DDoS botnet hijacks thousands of routers
DDoS botnet hijacks thousands of routers

According to researcher carried out by security firm Incapsula, routers with outdated firmware and default passwords that haven't been changed since purchase have become the target of an anonymous group of hackers.

The attack was first discovered at the tail end of December last year. Almost all the routers appear to be from a single US vendor Ubiquiti. Hackers can log into the routers using a default username and password to access admin functions on the router. Secondly, these routers also allow remote access to HTTP and SSH via default ports.  

Once compromised, the hackers can infect routers with malware, such as the MrBlack malware (a.k.a. Trojan.Linux.Spike.A). The researchers looked at 13,000 samples of malware and discovered evidence of other DDoS files including Dofloo and Mayday, which are also used for DDoS attacks.

These vulnerabilities opened up the routers to eavesdropping, man-in-the-middle attacks, cookie hijack, and gave hackers the ability to gain access to other local network devices.

The compromised routers than scan for other such devices to take over, creating a “self-sustaining” botnet. This is done by executing shell scripts, searching for devices having open SSH ports which can be accessed using default credentials.

“Facilitating the infiltration, all of these under-secured routers are clustered in the IP neighbourhoods of specific ISPs that provide them in bulk to end-users. For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective,” the firm said in a blog, “Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defence mechanisms.”

Traffic was recorded from 40,269 IPs belonging to 1,600 ISPs worldwide. The IP addresses belonged to 60 command and control systems used by perpetrators to remotely direct malicious traffic. More than 85 percent of all the compromised routers are located in Thailand and Brazil, while the majority of the command and control servers are in the US (21 percent) and China (73 percent).

The researchers said that while the attack shared similarities with previous attacks by and a botnet run by a hacker group known as the Lizard Squad, Lizard Stresser and this botnet don't appear to be one and the same.

Each botnet uses a different type of malware to control the botnets, but attacks have been carried at largely the same time.

“It should be pointed out that none of these circumstantial correlations offer any hard evidence of the groups' involvement.”

“If anything, they present us with several open questions about the possible evolution of Lizard Squad's botnet resources and the existence of copycats that are following in the groups footsteps,” said the researchers.

Ken Munro, senior partner at Pen Test Partners told SCMagazineUK.com that if everything is working for a home user, they will have no incentive to go and look for patches – even if the vendor has published them – so non-disruptive attacks consequently have a much bigger attack surface to play with.

“Manufacturers need to do more work on securing such devices before they are shipped. This means being careful with things like Universal Plug n Play and administration interfaces – that is, ensure the default settings are set to a safe state, so external administration should be disabled when shipped,” said Munro.

“It's also important to be extremely security conscious when developing the router because it's much easier to get things right first time than it is to get everyone to apply updates in the field,” he added.