Message-ID: <4B846B1F.8080406@linuxbox.org>
Date: Wed, 24 Feb 2010 01:56:15 +0200
From: Gadi Evron <ge@...uxbox.org>
To: "Adrian P." <ap@...citizen.org>
Cc: funsec <funsec@...uxbox.org>, full-disclosure@...ts.grok.org.uk,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: Chuck Norris Botnet and Broadband Routers

Adrian, thank you for sharing this with us.

	Gadi.


On 2/24/10 12:20 AM, Adrian P. wrote:
> It's no secret that there are tons of broadband routers/modems with
> exposed admin interfaces (HTTP/SSH/Telnet/whatever) using default/weak
> credentials.
>
> While the Chuck Norris botnet is interesting in that it shows that the
> problem is real, it shouldn't surprise anyone who has researched the
> security of broadband embedded devices.
>
> It's also not the first time an incident of this nature has happened.
> I'm sure a lot of the list readers remember the mass-phishing attack
> launched November 2007 [1] against several popular 2Wire broadband
> routers in Mexico. The attack was accomplished by means of changing
> the router's DNS settings via a CSRF hole on the web interface.
>
> A similar issue used to exist on the BT Home Hub and was reported in
> October 2007 [2] (a month earlier) where it was possible to compromise
> the router by tricking a user to visit a malicious page. The payload
> [3] would then exploit an authentication bypass and CSRF vulnerability
> in order to enable the "remote assistance" feature. (The intended
> purpose of this feature was to allow BT engineers to remotely
> troubleshoot home routers.) The attacker could then log in remotely to
> the router with admin privileges using a password of his choice (set
> in the actual exploit payload).
>
> And of course there is the infamous BeThere backdoor admin account
> reported in February 2007 which you mentioned in your article [4].
>
> The security of home-grade embedded devices has a long way to go. I
> think that the home router hacking challenge [5] [6] confirmed this by
> showing that many of these devices are affected by serious
> vulnerabilities, many of which are trivially exploitable.
>
> I couldn't agree more that ISPs do need to take responsibility and
> ensure that new modem/router builds are audited for common security
> issues before being distributed to their broadband customers.
>
>
> ap
>
> [1] http://www.hispasec.com/unaaldia/3313
> [2] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub/
> [3] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4/
> [4] http://blogs.securiteam.com/index.php/archives/826
> [5] http://www.gnucitizen.org/projects/router-hacking-challenge/
> [6] http://marc.info/?l=bugtraq&m=120441195905480&w=2
>
> On Mon, Feb 22, 2010 at 2:22 PM, Gadi Evron <ge@...uxbox.org> wrote:
>> Last week Czech researchers released information on a new worm which
>> exploits CPE devices (broadband routers) by means such as default passwords,
>> constructing a large DDoS botnet. Today this story hit international news.
>>
>> Original Czech:
>> http://praguemonitor.com/2010/02/16/czech-experts-uncover-global-virus-network
>>
>> English:
>> http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html
>>
>> When I raised this issue before in 2007 on NANOG, some other vetted mailing
>> lists and on CircleID, the consensus was that the vendors would not change
>> their position on default settings unless "something happens". I guess this
>> is it, but I am not optimistic about seeing activity from vendors on this now,
>> either.
>>
>> CircleID story 1:
>> http://www.circleid.com/posts/broadband_routers_botnets/
>>
>> CircleID story 2:
>> http://www.circleid.com/posts/broadband_router_insecurity/
>>
>> The spread of insecure broadband modems (DSL and cable) is extremely
>> widespread, with numerous ISPs, large and small, whose entire (read:
>> significant portions of) broadband population is vulnerable. In tests Prof.
>> Randy Vaughn and I conducted with some ISPs in 2007-8 the results have not
>> been promising.
>>
>> Further, many of these devices world wide serve as infection mechanisms for
>> the computers behind them, with hijacked DNS that points end-users to
>> malicious web sites.
>>
>> On the ISPs' end, much like in the early days of botnets, many service
>> providers did not see these devices as their responsibility -- even though
>> in many cases they are the providers of the systems, and these posed a
>> potential DDoS threat to their networks. As a mind-set, operationally taking
>> responsibility for devices located at the homes of end users made no sense,
>> and therefore the stance ISPs took on this issue was understandable, if
>> irresponsible.
>>
>> As we can't rely on the vendors, ISPs should step up, and at the very least
>> ensure that devices they provide to their end users are properly set up (a
>> significant number of ISPs already pre-configure them for support purposes).
>>
>> The Czech researchers have done a good job and I'd like to thank them for
>> sharing their research with us.
>>
>> In this article by Robert McMillan, some details are shared in English:
>>
>> ----------
>> Discovered by Czech researchers, the botnet has been spreading by taking
>> advantage of poorly configured routers and DSL modems, according to Jan
>> Vykopal, the head of the network security department with Masaryk
>> University's Institute of Computer Science in Brno, Czech Republic.
>>
>> The malware got the Chuck Norris moniker from a programmer's Italian comment
>> in its source code: "in nome di Chuck Norris," which means "in the name of
>> Chuck Norris." Norris is a U.S. actor best known for his martial arts films
>> such as "The Way of the Dragon" and "Missing in Action."
>>
>> Security experts say that various types of botnets have infected millions of
>> computers worldwide to date, but Chuck Norris is unusual in that it infects
>> DSL modems and routers rather than PCs.
>>
>> It installs itself on routers and modems by guessing default administrative
>> passwords and taking advantage of the fact that many devices are configured
>> to allow remote access. It also exploits a known vulnerability in D-Link
>> Systems devices, Vykopal said in an e-mail interview.
>>
>> A D-Link spokesman said he was not aware of the botnet, and the company did
>> not immediately have any comment on the issue.
>>
>> Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can
>> infect a MIPS-based device running the Linux operating system if its
>> administration interface has a weak username and password, he said. This
>> MIPS/Linux combination is widely used in routers and DSL modems, but the
>> botnet also attacks satellite TV receivers.
>> ----------
>>
>> Read more here:
>> http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html
>>
>> I will post updates on this as I discover them on my blog, under this same
>> post, here:
>> http://gadievron.blogspot.com/2010/02/chuck-norris-botnet-and-broadband.html
>>
>>         Gadi.
>>
>
>
>


-- 
Gadi Evron,
ge@...uxbox.org.

Blog: http://gevron.livejournal.com/
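The DNS-hijack-via-CSRF pattern that Adrian's reply describes (the 2Wire and BT Home Hub incidents: a malicious page the victim merely visits makes the browser POST to the router's web interface, and the router honours the request because the admin's session cookie rides along) is easier to reason about with both sides in code. The following is an added example, not code from the original post or from any vendor named in it. The router address (192.168.1.1), the /dns endpoint, the form field names and the attacker's hostname are all assumptions; the state-changing handler is shown once the way such firmware behaved and once with the two checks that defeat the cross-site submit.

```python
"""Simulated CSRF against a home router's web admin: vulnerable vs. hardened.

Constructed example. Router origin, endpoint path and form field names
(dns1, dns2, csrf_token) are assumptions, not any real device's interface.
"""
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the router


@dataclass
class Router:
    """Minimal router state: DNS servers plus logged-in admin sessions."""
    dns: tuple = ("192.168.1.1", "192.168.1.1")   # factory default: router proxies DNS
    sessions: dict = field(default_factory=dict)  # session id -> per-session CSRF token

    def login(self) -> str:
        """Admin logs in; returns the cookie value the browser will store."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def csrf_token(self, sid: str) -> str:
        """Token the admin page embeds in its own forms; a foreign page cannot read it."""
        return self.sessions[sid]


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict


def _session_of(router: Router, req: Request):
    """Return the valid session id carried in the Cookie header, or None."""
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value in router.sessions:
            return value
    return None


def vulnerable_dns_handler(router: Router, req: Request) -> int:
    """The 2007-era pattern: a valid session cookie is the only check."""
    if req.method != "POST" or req.path != "/dns":
        return 404
    if _session_of(router, req) is None:
        return 401
    router.dns = (req.form["dns1"], req.form["dns2"])
    return 200


def hardened_dns_handler(router: Router, req: Request) -> int:
    """Same endpoint with two independent CSRF defences."""
    if req.method != "POST" or req.path != "/dns":
        return 404
    sid = _session_of(router, req)
    if sid is None:
        return 401
    # 1. Modern browsers add Origin to cross-site POSTs; reject a foreign one.
    #    Older browsers omit it, so this check alone is not sufficient.
    origin = req.headers.get("Origin")
    if origin is not None and origin != ROUTER_ORIGIN:
        return 403
    # 2. Per-session secret the attacker's page cannot obtain (same-origin policy).
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, router.csrf_token(sid)):
        return 403
    router.dns = (req.form["dns1"], req.form["dns2"])
    return 200


def cross_site_post(sid: str, form: dict, send_origin: bool = True) -> Request:
    """What the victim's browser emits when a malicious page auto-submits
    <form action="http://192.168.1.1/dns" method="POST">: the router's cookie
    is attached (no SameSite attribute existed in 2007), and, on browsers that
    implement it, Origin names the attacker's site rather than the router."""
    headers = {"Cookie": f"sid={sid}"}
    if send_origin:
        headers["Origin"] = "http://attacker.example"   # constructed attacker host
    return Request("POST", "/dns", headers, dict(form))


def demo() -> dict:
    evil_dns = {"dns1": "203.0.113.53", "dns2": "203.0.113.54"}        # constructed
    good_dns = {"dns1": "198.51.100.1", "dns2": "198.51.100.2"}        # constructed
    out = {}

    r1 = Router()
    sid1 = r1.login()
    out["vulnerable_status"] = vulnerable_dns_handler(r1, cross_site_post(sid1, evil_dns))
    out["vulnerable_dns"] = r1.dns                      # hijacked

    r2 = Router()
    sid2 = r2.login()
    out["hardened_cross_site_status"] = hardened_dns_handler(r2, cross_site_post(sid2, evil_dns))
    out["hardened_old_browser_status"] = hardened_dns_handler(
        r2, cross_site_post(sid2, evil_dns, send_origin=False))
    out["hardened_dns_after_attack"] = r2.dns           # unchanged
    # Legitimate submit from the router's own admin page, token included.
    legit = Request("POST", "/dns",
                    {"Cookie": f"sid={sid2}", "Origin": ROUTER_ORIGIN},
                    {**good_dns, "csrf_token": r2.csrf_token(sid2)})
    out["hardened_legit_status"] = hardened_dns_handler(r2, legit)
    out["hardened_dns_after_legit"] = r2.dns
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The token check only helps if the state-changing endpoints genuinely require an authenticated session: the BT Home Hub chain described above paired the CSRF with an authentication bypass, which is exactly the case where a per-session token is never consulted. The Origin check is the cheaper of the two defences but cannot be relied on alone, since a browser that sends no Origin header at all has to be treated as either trusted or rejected, and rejecting it breaks the router's own admin page on that browser.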

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
