Chuck Norris Botnet and Broadband Routers

Last week Czech researchers released information on a new worm which exploits CPE devices (broadband routers) by means such as default passwords, constructing a large DDoS botnet. Today this story hit international news.

Original Czech:
http://praguemonitor.com/2010/02/16/czech-experts-uncover-global-virus-network

English:
http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html

When I raised this issue before in 2007 on NANOG, on some other vetted mailing lists and on CircleID, the consensus was that the vendors would not change their position on default settings unless "something happens". I guess this is it, but I am not optimistic about seeing activity from vendors on this now, either.

CircleID story 1:
http://www.circleid.com/posts/broadband_routers_botnets/

CircleID story 2:
http://www.circleid.com/posts/broadband_router_insecurity/

Insecure broadband modems (DSL and cable) are extremely widespread, with numerous ISPs, large and small, whose entire (read: significant portions of) broadband population is vulnerable. In tests Prof. Randy Vaughn and I conducted with some ISPs in 2007-8, the results were not promising.

Further, many of these devices worldwide serve as infection mechanisms for the computers behind them, with hijacked DNS that points end users to malicious web sites.

On the ISPs' end, much like in the early days of botnets, many service providers did not see these devices as their responsibility, even though in many cases they are the providers of the systems, and these posed a potential DDoS threat to their networks. As a mind-set, operationally taking responsibility for devices located at the homes of end users made no sense, and therefore the stance ISPs took on this issue was understandable, if irresponsible.

As we can't rely on the vendors, ISPs should step up and at the very least ensure that devices they provide to their end users are properly set up (a significant number of ISPs already pre-configure them for support purposes).

The Czech researchers have done a good job and I'd like to thank them for sharing their research with us.

In this article by Robert McMillan, some details are shared in English:

What makes this any different than psyb0t, which was discovered in the
wild last year?

William

Nothing. Good point. :)

- - ferg

Hi, team.

William Pitcock wrote:

Last week Czech researchers released information on a new worm which
exploits CPE devices (broadband routers) by means such as default
passwords, constructing a large DDoS botnet. Today this story hit
international news.

What makes this any different than psyb0t, which was discovered in the
wild last year?

Or Coldlife aka Coldbot, which dates back to circa 2004 (at least)? It
came bundled with a list of 2K+ compromised routers.

Secure your routers, folks! This includes D-Link, Juniper, and Cisco.
They're all targets, and regularly exploited.

Juniper: SSH brute force, some telnet (ugh!) brute force.
Cisco: telnet and SSH brute force, some old web bugs.

<Technologies - Support Documentation - Cisco;
<http://www.cymru.com/Documents/secure-ios-template.html>

<http://www.cymru.com/gillsr/documents/junos-template.pdf>

Updates and suggestions welcome!

Compromised routers are useful for DoS, sure, but more useful as proxies
and IRC bounces. Remember the first big wave of DNS amplification
attacks against Stormpay, et al.? That same perp built a large overlay
network of tunnels between compromised routers (most of which spoke eBGP).

Concerned that your routers might be compromised? Send us a note at
team-cymru@cymru.com and we'll let you know what we've seen. We'll need
your ASN(s) or CIDR block(s).

Thanks,
Rob.
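Rob's note that Juniper and Cisco boxes are being hit with SSH and telnet brute force suggests a simple check an operator can run over router syslog. The following is an added example, not code from Rob's post or from Team Cymru. It assumes the message shapes produced by Cisco IOS `login on-failure log` / `login on-success log` (%SEC_LOGIN-4-LOGIN_FAILED / %SEC_LOGIN-5-LOGIN_SUCCESS) and by OpenSSH sshd as relayed through syslog; the log lines, hostnames and addresses in it are constructed for the demonstration.

```python
"""Flag SSH/telnet login brute force against routers from syslog lines.

Added example (not from the original post). The two message formats below
are assumptions about Cisco IOS %SEC_LOGIN logging and OpenSSH sshd logging;
every sample log line is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Mon DD HH:MM:SS host message" syslog prefix; the year is not carried, so it is assumed.
SYSLOG_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$')
YEAR = 2010

# Cisco IOS login on-failure/on-success log messages (assumed shape).
IOS_RE = re.compile(
    r'%SEC_LOGIN-\d-LOGIN_(?P<result>FAILED|SUCCESS):.*?'
    r'\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]')

# OpenSSH sshd messages, e.g. as forwarded by a JunOS box (assumed shape).
SSHD_RE = re.compile(
    r'sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+')


def parse_line(line):
    """Return (ts, host, src_ip, user, service, success) or None for unrelated lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m['msg']
    e = IOS_RE.search(msg)
    if e:
        service = {'22': 'ssh', '23': 'telnet'}.get(e['port'], 'port' + e['port'])
        return (ts, m['host'], e['src'], e['user'], service, e['result'] == 'SUCCESS')
    e = SSHD_RE.search(msg)
    if e:
        return (ts, m['host'], e['src'], e['user'], 'ssh', e['result'] == 'Accepted')
    return None


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Walk lines in order. Raise BRUTE_FORCE once a source has `threshold`
    failures against one router inside `window`, and LIKELY_COMPROMISE if a
    login from an already-flagged source later succeeds."""
    alerts = []
    recent = defaultdict(deque)   # (host, src) -> failure timestamps inside window
    flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, host, src, user, service, ok = ev
        key = (host, src)
        if ok:
            if key in flagged:
                alerts.append(('LIKELY_COMPROMISE', host, src, user, service))
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append(('BRUTE_FORCE', host, src, user, service))
    return alerts


# Constructed sample: a telnet brute force on rtr1 that succeeds, a single
# mistyped password by an operator, and an SSH brute force on edge2 that does not succeed.
SAMPLE = """\
Feb 16 10:15:01 rtr1 1234: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 10:15:01 UTC Tue Feb 16 2010
Feb 16 10:15:03 rtr1 1235: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 10:15:03 UTC Tue Feb 16 2010
Feb 16 10:15:05 rtr1 1236: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 10:15:05 UTC Tue Feb 16 2010
Feb 16 10:15:07 rtr1 1237: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 10:15:07 UTC Tue Feb 16 2010
Feb 16 10:15:09 rtr1 1238: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 10:15:09 UTC Tue Feb 16 2010
Feb 16 10:15:20 rtr1 1239: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 23] at 10:15:20 UTC Tue Feb 16 2010
Feb 16 10:16:00 rtr1 1240: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 192.0.2.33] [localport: 22] [Reason: Login Authentication Failed] at 10:16:00 UTC Tue Feb 16 2010
Feb 16 10:16:05 rtr1 1241: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 192.0.2.33] [localport: 22] at 10:16:05 UTC Tue Feb 16 2010
Feb 16 10:20:00 edge2 sshd[9012]: Failed password for root from 203.0.113.9 port 40122 ssh2
Feb 16 10:20:10 edge2 sshd[9013]: Failed password for root from 203.0.113.9 port 40123 ssh2
Feb 16 10:20:20 edge2 sshd[9014]: Failed password for root from 203.0.113.9 port 40124 ssh2
Feb 16 10:20:30 edge2 sshd[9015]: Failed password for root from 203.0.113.9 port 40125 ssh2
Feb 16 10:20:40 edge2 sshd[9016]: Failed password for root from 203.0.113.9 port 40126 ssh2
"""


def run_sample():
    return detect(SAMPLE.splitlines())


if __name__ == '__main__':
    for a in run_sample():
        print(*a)
```

The single failed attempt from 192.0.2.33 never reaches the threshold and produces nothing; 198.51.100.7 is flagged on its fifth failure and again when the admin login then succeeds, which is the event worth paging on. Tune `threshold` and `window` to the box: a loopback-only management ACL (as in the Cymru templates) should make any hit from outside the management range an alert on its own.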

Last week Czech researchers released information on a new worm which
exploits CPE devices (broadband routers) by means such as default
passwords, constructing a large DDoS botnet. Today this story hit
international news.

What makes this any different than psyb0t, which was discovered in the
wild last year?

Absolutely nothing. I think it is mentioned in the PC World story, though. Thanks for bringing it up.

  Gadi.