lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4B8525B7.8020707@superig.com.br>
Date: Wed, 24 Feb 2010 10:12:23 -0300
From: "marcelojunior@...erig.com.br" <marcelojunior@...erig.com.br>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Chuck Norris Botnet and Broadband Routers
	(Marcelo Jr)

That reminds me the last H2HC where presentation showing hundreds of 
Telco routers with none or weak authentication were accessed...
Detail> the cost for intrusion was only a bridged wi-fi anthena...
Truly I see no efforts from ISPs or Telcos in place (at least in Brazil)...
> Send Full-Disclosure mailing list submissions to
> 	full-disclosure@...ts.grok.org.uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
> 	full-disclosure-request@...ts.grok.org.uk
>
> You can reach the person managing the list at
> 	full-disclosure-owner@...ts.grok.org.uk
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.
>
>
> Today's Topics:
>
>    1. Re: Chuck Norris Botnet and Broadband Routers (Adrian P.)
>    2. Kojoney (SSH honeypot) remote DoS (Nicob)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 23 Feb 2010 22:20:53 +0000
> From: "Adrian P." <ap@...citizen.org>
> Subject: Re: [Full-disclosure] Chuck Norris Botnet and Broadband
> 	Routers
> To: Gadi Evron <ge@...uxbox.org>
> Cc: funsec <funsec@...uxbox.org>, full-disclosure@...ts.grok.org.uk,
> 	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
> Message-ID:
> 	<10e6de611002231420g263ab3fbl5b2f514474a5ceb1@...l.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> It's no secret that there are tons of broadband routers/modems with
> exposed admin interfaces (HTTP/SSH/Telnet/whatever) using default/weak
> credentials.
>
> While the Chuck Norris botnet is interesting in that it shows that the
> problem is real, it shouldn't surprise anyone who has researched the
> security of broadband embedded devices.
>
> It's also not the first time an incident of this nature has happened.
> I'm sure a lot of the list readers remember the mass-phishing attack
> launched November 2007 [1] against several popular 2Wire broadband
> routers in Mexico. The attack was accomplished by means of changing
> the router's DNS settings via a CSRF hole on the web interface.
>
> A similar issue used to exist on the BT Home Hub and was reported in
> October 2007 [2] (a month earlier) where it was possible to compromise
> the router by tricking a user to visit a malicious page. The payload
> [3] would then exploit an authentication bypass and CSRF vulnerability
> in order to enable the "remote assistance" feature. (The intended
> purpose of this feature was to allow BT engineers to remotely
> troubleshoot home routers.) The attacker could then login remotely to
> the router with admin privileges using a password of his choice (set
> in the actual exploit payload).
>
> And of course there is the infamous BeThere backdoor admin account
> reported in February 2007 which you mentioned in your article [4].
>
> The security of home-grade embedded devices has a long way to go. I
> think that the home router hacking challenge [5] [6] confirmed this by
> showing that many of these devices are affected by serious
> vulnerabilities, many of which are trivially exploitable.
>
> I couldn't agree more that ISPs do need to take responsibility and
> ensure that new modem/router builds are audited for common security
> issues before being distributed to their broadband customers.
>
>
> ap
>
> [1] http://www.hispasec.com/unaaldia/3313
> [2] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub/
> [3] http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4/
> [4] http://blogs.securiteam.com/index.php/archives/826
> [5] http://www.gnucitizen.org/projects/router-hacking-challenge/
> [6] http://marc.info/?l=bugtraq&m=120441195905480&w=2
>
> On Mon, Feb 22, 2010 at 2:22 PM, Gadi Evron <ge@...uxbox.org> wrote:
>   
>> Last week Czech researchers released information on a new worm which
>> exploits CPE devices (broadband routers) by means such as default passwords,
>> constructing a large DDoS botnet. Today this story hit international news.
>>
>> Original Czech:
>> http://praguemonitor.com/2010/02/16/czech-experts-uncover-global-virus-network
>>
>> English:
>> http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html
>>
>> When I raised this issue before in 2007 on NANOG, some other vetted mailing
>> lists and on CircleID, the consensus was that the vendors will not change
>> their position on default settings unless "something happens", I guess this
>> is it, but I am not optimistic on seeing activity from vendors on this now,
>> either.
>>
>> CircleID story 1:
>> http://www.circleid.com/posts/broadband_routers_botnets/
>>
>> CircleID story 2:
>> http://www.circleid.com/posts/broadband_router_insecurity/
>>
>> The spread of insecure broadband modems (DSL and Cable) is extremely
>> wide-spread, with numerous ISPs, large and small, whose entire (read
>> significant portions of) broadband population is vulnerable. In tests Prof.
>> Randy Vaughn and I conducted with some ISPs in 2007-8 the results have not
>> been promising.
>>
>> Further, many of these devices world wide serve as infection mechanisms for
>> the computers behind them, with hijacked DNS that points end-users to
>> malicious web sites.
>>
>> On the ISPs end, much like in the early days of botnets, many service
>> providers did not see these devices as their responsibility -- even though
>> in many cases they are the providers of the systems, and these posed a
>> potential DDoS threat to their networks. As a mind-set, operationally taking
>> responsibility for devices located at the homes of end users made no sense,
>> and therefore the stance ISPs took on this issue was understandable, if
>> irresponsible.
>>
>> As we can't rely on the vendors, ISPs should step up, and at the very least
>> ensure that devices they provide to their end users are properly set up (a
>> significant number of iSPs already pre-configure them for support purposes).
>>
>> The Czech researchers have done a good job and I'd like to thank them for
>> sharing their research with us.
>>
>> In this article by Robert McMillan, some details are shared in English:
>>
>> ----------
>> Discovered by Czech researchers, the botnet has been spreading by taking
>> advantage of poorly configured routers and DSL modems, according to Jan
>> Vykopal, the head of the network security department with Masaryk
>> University's Institute of Computer Science in Brno, Czech Republic.
>>
>> The malware got the Chuck Norris moniker from a programmer's Italian comment
>> in its source code: "in nome di Chuck Norris," which means "in the name of
>> Chuck Norris." Norris is a U.S. actor best known for his martial arts films
>> such as "The Way of the Dragon" and "Missing in Action."
>>
>> Security experts say that various types of botnets have infected millions of
>> computers worldwide to date, but Chuck Norris is unusual in that it infects
>> DSL modems and routers rather than PCs.
>>
>> It installs itself on routers and modems by guessing default administrative
>> passwords and taking advantage of the fact that many devices are configured
>> to allow remote access. It also exploits a known vulnerability in D-Link
>> Systems devices, Vykopal said in an e-mail interview.
>>
>> A D-Link spokesman said he was not aware of the botnet, and the company did
>> not immediately have any comment on the issue.
>>
>> Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can
>> infect an MIPS-based device running the Linux operating system if its
>> administration interface has a weak username and password, he said. This
>> MIPS/Linux combination is widely used in routers and DSL modems, but the
>> botnet also attacks satellite TV receivers.
>> ----------
>>
>> Read more here:
>> http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html
>>
>> I will post updates on this as I discover them on my blog, under this same
>> post, here:
>> http://gadievron.blogspot.com/2010/02/chuck-norris-botnet-and-broadband.html
>>
>> ? ? ? ?Gadi.
>>
>>     
>
>
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ