| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Feb 2010 10:12:23 -0300 From: "marcelojunior@...erig.com.br" <marcelojunior@...erig.com.br> To: full-disclosure@...ts.grok.org.uk Subject: Re: Chuck Norris Botnet and Broadband Routers (Marcelo Jr) That reminds me the last H2HC where presentation showing hundreds of Telco routers with none or weak authentication were accessed... Detail> the cost for intrusion was only a bridged wi-fi anthena... Truly I see no efforts from ISPs or Telcos in place (at least in Brazil)... > Send Full-Disclosure mailing list submissions to > full-disclosure@...ts.grok.org.uk > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.grok.org.uk/mailman/listinfo/full-disclosure > or, via email, send a message with subject or body 'help' to > full-disclosure-request@...ts.grok.org.uk > > You can reach the person managing the list at > full-disclosure-owner@...ts.grok.org.uk > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Full-Disclosure digest..." > > > Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you. > > > Today's Topics: > > 1. Re: Chuck Norris Botnet and Broadband Routers (Adrian P.) > 2. Kojoney (SSH honeypot) remote DoS (Nicob) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 23 Feb 2010 22:20:53 +0000 > From: "Adrian P." <ap@...citizen.org> > Subject: Re: [Full-disclosure] Chuck Norris Botnet and Broadband > Routers > To: Gadi Evron <ge@...uxbox.org> > Cc: funsec <funsec@...uxbox.org>, full-disclosure@...ts.grok.org.uk, > "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> > Message-ID: > <10e6de611002231420g263ab3fbl5b2f514474a5ceb1@...l.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > It's no secret that there are tons of broadband routers/modems with > exposed admin interfaces (HTTP/SSH/Telnet/whatever) using default/weak > credentials. > > While the Chuck Norris botnet is interesting in that it shows that the > problem is real, it shouldn't surprise anyone who has researched the > security of broadband embedded devices. > > It's also not the first time an incident of this nature has happened. > I'm sure a lot of the list readers remember the mass-phishing attack > launched November 2007 [1] against several popular 2Wire broadband > routers in Mexico. The attack was accomplished by means of changing > the router's DNS settings via a CSRF hole on the web interface. > > A similar issue used to exist on the BT Home Hub and was reported in > October 2007 [2] (a month earlier) where it was possible to compromise > the router by tricking a user to visit a malicious page. The payload > [3] would then exploit an authentication bypass and CSRF vulnerability > in order to enable the "remote assistance" feature. (The intended > purpose of this feature was to allow BT engineers to remotely > troubleshoot home routers.) The attacker could then login remotely to > the router with admin privileges using a password of his choice (set > in the actual exploit payload). > > And of course there is the infamous BeThere backdoor admin account > reported in February 2007 which you mentioned in your article [4]. > > The security of home-grade embedded devices has a long way to go. I > think that the home router hacking challenge [5] [6] confirmed this by > showing that many of these devices are affected by serious > vulnerabilities, many of which are trivially exploitable. > > I couldn't agree more that ISPs do need to take responsibility and > ensure that new modem/router builds are audited for common security > issues before being distributed to their broadband customers. > > > ap > > [1] http://www.hispasec.com/unaaldia/3313 > [2] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub/ > [3] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4/ > [4] http://blogs.securiteam.com/index.php/archives/826 > [5] http://www.gnucitizen.org/projects/router-hacking-challenge/ > [6] http://marc.info/?l=bugtraq&m=120441195905480&w=2 > > On Mon, Feb 22, 2010 at 2:22 PM, Gadi Evron <ge@...uxbox.org> wrote: > >> Last week Czech researchers released information on a new worm which >> exploits CPE devices (broadband routers) by means such as default passwords, >> constructing a large DDoS botnet. Today this story hit international news. >> >> Original Czech: >> http://praguemonitor.com/2010/02/16/czech-experts-uncover-global-virus-network >> >> English: >> http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html >> >> When I raised this issue before in 2007 on NANOG, some other vetted mailing >> lists and on CircleID, the consensus was that the vendors will not change >> their position on default settings unless "something happens", I guess this >> is it, but I am not optimistic on seeing activity from vendors on this now, >> either. >> >> CircleID story 1: >> http://www.circleid.com/posts/broadband_routers_botnets/ >> >> CircleID story 2: >> http://www.circleid.com/posts/broadband_router_insecurity/ >> >> The spread of insecure broadband modems (DSL and Cable) is extremely >> wide-spread, with numerous ISPs, large and small, whose entire (read >> significant portions of) broadband population is vulnerable. In tests Prof. >> Randy Vaughn and I conducted with some ISPs in 2007-8 the results have not >> been promising. >> >> Further, many of these devices world wide serve as infection mechanisms for >> the computers behind them, with hijacked DNS that points end-users to >> malicious web sites. >> >> On the ISPs end, much like in the early days of botnets, many service >> providers did not see these devices as their responsibility -- even though >> in many cases they are the providers of the systems, and these posed a >> potential DDoS threat to their networks. As a mind-set, operationally taking >> responsibility for devices located at the homes of end users made no sense, >> and therefore the stance ISPs took on this issue was understandable, if >> irresponsible. >> >> As we can't rely on the vendors, ISPs should step up, and at the very least >> ensure that devices they provide to their end users are properly set up (a >> significant number of iSPs already pre-configure them for support purposes). >> >> The Czech researchers have done a good job and I'd like to thank them for >> sharing their research with us. >> >> In this article by Robert McMillan, some details are shared in English: >> >> ---------- >> Discovered by Czech researchers, the botnet has been spreading by taking >> advantage of poorly configured routers and DSL modems, according to Jan >> Vykopal, the head of the network security department with Masaryk >> University's Institute of Computer Science in Brno, Czech Republic. >> >> The malware got the Chuck Norris moniker from a programmer's Italian comment >> in its source code: "in nome di Chuck Norris," which means "in the name of >> Chuck Norris." Norris is a U.S. actor best known for his martial arts films >> such as "The Way of the Dragon" and "Missing in Action." >> >> Security experts say that various types of botnets have infected millions of >> computers worldwide to date, but Chuck Norris is unusual in that it infects >> DSL modems and routers rather than PCs. >> >> It installs itself on routers and modems by guessing default administrative >> passwords and taking advantage of the fact that many devices are configured >> to allow remote access. It also exploits a known vulnerability in D-Link >> Systems devices, Vykopal said in an e-mail interview. >> >> A D-Link spokesman said he was not aware of the botnet, and the company did >> not immediately have any comment on the issue. >> >> Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can >> infect an MIPS-based device running the Linux operating system if its >> administration interface has a weak username and password, he said. This >> MIPS/Linux combination is widely used in routers and DSL modems, but the >> botnet also attacks satellite TV receivers. >> ---------- >> >> Read more here: >> http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html >> >> I will post updates on this as I discover them on my blog, under this same >> post, here: >> http://gadievron.blogspot.com/2010/02/chuck-norris-botnet-and-broadband.html >> >> ? ? ? ?Gadi. >> >> > > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists