Re: Chuck Norris Botnet and Broadband Routers



It's no secret that there are tons of broadband routers/modems with
exposed admin interfaces (HTTP/SSH/Telnet/whatever) using default/weak
credentials.

While the Chuck Norris botnet is interesting in that it shows that the
problem is real, it shouldn't surprise anyone who has researched the
security of broadband embedded devices.

It's also not the first time an incident of this nature has happened.
I'm sure a lot of the list readers remember the mass-phishing attack
launched November 2007 [1] against several popular 2Wire broadband
routers in Mexico. The attack was accomplished by means of changing
the router's DNS settings via a CSRF hole on the web interface.

A similar issue used to exist on the BT Home Hub and was reported in
October 2007 [2] (a month earlier) where it was possible to compromise
the router by tricking a user to visit a malicious page. The payload
[3] would then exploit an authentication bypass and CSRF vulnerability
in order to enable the "remote assistance" feature. (The intended
purpose of this feature was to allow BT engineers to remotely
troubleshoot home routers.) The attacker could then login remotely to
the router with admin privileges using a password of his choice (set
in the actual exploit payload).

And of course there is the infamous BeThere backdoor admin account
reported in February 2007 which you mentioned in your article [4].

The security of home-grade embedded devices has a long way to go. I
think that the home router hacking challenge [5] [6] confirmed this by
showing that many of these devices are affected by serious
vulnerabilities, many of which are trivially exploitable.

I couldn't agree more that ISPs do need to take responsibility and
ensure that new modem/router builds are audited for common security
issues before being distributed to their broadband customers.


ap

[1] http://www.hispasec.com/unaaldia/3313
[2] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub/
[3] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4/
[4] http://blogs.securiteam.com/index.php/archives/826
[5] http://www.gnucitizen.org/projects/router-hacking-challenge/
[6] http://marc.info/?l=bugtraq&m=120441195905480&w=2

On Mon, Feb 22, 2010 at 2:22 PM, Gadi Evron <ge@xxxxxxxxxxxx> wrote:
Last week Czech researchers released information on a new worm which
exploits CPE devices (broadband routers) by means such as default passwords,
constructing a large DDoS botnet. Today this story hit international news..

Original Czech:
http://praguemonitor.com/2010/02/16/czech-experts-uncover-global-virus-network

English:
http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html

When I raised this issue before in 2007 on NANOG, some other vetted mailing
lists and on CircleID, the consensus was that the vendors will not change
their position on default settings unless "something happens", I guess this
is it, but I am not optimistic on seeing activity from vendors on this now,
either.

CircleID story 1:
http://www.circleid.com/posts/broadband_routers_botnets/

CircleID story 2:
http://www.circleid.com/posts/broadband_router_insecurity/

The spread of insecure broadband modems (DSL and Cable) is extremely
wide-spread, with numerous ISPs, large and small, whose entire (read
significant portions of) broadband population is vulnerable. In tests Prof.
Randy Vaughn and I conducted with some ISPs in 2007-8 the results have not
been promising.

Further, many of these devices world wide serve as infection mechanisms for
the computers behind them, with hijacked DNS that points end-users to
malicious web sites.

On the ISPs end, much like in the early days of botnets, many service
providers did not see these devices as their responsibility -- even though
in many cases they are the providers of the systems, and these posed a
potential DDoS threat to their networks. As a mind-set, operationally taking
responsibility for devices located at the homes of end users made no sense,
and therefore the stance ISPs took on this issue was understandable, if
irresponsible.

As we can't rely on the vendors, ISPs should step up, and at the very least
ensure that devices they provide to their end users are properly set up (a
significant number of iSPs already pre-configure them for support purposes).

The Czech researchers have done a good job and I'd like to thank them for
sharing their research with us.

In this article by Robert McMillan, some details are shared in English:

----------
Discovered by Czech researchers, the botnet has been spreading by taking
advantage of poorly configured routers and DSL modems, according to Jan
Vykopal, the head of the network security department with Masaryk
University's Institute of Computer Science in Brno, Czech Republic.

The malware got the Chuck Norris moniker from a programmer's Italian comment
in its source code: "in nome di Chuck Norris," which means "in the name of
Chuck Norris." Norris is a U.S. actor best known for his martial arts films
such as "The Way of the Dragon" and "Missing in Action."

Security experts say that various types of botnets have infected millions of
computers worldwide to date, but Chuck Norris is unusual in that it infects
DSL modems and routers rather than PCs.

It installs itself on routers and modems by guessing default administrative
passwords and taking advantage of the fact that many devices are configured
to allow remote access. It also exploits a known vulnerability in D-Link
Systems devices, Vykopal said in an e-mail interview.

A D-Link spokesman said he was not aware of the botnet, and the company did
not immediately have any comment on the issue.

Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can
infect an MIPS-based device running the Linux operating system if its
administration interface has a weak username and password, he said. This
MIPS/Linux combination is widely used in routers and DSL modems, but the
botnet also attacks satellite TV receivers.
----------

Read more here:
http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html

I will post updates on this as I discover them on my blog, under this same
post, here:
http://gadievron.blogspot.com/2010/02/chuck-norris-botnet-and-broadband.html

       Gadi.




--
pagvac | GNUCITIZEN.org
PGP Key ID: 0x6B232C7C



Relevant Pages

  • Re: [Full-disclosure] Chuck Norris Botnet and Broadband Routers
    ... While the Chuck Norris botnet is interesting in that it shows that the ... routers in Mexico. ... wide-spread, with numerous ISPs, large and small, whose entire (read ... The malware got the Chuck Norris moniker from a programmer's Italian comment ...
    (Full-Disclosure)
  • Re: [Full-disclosure] Chuck Norris Botnet and Broadband Routers
    ... While the Chuck Norris botnet is interesting in that it shows that the ... security of broadband embedded devices. ... routers in Mexico. ... The malware got the Chuck Norris moniker from a programmer's Italian comment ...
    (Full-Disclosure)
  • Chuck Norris Botnet and Broadband Routers
    ... Last week Czech researchers released information on a new worm which exploits CPE devices (broadband routers) by means such as default passwords, constructing a large DDoS botnet. ... The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: "in nome di Chuck Norris," which means "in the name of Chuck Norris." ...
    (Bugtraq)
  • Re: [Full-disclosure] Chuck Norris Botnet and Broadband Routers (Marcelo Jr)
    ... Telco routers with none or weak authentication were accessed... ... Chuck Norris Botnet and Broadband ...
    (Full-Disclosure)
  • Re: Anybody Come Across A Weird Redirect?
    ... If you haven't changed the default password on your home router, you may be in for an unwanted visit from Chuck Norris -- the Chuck Norris botnet, that is. ... Discovered by Czech researchers, the botnet has been spreading by taking advantage of poorly configured routers and DSL modems, according to Jan Vykopal, the head of the network security department with Masaryk University's Institute of Computer Science in Brno, Czech Republic. ...
    (microsoft.public.security.virus)