DDoS botnet hijacks thousands of routers

News by Rene Millman

Tens of thousands of poorly-configured home and business routers have been infected with malware and recruited into a massive botnet.

According to research carried out by security firm Incapsula, routers with outdated firmware and default passwords that haven't been changed since purchase have become the target of an anonymous group of hackers.

The attack was first discovered at the tail end of December last year. Almost all the routers appear to be from a single US vendor, Ubiquiti. Hackers can log into the routers using the default username and password to access admin functions on the router. In addition, these routers also allow remote access to HTTP and SSH via the default ports.

Once compromised, the hackers can infect routers with malware, such as the MrBlack malware (a.k.a. Trojan.Linux.Spike.A). The researchers looked at 13,000 samples of malware and discovered evidence of other DDoS files including Dofloo and Mayday, which are also used for DDoS attacks.

These weaknesses opened up the routers to eavesdropping, man-in-the-middle attacks and cookie hijacking, and gave hackers the ability to gain access to other devices on the local network.

The compromised routers then scan for other such devices to take over, creating a “self-sustaining” botnet. This is done by executing shell scripts that search for devices with open SSH ports which can be accessed using default credentials.

“Facilitating the infiltration, all of these under-secured routers are clustered in the IP neighbourhoods of specific ISPs that provide them in bulk to end-users. For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective,” the firm said in a blog, “Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defence mechanisms.”
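A defensive consequence of the clustering described in the quote above is that a per-IP login threshold never fires when each router in a neighbourhood tries only once or twice, while aggregating by /24 prefix makes the same scan visible. The Python script below is an added example, not code from Incapsula or this article; it parses constructed OpenSSH auth-log lines (the addresses are documentation ranges, not real sources) and flags prefixes whose combined failed logins cross a threshold even though no single IP does.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample sshd lines in auth.log format (not taken from the article).
# Five distinct hosts in one /24 each fail once; a single legitimate user fails once then succeeds.
SAMPLE_LOG = """\
Jan 28 03:14:01 gw sshd[2011]: Failed password for root from 203.0.113.10 port 40122 ssh2
Jan 28 03:14:03 gw sshd[2012]: Failed password for admin from 203.0.113.11 port 40123 ssh2
Jan 28 03:14:05 gw sshd[2013]: Failed password for root from 203.0.113.12 port 40124 ssh2
Jan 28 03:14:07 gw sshd[2014]: Failed password for admin from 203.0.113.13 port 40125 ssh2
Jan 28 03:14:09 gw sshd[2015]: Failed password for root from 203.0.113.14 port 40126 ssh2
Jan 28 03:15:00 gw sshd[2016]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jan 28 03:15:30 gw sshd[2017]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")


def parse_failures(log_text):
    """Yield (username, source IP) for every failed SSH password attempt in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), ipaddress.ip_address(m.group(2))


def per_ip_alerts(log_text, threshold=3):
    """Classic per-source rate limiting: return IPs with at least `threshold` failures."""
    counts = Counter(ip for _user, ip in parse_failures(log_text))
    return {str(ip): n for ip, n in counts.items() if n >= threshold}


def distributed_scan_sources(log_text, prefix_len=24, per_ip_threshold=3, per_prefix_threshold=5):
    """Return /prefix_len networks whose aggregate failures reach per_prefix_threshold
    while every member IP individually stays below per_ip_threshold (i.e. what per-IP checks miss)."""
    per_ip = Counter(ip for _user, ip in parse_failures(log_text))
    per_prefix = defaultdict(list)
    for ip, n in per_ip.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_prefix[net].append(n)
    flagged = {}
    for net, member_counts in per_prefix.items():
        total = sum(member_counts)
        if total >= per_prefix_threshold and all(n < per_ip_threshold for n in member_counts):
            flagged[str(net)] = {"sources": len(member_counts), "failures": total}
    return flagged


if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(SAMPLE_LOG))            # {} - nothing fires
    print("per-prefix alerts:", distributed_scan_sources(SAMPLE_LOG))
```

In a real deployment the prefix length would be tuned to the ISP allocations seen in the logs, and the flagged prefix fed to the rate limiter or firewall instead of the individual IPs.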

Traffic was recorded from 40,269 IPs belonging to 1,600 ISPs worldwide. The IP addresses belonged to 60 command and control systems used by perpetrators to remotely direct malicious traffic. More than 85 percent of all the compromised routers are located in Thailand and Brazil, while the majority of the command and control servers are in the US (21 percent) and China (73 percent).

The researchers said that while the attack shared similarities with previous attacks by Lizard Stresser, a botnet run by a hacker group known as the Lizard Squad, Lizard Stresser and this botnet don't appear to be one and the same.

Each botnet uses a different type of malware to control its bots, but attacks have been carried out at largely the same time.

“It should be pointed out that none of these circumstantial correlations offer any hard evidence of the groups' involvement.”

“If anything, they present us with several open questions about the possible evolution of Lizard Squad's botnet resources and the existence of copycats that are following in the group's footsteps,” said the researchers.

Ken Munro, senior partner at Pen Test Partners, told SCMagazineUK.com that if everything is working for a home user, they will have no incentive to go and look for patches – even if the vendor has published them – so non-disruptive attacks consequently have a much bigger attack surface to play with.

“Manufacturers need to do more work on securing such devices before they are shipped. This means being careful with things like Universal Plug n Play and administration interfaces – that is, ensure the default settings are set to a safe state, so external administration should be disabled when shipped,” said Munro.

“It's also important to be extremely security conscious when developing the router because it's much easier to get things right first time than it is to get everyone to apply updates in the field,” he added.

“It may be possible to sell a managed service, where a user purchases the router, which then regularly checks for updates with the manufacturer – but you would need to make the auto-update explicit so the user is aware of this.”

Shahar Tal, malware and vulnerability research manager at Check Point, told SC: “For hardware like routers, the patch propagation cycle for fixing vulnerabilities in embedded software is incredibly slow, often taking years before updates are available, and usually relies on the user applying the patch manually as they are not downloaded automatically. This gives attackers a large window of opportunity.”

“Like we saw with the ‘Misfortune Cookie’ flaw that was identified in over 12 million routers worldwide, in late 2014, hackers can exploit these vulnerabilities to control devices and plant further exploits. So organisations need to ensure they have a two-way firewall installed on all computers on their network, to block malicious activity from a hacked router, and should also consider adding privacy to browsing by using HTTPS connections to encrypt all browser activity,” said Tal.

James Maude, security engineer at Avecto, told SC that the problem is vendors are not learning from previous mistakes.

“In 1988 the Morris Worm infected computers and exploited remote connections and weak credentials. Now, in 2015 we really should have addressed these issues.”

“Often vendors rely on security through obscurity and hope that no one will notice their implementations, let alone exploit them. Some even commit the sin of rolling their own crypto libraries and authentication methods rather than using proven technologies. This is a dangerous game to play and with the growing number of internet connected devices, vendors are playing Russian roulette with end users' security.”

Rafe Pilling, principal security consultant at Dell SecureWorks added that the economics of delivering a low cost service or product at scale made security the victim of cost and convenience.

“Routers are deployed with weak or default credentials making them particularly easy. In addition administration interfaces, which allow the devices to be managed or reconfigured, are made available to the internet, possibly to make it easier for the legitimate service provider to access them or possibly just due to lax hardening procedures,” he said.

“It is considered bad practice to make any device's administration interface internet accessible and in situations where this is unavoidable, access should be protected by an additional layer of authentication, such as having to authenticate to a firewall before being allowed access to the device's administration interface.”

Szilard Stange, director at Opswat, told SC that users should regularly check vendors' web pages for new firmware releases and install these updates as soon as possible.

“In parallel, every customer should carefully review device configurations and stop unused services, turn on encryption if possible and change all passwords to a strong one.”
