Interesting People mailing list archives

WORTH READING Chuck Norris Botnet and Broadband Routers


From: David Farber <dave () farber net>
Date: Mon, 22 Feb 2010 14:07:16 -0500



Begin forwarded message:

From: Jason Livingood <jason_livingood () cable comcast com>
Date: February 22, 2010 1:43:32 PM EST
To: Dave Farber <dave () farber net>, ip <ip () v2 listbox com>
Subject: Re: [IP] Chuck Norris Botnet and Broadband Routers

Back in 2008 I saw Dan Kaminsky demonstrate a similar home gateway device (aka home router) exploit during a 
presentation.  I recall it taking mere seconds, which was surprising to many in the audience.  See 
http://www.infoworld.com/d/security-central/web-page-can-take-over-your-router-094 for details.  

The ease with which some of these exploits can reportedly occur is most definitely concerning.  What is worrisome is 
that if your home gateway device is hacked, your gateway could be configured to point to a hacker-controlled DNS server 
and be sent off to phishing sites without the user having any knowledge and without there being any apparent infection 
on the local host that could be detected (one of many malicious uses of this level of access).

Security issues such as this are among the topics we are trying to involve home gateway vendors in at a broadband home 
gateway effort, called “HomeGate,” at the IETF (see http://trac.tools.ietf.org/area/tsv/trac/wiki/HOMEGATE — we plan an 
April workshop, see http://event.pingg.com/HomeGateLondonMtg).  So far we’ve got rather sparse attendance numbers — 
maybe this will help to spur interest.  :-)

I also agree with the Czech researcher quoted in PCW – the bot/malware problem is going to keep getting worse before it 
gets better.

Regards, 
Jason

Begin forwarded message:

From: Gadi Evron <ge () linuxbox org>
Date: February 22, 2010 9:23:55 AM EST
To: dave () farber net
Subject: Chuck Norris Botnet and Broadband Routers

Good morning Dave. How are you?

For IP.

    Gadi.


Last week Czech researchers released information on a new worm which exploits CPE devices (broadband routers) by 
means such as default passwords, constructing a large DDoS botnet. Today this story hit international news.

Original Czech:
http://praguemonitor.com/2010/02/16/czech-experts-uncover-global-virus-network

English:
http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html

When I raised this issue before in 2007 on NANOG, on some other vetted mailing lists and on CircleID, the consensus was 
that the vendors would not change their position on default settings unless "something happens". I guess this is it, 
but I am not optimistic about seeing activity from vendors on this now, either.

CircleID story 1:
http://www.circleid.com/posts/broadband_routers_botnets/

CircleID story 2:
http://www.circleid.com/posts/broadband_router_insecurity/

The spread of insecure broadband modems (DSL and cable) is extremely widespread, with numerous ISPs, large and 
small, whose entire (read: significant portions of) broadband population is vulnerable. In tests Prof. Randy Vaughn 
and I conducted with some ISPs in 2007-8, the results have not been promising.

Further, many of these devices worldwide serve as infection mechanisms for the computers behind them, with hijacked 
DNS that points end-users to malicious web sites.

On the ISPs' end, much like in the early days of botnets, many service providers did not see these devices as their 
responsibility -- even though in many cases they are the providers of the systems, and these posed a potential DDoS 
threat to their networks. As a mind-set, operationally taking responsibility for devices located at the homes of end 
users made no sense, and therefore the stance ISPs took on this issue was understandable, if irresponsible.

As we can't rely on the vendors, ISPs should step up, and at the very least ensure that devices they provide to 
their end users are properly set up (a significant number of ISPs already pre-configure them for support purposes).

The Czech researchers have done a good job and I'd like to thank them for sharing their research with us.

In this article by Robert McMillan, some details are shared in English:

----------
Discovered by Czech researchers, the botnet has been spreading by taking advantage of poorly configured routers and 
DSL modems, according to Jan Vykopal, the head of the network security department with Masaryk University's 
Institute of Computer Science in Brno, Czech Republic.

The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: "in nome di Chuck 
Norris," which means "in the name of Chuck Norris." Norris is a U.S. actor best known for his martial arts films 
such as "The Way of the Dragon" and "Missing in Action."

Security experts say that various types of botnets have infected millions of computers worldwide to date, but Chuck 
Norris is unusual in that it infects DSL modems and routers rather than PCs.

It installs itself on routers and modems by guessing default administrative passwords and taking advantage of the 
fact that many devices are configured to allow remote access. It also exploits a known vulnerability in D-Link 
Systems devices, Vykopal said in an e-mail interview.

A D-Link spokesman said he was not aware of the botnet, and the company did not immediately have any comment on the 
issue.

Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can infect a MIPS-based device running the 
Linux operating system if its administration interface has a weak username and password, he said. This MIPS/Linux 
combination is widely used in routers and DSL modems, but the botnet also attacks satellite TV receivers.
----------

Read more here:
http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html

I will post updates on this as I discover them on my blog, under this same post, here:
http://gadievron.blogspot.com/2010/02/chuck-norris-botnet-and-broadband.html

    Gadi.
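Both Jason's note above (a hijacked gateway "configured to point to a hacker-controlled DNS server") and Gadi's remark about devices serving hijacked DNS to the computers behind them describe the same symptom, and it is one a defender can check for from the LAN side without touching the gateway. The following is an added example, not code from either message, from the researchers cited, or from any ISP; it assumes the ISP's legitimate resolver ranges are known (the documentation prefixes below are placeholders for them) and reads a dhclient-style lease file, here constructed inline, to flag resolvers that fall outside those ranges.

```python
"""Audit the DNS resolvers a home gateway hands out over DHCP.

Added example, not from the original thread. Assumptions: the defender
knows the ISP's legitimate resolver ranges (placeholder prefixes below)
and has the client's DHCP lease file; the lease text is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder for the ISP's published resolver ranges (assumption; the
# RFC 5737 / RFC 3849 documentation prefixes stand in for real ISP data).
EXPECTED_RESOLVER_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:53::/48"),
]

# Constructed dhclient-style leases: a normal lease, one whose resolver
# list was altered, and one where the gateway is itself the resolver.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 198.51.100.10,198.51.100.11;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.77,198.51.100.10;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
}
"""


@dataclass
class Finding:
    lease_index: int
    resolver: str
    severity: str   # "warn" or "info"
    reason: str


def parse_leases(text):
    """Return one (router, [resolvers]) tuple per lease block."""
    leases = []
    for block in re.findall(r"lease\s*\{(.*?)\}", text, re.S):
        router = re.search(r"option routers ([^;]+);", block)
        dns = re.search(r"option domain-name-servers ([^;]+);", block)
        servers = [s.strip() for s in dns.group(1).split(",")] if dns else []
        leases.append((router.group(1).strip() if router else None, servers))
    return leases


def audit_resolvers(text, expected_nets=EXPECTED_RESOLVER_NETS):
    """Flag resolvers outside the expected ranges; note gateway forwarding."""
    findings = []
    for idx, (router, servers) in enumerate(parse_leases(text)):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append(Finding(idx, server, "warn", "unparseable resolver"))
                continue
            if router and addr == ipaddress.ip_address(router):
                # The CPE forwards DNS itself: the LAN cannot see its
                # upstream, so the gateway's own config must be checked.
                findings.append(Finding(idx, server, "info",
                                        "gateway is the resolver; verify its upstream"))
                continue
            if not any(addr in net for net in expected_nets):
                findings.append(Finding(idx, server, "warn",
                                        "resolver outside expected ISP ranges"))
    return findings


if __name__ == "__main__":
    for f in audit_resolvers(SAMPLE_LEASES):
        print(f"lease {f.lease_index}: {f.severity}: {f.resolver} ({f.reason})")
```

The "info" finding is the important caveat: most CPE devices hand out their own LAN address as the resolver and forward upstream, so a hijacked upstream setting on the gateway is invisible to this lease check. In that case the gateway's WAN-side DNS configuration, or the destination of its outbound port-53 traffic, is what has to be compared against the expected ranges.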

