View Full Version : Home routers under attack - archive

2007-02-16, 12:49

- http://preview.tinyurl.com/2ubp3y
February 15, 2007 ~ "If you haven't changed the default password on your home router, do so now. That's what researchers at Symantec and Indiana University are saying, after publishing the results of tests that show how attackers could take over your home router using malicious JavaScript code... Once the router has been compromised, victims can be redirected to fraudulent Web sites, the researchers say. So instead of downloading legitimate Microsoft software updates, for example, they could be tricked into downloading malware. Instead of online banking, they could be giving up sensitive information to phishers..."


2007-02-17, 11:47
More on this...

- http://news.com.com/2102-7349_3-6159938.html?tag=st.util.print
Feb 16, 2007 ~ "...Router makers already know of the problems with default passwords as well as other security concerns, they said. Linksys, for example, recommends that customers change the default password during the installation procedure, said Karen Sohl, a representative for the company, a division of Cisco Systems. "We are aware of this," she said. On its Web site*, Linksys warns users that miscreants are taking advantage of the default passwords. "Hackers know these defaults and will try them to access your wireless device and change your network settings. To thwart any unauthorized changes, customize the device's password so it will be hard to guess," the company states. Still, although Linksys' software recommends the password change, consumers can either plug in their router without running the installation disk or bypass the change screen, keeping the defaults. The company offers detailed information on how to change the router password on its Web site. Netgear and D-Link also recommend password changes.

* http://preview.tinyurl.com/2awst3


2007-02-17, 21:15

- http://www.us-cert.gov/current/archive/2007/02/16/archive.html#drvbphrmg
February 16, 2007
...The best defense against this type of attack is for home users to change their default password. The following links provide support resources for three of the more common home router vendors:

* D-Link - http://support.dlink.com/faq/view.asp?prod_id=1997

* Linksys - http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=3976

* NETGEAR - http://kbserver.netgear.com/kb_web_files/N100651.asp


2007-02-21, 12:48

- http://preview.tinyurl.com/2pw3qg
February 20, 2007 ~ "...The attack involves luring users to malicious sites where a device's default password is used to redirect them to bogus sites. Once they are at those sites, their identities could be stolen or malware could be force-fed to their computers. In an advisory* posted Thursday, Cisco listed 77 vulnerable routers in the lines sold to small offices, home offices, branch offices and telecommuters. The advisory recommended that users change the default username and password required to access the router's configuration settings, and disable the device's HTTP server feature..."

* http://www.cisco.com/warp/public/707/cisco-sr-20070215-http.shtml
Updated: Feb 15, 2007

> http://preview.tinyurl.com/yshqf


2007-02-23, 19:16

- http://www.darkreading.com/document.asp?doc_id=117988&print=true
FEBRUARY 22, 2007 ~ "...Researchers at the University of Maryland recently completed a study in which four live Linux servers were set out as bait to see how often they would be attacked. The study racked up 269,262 attempts in a 24-day period... During that time, 824 attempts were successful -- the attacker got the server's username and password. On average, that means that each of the servers was "cracked" almost 10 times a day...
Most commonly-guessed passwords in cyberspace, in order of frequency (to be avoided):
* 1. (username)
* 2. (username)123
* 3. 123456
* 4. password
* 5. 1234
* 6. 12345
* 7. passwd
* 8. 123
* 9. test
* 10. 1
...The username "root" -- which traditionally has given administrators access to multiple systems at the root level -- is by far the most frequently-guessed, with "admin" finishing a distant second..."


2007-10-03, 00:48

Default Passwords: A Hacker's Dream
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202101781
Sept. 26, 2007 - "...Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords. "I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore..."


2008-01-15, 09:13
Ongoing focus...

Home routers 'vulnerable to remote take-over'
- http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/
15 Jan 2008 - "...Design flaw in most home routers that allows attackers to remotely control the devices by luring an attached computer to a booby-trapped website. The weakness could allow attackers to redirect victims to fraudulent destinations that masquerade as trusted sites belonging to banks, ecommerce companies or health care organizations. The exploit works even if a user has changed the default password of the router. And it works regardless of the operating system or browser the computer connected to the device is running, as long as it has a recent version of Adobe Flash installed... Routers made by Linksys, Dlink and SpeedTouch have been confirmed to be vulnerable, and other manufacturers' products are also likely susceptible to attack, the researchers said. Most routers have UPnP turned on by default. The only way to prevent the attack is to turn the feature off, something that is possible with some, but not all, devices..."

- http://www.us-cert.gov/current/archive/2008/01/15/archive.html#upnp_router_exploit
January 14, 2008

- http://isc.sans.org/diary.html?storyid=3848
Last Updated: 2008-01-15 16:55:01 UTC


2008-01-22, 18:16

Drive-by Pharming in the Wild
- http://preview.tinyurl.com/yqutaj
January 22, 2008 (Symantec Security Response Weblog) - "In a previous blog entry* posted almost a year ago, I talked about the concept of a drive-by pharming attack. With this sort of attack, all a victim would have to do to be susceptible is simply view the attacker’s malicious HTML or JavaScript code, which could be placed on a Web page or embedded in an email. The attacker’s malicious code could change the DNS server settings on the victim’s home broadband router (whether or not it’s a wireless router). From then on, all future DNS requests would be resolved by the attacker’s DNS server, which meant that the attacker effectively could control the victim’s Internet connection. At the time we described the attack concept, it was theoretical in the sense that we had not seen an example of it “in the wild.” That’s no longer the case... In one real-life variant that we observed, the attackers embedded the malicious code inside an -email- that claimed it had an e-card waiting for you at the Web site gusanito . com. Unfortunately the email also contained an HTML IMG tag that resulted in an HTTP GET request being made to a router (the make of which is a popular router model in Mexico). The GET request modified the router’s DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker’s Web site. Now, anyone who subsequently tried to go to this particular banking Web site (one of the largest banks in Mexico) using the same computer would be directed to the attacker’s site instead. Anyone who transacted with this rogue site would have their credentials stolen... I would still recommend changing the default router password to something that’s more difficult to guess. For many other router models, doing so will protect you... Also, in general I’d recommend that you reset the router anyway before changing your password. This step ensures that if you have become a victim already, you can start with a clean slate..."
* http://preview.tinyurl.com/2uqwug

> http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/

- http://isc.sans.org/diary.html?storyid=3881
Last Updated: 2008-01-24 02:11:21 UTC


2008-03-09, 15:15

Defending your router, and your identity, with a password change
- http://www.cnet.com/8301-13554_1-9889160-33.html?tag=more
March 8, 2008 - "...Every router, wired or wireless, has an internal website used to make configuration changes. Accessing this internal website requires a userid/password, something totally independent of any wireless network passwords... In brief, if your router is using the default password, your computer is vulnerable to an attack where the router is re-configured. Specifically, the dangerous configuration option is the DNS server... Malicious DNS servers can result in your visiting a website, any website, and ending up at a phony version of the site run by bad guys. If the website is that of a bank or credit card company, and you enter a userid/password, you can kiss your identity, and money, good-bye..."

- http://www.apwg.org/
Released: 3 Mar 08 - APWG Releases Dec 2007 Phishing Trends Report
(From the report - pg. 8, "Phishing-based Trojans – Redirectors")
"...Along with phishing-based keyloggers we are seeing high increases in traffic redirectors. In particular the highest volume is in malicious code which simply modifies your DNS server settings or your hosts file to redirect either some specific DNS lookups or all DNS lookups to a fraudulent DNS server. The fraudulent server replies with “good” answers for most domains, however when they want to direct you to a fraudulent one, they simply modify their name server responses. This is particularly effective because the attackers can redirect any of the users requests at any time and the end-users have very little indication that this is happening as they could be typing in the address on their own..."


2008-03-17, 11:31

Example: http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119651
Latest DAT Release 03 13 2008 - "This fake codec is actually a hijacker that will change your DNS settings whether you acquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121 (RBN).... rogue DNS servers..."


2008-03-21, 17:20

Linksys WRT54G Security Bypass vuln - updates available
- http://secunia.com/advisories/29344/
Release Date: 2008-03-21
Impact: Security Bypass
Where: From local network
Solution Status: Vendor Patch
OS: Linksys WRT54G Wireless-G Broadband Router
...The vulnerability is reported in firmware version 1.00.9. Other versions may also be affected.
Solution: Install updated firmware versions.
WRT54G v5/v6: Install version 1.02.5.
WRT54G v8: Install version 8.00.5.
WRT54G v8.2: Install version 8.2.05 ...
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1247
Last revised: 3/11/2008
CVSS v2 Base score: 10.0 (High)
"...allows -remote- attackers to perform arbitrary administrative actions.."

Linksys WRT54G » Downloads
- http://preview.tinyurl.com/2qykkj
WRT54G v5/v6: Install version 1.02.5. (3/03/2008)
WRT54G v8: Install version 8.00.5. (1/18/2008)
WRT54G v8.2: Install version 8.2.05 (1/18/2008) ...


2008-03-22, 03:59

D-Link router based worm?
- http://isc.sans.org/diary.html?storyid=4175
Last Updated: 2008-03-21 16:44:10 UTC - "...I suspect someone is using snmp to reconfigure the router to its default password or to read its admin password and then accessing the D-Link via telnet to modify the router's configuration or firmware. The D-Link DWL-1000AP had an snmp based password confidentiality vulnerability reported back in 2001... I doubt this attack includes changing the firmware of the router itself to become a router based self propagating worm. While possible it is more difficult than compromising one of the home systems. Given control of a device like this in the network it would be relatively simple to redirect consumers' traffic to a site with client side exploits that would compromise any computer that was not fully patched..."


2008-04-08, 13:58

- http://www.techworld.com/security/news/index.cfm?newsID=11911&pagtype=all
08 April 2008 - "...The technical details of a DNS rebinding attack are complex, but essentially the attacker is taking advantage of the way the browser uses the DNS system to decide what parts of the network it can reach... On Tuesday, OpenDNS will offer users of its free service a way to prevent this type of attack, and the company will also set up a website* that will use Kaminsky's techniques to give users a way to change the passwords of vulnerable routers. The attack "underscores the need for people to be able to have more intelligence on the DNS," Ulevitch said. Although this particular attack takes advantage of the fact that routers often use default passwords that can be easily guessed by the hacker, there is no bug in the routers themselves..."
* http://www.fixmylinksys.com/
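The two checks that defeat the attacks quoted in the 2008-01-22 post (drive-by pharming through an HTML IMG tag) and in the item above (DNS rebinding) belong in the router's own admin interface. The following is an added illustration, not code from any vendor or from the articles quoted in this thread; the names ROUTER_HOSTS, Session and validate_config_request() and the LAN address are assumed.

```python
"""Server-side request checks for a home router's embedded admin page.

Added illustration, not code from any vendor or from the articles quoted in
this thread.  It models the checks that break the two attacks described above:
  * drive-by pharming: a page or e-mail embeds an IMG tag whose GET request
    hits the router's DNS-settings handler with default/cached credentials;
  * DNS rebinding: the attacker's hostname is re-pointed at the router's LAN
    address, so the victim's browser reaches the router while the Host header
    still carries the attacker's name.
Assumed (hypothetical) names: ROUTER_HOSTS, Session, validate_config_request().
The LAN address and hostname below are constructed sample values.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Names under which this router legitimately answers on the LAN (constructed).
ROUTER_HOSTS = {"192.168.1.1", "router.lan"}


@dataclass
class Session:
    """Logged-in admin session. The CSRF token is random per session, so a
    third-party page cannot know it even if the browser auto-sends credentials."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def host_only(header: Optional[str]) -> str:
    """Lower-case a Host header value and drop any :port suffix."""
    if not header:
        return ""
    h = header.strip().lower()
    if h.startswith("["):                      # bracketed IPv6 literal
        return h[1:h.index("]")] if "]" in h else ""
    return h.split(":", 1)[0]


def validate_config_request(method: str, headers: Dict[str, str],
                            form: Dict[str, str], session: Optional[Session]
                            ) -> Tuple[bool, str]:
    """Decide whether a request may change router settings; returns (accepted, reason)."""
    # 1. Host header must name this router. Under DNS rebinding the TCP
    #    connection reaches 192.168.1.1 but the browser sends the attacker's Host.
    if host_only(headers.get("Host")) not in ROUTER_HOSTS:
        return False, "host-mismatch"
    # 2. Settings never change on GET. An IMG tag can only issue a GET, so the
    #    e-mail variant of drive-by pharming cannot reach this handler at all.
    if method.upper() != "POST":
        return False, "method-not-allowed"
    # 3. The form must carry the per-session CSRF token; compare in constant time.
    token = form.get("csrf_token", "").encode()
    if session is None or not hmac.compare_digest(token, session.csrf_token.encode()):
        return False, "bad-csrf-token"
    # 4. Defence in depth: Origin/Referer, when the browser sends them, must
    #    also point at the router rather than at the page that issued the request.
    for hdr in ("Origin", "Referer"):
        value = headers.get(hdr)
        if value and (urlsplit(value).hostname or "").lower() not in ROUTER_HOSTS:
            return False, hdr.lower() + "-mismatch"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run three constructed requests against one admin session."""
    sess = Session()
    good = {"csrf_token": sess.csrf_token}
    return {
        # what the malicious e-mail's IMG tag produces
        "img_tag_get": validate_config_request("GET", {"Host": "192.168.1.1"}, {}, sess),
        # rebound hostname: the socket reaches the router, Host says otherwise
        "rebinding_post": validate_config_request(
            "POST", {"Host": "attacker.example"}, good, sess),
        # the admin's own browser, same-origin form post
        "legit_post": validate_config_request(
            "POST", {"Host": "192.168.1.1:80", "Origin": "http://192.168.1.1"}, good, sess),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```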


2008-04-10, 20:25
FYI... 4.10.2008

- http://www.symantec.com/business/security_response/index.jsp
(Symantec ThreatCon / Environment / Network Activity Spotlight)
"The DeepSight Threat Analyst Team is monitoring TCP port 23 and UDP port 161. These ports have both been associated with recent reports of a new bot that is exploiting and installing itself on D-Link routers.
The bot is designed to attack only D-Link routers over port 23 (Telnet) and contains functionality to scan for TCP port 23, launch IRC clone floods, and launch DDoS attacks. The author of this malicious software is charging 200 US dollars for the software, making it likely that this malware and variants of this malware will become widespread."


2008-04-11, 23:04

Home Wireless AP Hardening in 5 Steps
- http://isc.sans.org/diary.html?storyid=4282
Last Updated: 2008-04-11 19:58:32 UTC - "... There are dangers in all consumer network hardware that require the attention of everyone that installs these devices regardless of the vendor. Taking a device out of the box, plugging it in and letting it go can expose you to "worms" or other remote-based exploitation. This stems from a similar problem with software and operating systems, namely, these things do not ship in a secure-by-default configuration.
Here are 5 easy steps to take when you get a network device / access point to harden yourself against "easy" exploitation (and this applies to ALL hardware):
1) Change the default passwords...
2) Disable remote administration...
3) Update the firmware...
4) Disable unused services...
5) Change the default settings of the device..."

(More detail at the Internet Storm Center URL above.)


2008-06-12, 07:52

- http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html
June 11, 2008 - "...recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list* of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first. DNS can be thought of as the Internet's phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking equipment to handle. While researchers have long warned that threats against hardware routers could one day be incorporated into malicious software, this appears to be the first time this behavior has been spotted in malware released into the wild. The type of functionality incorporated into this version of the Zlob Trojan is extremely concerning for a number of reasons. First, Zlob is among the most common type of Trojan downloaded onto Windows machines. According to Microsoft, the company's malicious software removal tool [MSRT] zapped some 14.3 million instances of Zlob-related malware from customer machines in the second half of 2007. The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think to look to the router settings, provided the customer's Internet connection is functioning fine... Specific, manufacturer-based video tutorials on how to secure your wireless router are available at this link**..."
* http://blog.washingtonpost.com/securityfix/zlobpass.txt

** http://onguardonline.gov/tutorials/index.html#tutorials-wireless

- http://www.trustedsource.org/blog/42/New-DNSChanger-Trojan-hacks-into-routers
June 13, 2008 - "...behavior is entirely controlled by the attackers’ DNS servers. These could even redirect existing domain names to servers hosting crafted content (Phishing) or servers dynamically modifying real content. Once your DNS settings are under control, the bad possibilities are nearly unlimited. And, even clean machines are affected once a previous infection on just one client behind the shared router successfully cracked the router login..."
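A host-side check for the DNS-server tampering described in the 2008-03-17 post (fake codec pointing resolvers at 85.255.x.x) and in the Zlob/DNSChanger items above, as an added example that is not from any of the articles quoted; the sample outputs are constructed and the function names are assumed.

```python
"""Audit a host's configured DNS servers for a DNSChanger-style hijack.

Added illustration, not code from any article quoted in this thread.  It pulls
resolver addresses out of `ipconfig /all` (Windows) or /etc/resolv.conf (Unix)
text and flags any that fall in 85.255.0.0/16, the block the CA advisory above
ties to the rogue DNS servers, or that are neither a LAN address (the router)
nor a resolver you expect.  Both sample outputs below are constructed.
Assumed (hypothetical) names: ROGUE_DNS_NETS, LAN_NETS, extract_dns_servers(),
classify(), audit_dns().
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Range quoted in the CA "fake codec" advisory (85.255.x.29 / 85.255.x.121).
ROGUE_DNS_NETS = [ipaddress.ip_network("85.255.0.0/16")]
# RFC 1918 space: a resolver here is normally the home router itself.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of the relevant part of `ipconfig /all` on a hijacked host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.29
                                       85.255.112.121
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
# Constructed resolv.conf: the router first, then OpenDNS's public resolver.
SAMPLE_RESOLV = "# generated\nnameserver 192.168.1.1\nnameserver 208.67.222.222\n"


def _is_ipv4(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def extract_dns_servers(text: str) -> List[str]:
    """Return resolver IPv4 addresses in the order the OS will try them."""
    servers: List[str] = []
    continuing = False          # inside ipconfig's multi-line "DNS Servers" value
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)           # resolv.conf form
        if m:
            servers.append(m.group(1))
            continue
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)     # ipconfig form
        if m:
            continuing = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        m = re.fullmatch(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s*", line) if continuing else None
        if m:
            servers.append(m.group(1))   # bare-address continuation line
        else:
            continuing = False
    return [s for s in servers if _is_ipv4(s)]


def classify(server: str, expected: Iterable[str] = ()) -> str:
    """'rogue-range', 'ok' or 'unexpected-public' for one resolver address."""
    addr = ipaddress.ip_address(server)
    if any(addr in net for net in ROGUE_DNS_NETS):
        return "rogue-range"
    if server in set(expected) or any(addr in net for net in LAN_NETS):
        return "ok"
    return "unexpected-public"      # not the router and not on your allow-list


def audit_dns(text: str, expected: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Parse then classify; a 'rogue-range' hit is a strong DNSChanger indicator."""
    expected = list(expected)
    return [(s, classify(s, expected)) for s in extract_dns_servers(text)]


if __name__ == "__main__":
    for label, text in (("ipconfig", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV)):
        print(label, audit_dns(text, expected=["208.67.222.222"]))
```

A resolver equal to the router's LAN address only shows that the host asks the router; the router's own upstream DNS setting, which is what drive-by pharming and Zlob change, still has to be checked in its admin page.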


2008-08-07, 21:21

- http://blog.trendmicro.com/zlob-enters-the-search-engine-market/
August 7, 2008 - "More than a year ago, Trend Micro threat researchers uncovered a network of over 900 rogue DNS (Domain Name System) servers related to the ZLOB Trojan family. We gave examples showing that these rogue DNS servers are part of click fraud and leakage of personal information. Just recently, however, we discovered that this network is now targeting four of the most popular search engines. In a large scale click fraud scheme, the ZLOB gang appears to hijack search results and to replace sponsored links with DNS “tricks”... These ZLOB Trojans we found, silently change the local DNS settings of affected systems to use two out of the abovementioned 900+ rogue DNS servers. These Trojans spread by advanced social engineering tricks; an example would be professional-looking Web sites that promise Internet users access to pornographic movies after installing malware that pose as video codecs. The number of ZLOB-related infections is huge — for the last six months of 2007, Microsoft reported more than 14,000,000 infections. It now appears that the ZLOB gang has entered the multibillion-dollar search engine market. ZLOB’s rogue DNS servers resolve several domain names of the main engines to fraudulent IP addresses. Among others, this criminal operation has even set up rogue sites of the UK and Canadian versions of one of the largest search engines. Even searches performed via the installed browser toolbar (provided by the same company) are now being hijacked by ZLOB. Another popular search engine company has been hit even harder — most, if not all, domain names of the search engine that give back search results get resolved to fraudulent Web sites by the rogue DNS servers. The primary objective of ZLOB here appears to be stealing traffic and clicks from search engines, making money along the way. Affected users are immediately redirected to sites that are not at all related to their original search queries. All sponsored search hits of the two main search engines we analyzed were hijacked by ZLOB. Clicks on sponsored links then are not credited to big search engine companies, but to the ZLOB gang instead..."


2008-09-05, 16:08

- http://www.viruslist.com/en/analysis?pubid=204792017
Sep 01 2008 - "... most widespread malicious programs... This table shows the malicious programs detected on users’ computers...
1. Trojan.Win32.DNSChanger.ech ..."

'Still around (i.e.):
- http://www.grisoft.com/ww.download-update
IAVI: / 1655 - Added detection of new variant of Win32/Virut, Worm/Brontok,
new variants of trojans DNSChanger, Dropper.Bravix, Downloader.Tiny.
September 5, 2008


2008-09-17, 13:27

- http://preview.tinyurl.com/5cg8nh
September 15, 2008 - "...Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-Fi networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords* is all it takes to freely connect to unsecured Wi-Fi networks. Especially since most Wi-Fi routers use default security settings that come pre-installed by the vendor rather than having been configured by the end user. SOHO routers log every connection and DHCP lease but these logs are flushed once the router is rebooted. If an attacker has access to the administrative console of the router (thanks to the default password), once their nefarious activities have been carried out, a simple restart of the router will erase all tracks. The extent to which an unsecured Wi-Fi connection can be abused is purely left to the imagination of the attacker..."
* http://www.routerpasswords.com/

:fear: :fear:

2008-09-28, 19:17

- http://voices.washingtonpost.com/securityfix/2008/09/wiglenet_the_411_on_wireless_a.html
September 26, 2008 - "...Why is changing the default settings on a wireless access point a big deal? Because there are plenty of Web sites that list the default user names and passwords built into every brand of router out there... For instance, if I were looking for an exposed wireless network, I'd probably start by searching the local zip code for the default SSID assigned to many popular routers. After all, these would most likely be the networks powered by users who yanked their shiny new routers straight out of the box and plugged them right into the user's modem without modifying a thing..."
* http://wigle.net/gps/gps/main/ssidstats


2009-03-24, 13:06

Router-based botnet...

- http://isc.sans.org/diary.html?storyid=6061
Last Updated: 2009-03-24 13:13:59 UTC - "...document (pdf - dated January 11th, 2009) by Terry Baume* goes into detail about how a specific brand of DSL Modem (Netcomm NB5) can be compromised with malicious code that turns the device into an IRC based Bot - named PSYB0T 2.5L. While discovered several months ago, some recent entries on the DroneBL blog that (among further detail into "PSYB0T") state "We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure...". It certainly appears that PSYB0T may be alive and kicking! Some further insight into the possibility that this Bot is still evolving (Now Version 2.9L, 3 months later) has been presented on the TeamFurry blog**..."
* http://www.adam.com.au/bogaurd/
** http://www.teamfurry.com/wordpress/2009/03/23/botnet-running-on-mips-cpu-devices/

- http://www.dronebl.org/blog/8
"You are only vulnerable if:
• Your device is a mipsel device.
• Your device has telnet, SSH or web-based interfaces available to the WAN
• Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
As such, 90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise)... Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT. If the above criteria are not met, then the device is NOT vulnerable.

How can I tell if I have been infected?
Ports 22, 23 and 80 are blocked as part of the infection process (but NOT as part of the rootkit itself, running the rootkit itself will not alter your iptables configuration). If these ports are blocked, you should perform a hard reset on your device, change the administrative passwords, and update to the latest firmware. These steps will remove the rootkit and ensure that your device is not reinfected...
Mar-24-2009 ...botnet itself is still active..."

- http://www.theregister.co.uk/2009/03/24/psyb0t_home_networking_worm/
24 March 2009

- http://www.eset.com/threat-center/blog/?p=810
March 23, 2009 - "...targets routers and DSL modems..."


2009-07-23, 02:27

DD-WRT vuln...
- http://isc.sans.org/diary.html?storyid=6853
Last Updated: 2009-07-22 20:43:54 UTC - "... new vulnerability in DD-WRT that was being reported in the Register at:
http://www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/ .
DD-WRT runs on routers by Linksys, D-Link, Buffalo, ASUS as well as other routers. The complete list can be found at:
This vulnerability will allow an attacker to run programs with root privileges on a vulnerable router. More information can be found on the DD-WRT Forum at:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173&postdays=0&postorder=asc&start=0 "


2009-10-23, 13:09

SMC router vuln - unpatched
- http://www.wired.com/threatlevel/2009/10/time-warner-cable/
October 20, 2009 - "A vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the internet, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue. Time Warner acknowledged the problem to Threat Level on Tuesday, and says it’s in the process of testing replacement firmware code from the router manufacturer, which it plans to push out to customers soon... The vulnerability lies with Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The device is one of several options Time Warner offers to customers who don’t want to install their own modem and router to use with the company’s broadband service..."

- http://www.f-secure.com/weblog/archives/00001799.html
October 23, 2009


2009-11-23, 20:41

2wire Gateway router/modem - update available
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3962
Last revised: 11/18/2009 - "The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, 2071, 2700HG, and 2701HG-T with software before 5.29.52 allows remote attackers to cause a denial of service (reboot)...
CVSS v2 Base Score: 7.8 (HIGH) ...

- http://webvuln.com/advisories/2wire.remote.denial.of.service.txt
Solution Status: Vendor issued firmware patches; Providers are in charge of applying the patches...
WORKAROUND: Disable Remote Management in Firewall -> Advanced Settings...

- http://www.us-cert.gov/cas/bulletins/SB09-327.html#high
November 23, 2009