when performing a firmware update, Coppola said. Those settings are stored on a separate memory chip called NVRAM (non-volatile random-access memory) that doesn't get overwritten when you flash the firmware, he said.

"There's a lot of opportunity for people to make massive botnets just from routers," Coppola said. "I actually do think that this is going to start emerging and I don't mean that in a sensational way."

Router-based botnets are not just a concept. Back in 2009, DroneBL, an organization that tracks the IP addresses of infected computers, discovered a worm that was infecting routers and DSL modems running the mipsel Debian distribution.

In 2011, researchers from antivirus vendor Trend Micro came across a similar piece of malware that was spreading in Latin America and was targeting D-Link routers.

In both cases, the malware used brute force attacks and default credentials to compromise the routers and install a temporary botnet client that was removed when the routers rebooted.

With the backdoored firmware created by Coppola's tool, the infection persists when the device is restarted and the rootkit-type malware running on the device is actually hidden.

The reason why router botnets are not yet common is that the proper tools to create them didn't exist, Coppola said. A separate tool presented at Defcon on Friday called the Firmware Reverse Engineering Konsole (FRAK) really increases the level of analysis that people can do on firmware, he said.

Stories by Lucian Constantin