"Chuck Norris" Bot Infects Routers and DSL Adapters

Posted: Tue Feb 23, 2010 11:25 am
by cypher
Czech researchers have uncovered a botnet running on broadband routers and DSL adapters. Click here for the original Czech report.

The research was the work of Jan Vykopal, head of the security project of Masaryk University, along with experts from the Brno Military Academy and the Defence Ministry. They said the main purpose of the botnet was to steal the usual sensitive data: bank accounts, e-mail inboxes, etc. Vykopal added that the botnet could be used for attacking other systems.

Botnets on devices like this are not new. I wrote about a very similar one almost a year ago. Research on the threat goes back further; it was brought up in 2007 by researcher and big-game botnet hunter Gadi Evron in a couple of articles on CircleID.

This bot is named "Chuck Norris" for a comment in the source code referring to the American actor, star of many action films and Walker, Texas Ranger on TV. Like "psyb0t" from a year ago, it attacks devices remotely by guessing at default passwords and can infect devices based on MIPS chips running Linux. The botnet covers Europe and South America and reaches into China. In an e-mail interview with IDG's Bob McMillan, Vykopal said that the bot also exploits a known vulnerability in certain D-Link Systems devices.

Compromising a router has advantages for an attacker: by being connected directly to the broadband network you are not blocked by any security software on the PCs; users don't update software often on routers; and you are closer to the network itself. But there are disadvantages: and power-cycling the router probably removes the bot. It's technically feasible for the bot to write itself to firmware, but there's no evidence any of them are doing this. A bot at the router could also be used as an infection vector for systems inside it.

As to the claim of the bot being used to steal confidential data, how that works can be tricky. A conventional bot on the PC can just monitor the keyboard for the data, but if the session is SSL-protected then a router-based bot will only see encrypted packets. The better way to execute an attack from a bot would be to use the fact that the router is a DNS proxy for the local network and redirect users to false sites, but this can be detected by many different methods.

Evron noted in his 2007 articles that ISPs would not do anything about the problems of weak security in broadband gateway devices until they had to. Perhaps this is the time they have to do something.
Source:
http://blogs.pcmag.com/securitywatch/20 ... _route.php

Re: "Chuck Norris" Bot Infects Routers and DSL Adapters

Posted: Tue Feb 23, 2010 11:27 am
by cypher
:smt066
Image

Re: "Chuck Norris" Bot Infects Routers and DSL Adapters

Posted: Tue Feb 23, 2010 11:48 am
by The Punisher
And how do you find out if you're infected?

Re: "Chuck Norris" Bot Infects Routers and DSL Adapters

Posted: Tue Feb 23, 2010 11:50 am
by Loner
Now you know... You are :smt016

Re: "Chuck Norris" Bot Infects Routers and DSL Adapters

Posted: Tue Feb 23, 2010 11:51 am
by cypher
The Punisher wrote: And how do you find out if you're infected?
I suppose by checking whether your DNS or password have been changed, and whether remote administration on the modem is off, as it should be. But from what it says, the bot gets kicked out as soon as you reboot the modem. The question is what Chuck has seen up to then and how he will use that data. :shock:

Re: "Chuck Norris" Bot Infects Routers and DSL Adapters

Posted: Tue Feb 23, 2010 11:54 am
by stoupeace
cypher wrote:
The Punisher wrote: And how do you find out if you're infected?
I suppose by checking whether your DNS or password have been changed, and whether remote administration on the modem is off, as it should be. But from what it says, the bot gets kicked out as soon as you reboot the modem. The question is what Chuck has seen up to then and how he will use that data. :shock:
OTE and Conn-X have already accounted for this threat. The router needs a restart every 2 hours.

Recognition, finally :smt023

Re: "Chuck Norris" Bot Infects Routers and DSL Adapters

Posted: Tue Feb 23, 2010 12:01 pm
by The Punisher
Hahaha :lol:

Re: "Chuck Norris" Bot Infects Routers and DSL Adapters

Posted: Wed Feb 24, 2010 7:59 pm
by zweistein
cypher wrote::smt066
Image
downloading pron?? rather than porn? lol

Re: "Chuck Norris" Bot Infects Routers and DSL Adapters

Posted: Wed Feb 24, 2010 8:16 pm
by cypher
zweistein wrote:
cypher wrote::smt066
downloading pron?? rather than porn? lol
A well-known variant, I think from 4chan. :-p