Posted: Tue Mar 24, 2009 1:14 Post subject: Question on which versions are exploitable by psyb0t?
"Network Bluepill - stealth router-based botnet has been DDoSing dronebl for the last couple of weeks
We have come across a botnet worm spreading around called "psyb0t". It is notable because, according to my knowledge, it:
* is the first botnet worm to target routers and DSL modems
* contains shellcode for many mipsel devices
* is not targeting PCs or servers
* uses multiple strategies for exploitation, including bruteforce username and password combinations
* harvests usernames and passwords through deep packet inspection
* can scan for exploitable phpMyAdmin and MySQL servers
Vulnerable devices
* any linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices).
* possibly others
Infection strategy
Get a shell on the vulnerable device (methods vary). Once a shell is acquired, the bot does the following things:
If wget is not present, the bot looks for "busybox ftpget", and then tries falling back to a tftp client. Once it is downloaded, it launches it in the background. The following snippet is the variant it uses if it finds that wget is usable.
Are any versions less susceptible to this Botnet worm? I remotely manage DD-WRT flashed routers on different networks I have at different locations, and would hate to lose that ability. Would it be possible to have an option near the Enable/Disable SSH to change the port number in the GUI? It would at least make it a bit harder to find as you could hide it say as a SSL port (443) or something. I know you can change the default WebGUI port, which mine already are, but a quick and simple way to change the SSH port would be fantastic as a quick solution to help against this worm.
You can change the username and use a strong password. I doubt that there's really 80,000 people using custom firmwares that all configured remote access with weak login info. They don't really explain the rest of their claims. I have a feeling what really happened is a vendor left their routers open for remote access using default login info.
Posted: Tue Mar 24, 2009 5:10 Post subject: This whole thing stinks...
After looking at the binary, something's fishy. I do think that there is a worm, but I don't think that there could be anywhere near 80K DD-WRT/OpenWRT/Tomato/Whatever MIPS based routers that have weak passwords AND remote access turned on. DD-WRT goes NUTS if you try and leave the default passwords on while turning on remote admin, and it's been that way for a while.
Something else that's weird. The DroneBL guys are claiming that it's UPX packed, but, after looking at the binary, it's just a normal MIPS binary, I don't see any real packing.
What it looks like is that *IF* you're an idiot, and *IF* you leave the default passwords on your router, and *IF* you turn on remote admin on a DD-WRT/OpenWRT/Tomato router, THEN you might have a problem..
What is also possible is that there is somebody out there using a modified embedded linux in some other device that is, by default, enabling either remote telnet or remote ssh, or remote web administration. Something like that wouldn't surprise me at.. (Ask me about the "VPN Appliance" that would forward either TCP or UDP on a port, but not both...)
I'm taking a "Wait and see" stance. I think that when all the smoke clears, there will be VERY, VERY few dd-wrt and open-wrt boxes infected.
Posted: Tue Mar 24, 2009 6:30 Post subject: More info
I intentionally infected a router with the worm. At this point in time, the DNS for the control channel server (strcpy.us.to) doesn't resolve, so even if you are a "new infection", you can't join the control channel (which doesn't appear to be giving out any orders, anyway...) however, it appears that the control channel is still up and can be joined.
Also the bit about "It then takes several steps to lock anybody out of the device, including blocking telnet, sshd and web ports.
# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP
This concludes the infection process." doesn't appear to be right..
Even after I infected my router, I was able to ssh, telnet, and get into the web interface.
After starting the udhcpd.env process, it creates a zero length file called udhcpd.mtx in the /var/tmp directory. Udhcpd.env is still a running process, can be viewed by ps, and can be killed.
It's cute. Until somebody shows me remotely exploitable mips shellcode, tho, I'm putting this in the "not much of a threat" category.
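An added example, not from this thread or from DroneBL: a BusyBox-sh check for the indicators the_wanderer reported after infecting his own router (a running udhcpd.env process and an empty /var/tmp/udhcpd.mtx) plus the iptables DROP rules the DroneBL write-up claims the bot installs. The function names, the sample ps and iptables-save output, and the assumption that the box has BusyBox grep with -E are mine.

```shell
#!/bin/sh
# Added example (not the thread's or DroneBL's code): look for the psyb0t
# indicators described above on a DD-WRT/OpenWrt box. Assumes BusyBox sh/grep.

# has_suspect_process PS_OUTPUT: 0 if a udhcpd.env process is listed.
# Plain "udhcpd" is the legitimate BusyBox DHCP server and must not match.
has_suspect_process() {
    printf '%s\n' "$1" | grep -qE '[ /]udhcpd\.env( |$)'
}

# has_mutex_file DIR: 0 if DIR/udhcpd.mtx exists and is zero length.
has_mutex_file() {
    [ -f "$1/udhcpd.mtx" ] && [ ! -s "$1/udhcpd.mtx" ]
}

# has_lockout_rules IPTABLES_SAVE_OUTPUT: 0 if telnet, ssh or http is DROPped on INPUT.
has_lockout_rules() {
    printf '%s\n' "$1" | grep -qE '^-A INPUT .*--dport (22|23|80) -j DROP'
}

# check_router PS_OUTPUT DIR IPTABLES_SAVE_OUTPUT: print each finding, return 0 if any.
check_router() {
    hits=0
    has_suspect_process "$1" && { echo "suspect process udhcpd.env is running"; hits=1; }
    has_mutex_file "$2"      && { echo "marker file $2/udhcpd.mtx is present"; hits=1; }
    has_lockout_rules "$3"   && { echo "admin ports are DROPped in the INPUT chain"; hits=1; }
    [ "$hits" -eq 1 ]
}

# Live use on the router itself would be:
#   check_router "$(ps)" /var/tmp "$(iptables-save)"
# Constructed sample data so the script also runs off-box:
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
  412 root      1404 S    udhcpd /tmp/udhcpd.conf
  933 root       672 S    /var/tmp/udhcpd.env'
SAMPLE_FW='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'
check_router "$SAMPLE_PS" /nonexistent "$SAMPLE_FW"
```

A hit on any one indicator is a reason to pull the box off the WAN and reflash, not proof by itself; the process and marker names come from one observed sample.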
Posted: Tue Mar 24, 2009 7:02 Post subject: Re: This whole thing stinks...
the_wanderer wrote:
What is also possible is that there is somebody out there using a modified embedded linux in some other device that is, by default, enabling either remote telnet or remote ssh, or remote web administration. Something like that wouldn't surprise me at.. (Ask me about the "VPN Appliance" that would forward either TCP or UDP on a port, but not both...)
I'm taking a "Wait and see" stance. I think that when all the smoke clears, there will be VERY, VERY few dd-wrt and open-wrt boxes infected.
I'm guessing it is probably some kind of set top box or a multimedia device where security was an afterthought.
hope you guys can create a patched dd-wrt v24 sp1 within the next few days to fix the flaws in the firmwares:)
"You can't fix stupid"
the_wanderer wrote:
What it looks like is that *IF* you're an idiot, and *IF* you leave the default passwords on your router, and *IF* you turn on remote admin on a DD-WRT/OpenWRT/Tomato router, THEN you might have a problem..
Posted: Tue Mar 24, 2009 13:33 Post subject:
soulstace wrote:
hajj_3 wrote:
hope you guys can create a patched dd-wrt v24 sp1 within the next few days to fix the flaws in the firmwares:)
"You can't fix stupid"
the_wanderer wrote:
What it looks like is that *IF* you're an idiot, and *IF* you leave the default passwords on your router, and *IF* you turn on remote admin on a DD-WRT/OpenWRT/Tomato router, THEN you might have a problem..
Posted: Tue Mar 24, 2009 13:44 Post subject: Re: This whole thing stinks...
the_wanderer wrote:
After looking at the binary, something's fishy. I do think that there is a worm, but I don't think that there could be anywhere near 80K DD-WRT/OpenWRT/Tomato/Whatever MIPS based routers that have weak passwords AND remote access turned on. DD-WRT goes NUTS if you try and leave the default passwords on while turning on remote admin, and it's been that way for a while.
Something else that's weird. The DroneBL guys are claiming that it's UPX packed, but, after looking at the binary, it's just a normal MIPS binary, I don't see any real packing.
What it looks like is that *IF* you're an idiot, and *IF* you leave the default passwords on your router, and *IF* you turn on remote admin on a DD-WRT/OpenWRT/Tomato router, THEN you might have a problem..
What is also possible is that there is somebody out there using a modified embedded linux in some other device that is, by default, enabling either remote telnet or remote ssh, or remote web administration. Something like that wouldn't surprise me at.. (Ask me about the "VPN Appliance" that would forward either TCP or UDP on a port, but not both...)
I'm taking a "Wait and see" stance. I think that when all the smoke clears, there will be VERY, VERY few dd-wrt and open-wrt boxes infected.
Did I miss somewhere where it said that ALL 80-100k were DD-WRT? And read the update about UPX packing...
hope you guys can create a patched dd-wrt v24 sp1 within the next few days to fix the flaws in the firmwares:)
If something should be done to V24 sp1, then that is pulling it off the download section.
Patched against what? Read this thread again before replying, so far there is no evidence that anything is wrong with dd-wrt, that any fix is needed, or that pulling it off the download section is necessary.
It's just a news article low on details, and potentially partially incorrect.
unless you want them to make it ignore the commands 'to drop all http, ssh, telnet'
pretty much just make a STRONG password
e.g. username isn't default (8+ characters)
password has alpha, numeric, and special characters if accepted (8+ characters)
Posted: Tue Mar 24, 2009 14:19 Post subject: Something's still not adding up...
They've updated the info on the webpage, and included this statement:
"* Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
As such, 90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots."
They're saying they've got mips shellcode, but they're not saying for what service. So until this little piece of info comes out, just wait and see.
Personally, it still has not been proved to me that it's not a "Don't leave the default passwords on your crap then turn on remote admin" problem, which is security 101.
hope you guys can create a patched dd-wrt v24 sp1 within the next few days to fix the flaws in the firmwares:)
If something should be done to V24 sp1, then that is pulling it off the download section.
Patched against what? Read this thread again before replying, so far there is no evidence that anything is wrong with dd-wrt, that any fix is needed, or that pulling it off the download section is necessary.
It's just a news article low on details, and potentially partially incorrect.
Marc
I know.
I think the V24 sp1 should be pulled for other reasons, almost half of all user problems are due to that buggy version.