[isapros] Re: home router exploit based botnets in the news..
- From: Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
- Date: Wed, 25 Mar 2009 08:39:24 -0400
Management over the WAN is often enabled by default. Manufacturers do this to
make it easier on their support staff.
thanks,
Amy Babinchak
Harbor Computer Services | 248-850-8616
Mobile 248-890-1794
Web: http://www.harborcomputerservices.net
Client Blog: http://smalltechnotes.blogspot.com
Tech Blog: http://securesmb.harborcomputerservices.net
Buy My House: http://www.shannonrealty.com/vassar_mls_tour.html
Are you an IT Pro? http://www.thirdtier.net
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Moffat
Sent: Tuesday, March 24, 2009 7:55 PM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..
99% of home users wouldn't enable management over WAN, SSH or FTP or
anything... due to not knowing how
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Tuesday, March 24, 2009 8:46 PM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..
Oh yeh - that's useful for my Dad and siblings...
Still nothing worth reading from a consumer POV.
JimmyJoeBobAlooba
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Moffat
Sent: Tuesday, March 24, 2009 3:40 PM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..
Network Bluepill - stealth router-based botnet has been DDoSing dronebl for the
last couple of weeks<http://www.dronebl.org/blog/8>
Below is a description of a botnet we found in the wild. However,
Update 4 -- Before you read anything else, read this
Am I Vulnerable?
You are only vulnerable if:
* Your device is a mipsel device.
* Your device has telnet, SSH or web-based interfaces available to the WAN
* Your username and password combinations are weak, OR the daemons that
  your firmware uses are exploitable.
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Tuesday, March 24, 2009 7:13 PM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..
The vendor expects them to be replaced within a year or so - why plan a
maintenance process for them?
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Amy Babinchak
Sent: Tuesday, March 24, 2009 3:00 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: home router exploit based botnets in the news..
Sure but how is the home user going to know which OS their router uses, which
brands are good, which ones aren't? Every one that I've seen has no update
mechanism.
thanks,
Amy Babinchak
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Tuesday, March 24, 2009 5:47 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] home router exploit based botnets in the news..
Importance: Low
Well, that didn't take long..
http://www.theregister.co.uk/2009/03/24/psyb0t_home_networking_worm/
More than 100,000 hosts invaded
By Dan Goodin in San Francisco
Posted in Security<http://www.theregister.co.uk/security/>, 24th March 2009
00:20 GMT
Security researchers have identified a sophisticated piece of malware that
corrals consumer routers and DSL modems into a lethal botnet.
The "psyb0t" worm is believed to be the first piece of malware to target home
networking gear, according to researchers from
DroneBL<http://www.dronebl.org/>, which bills itself as a real-time monitor of
abusable internet addresses. It has already infiltrated an estimated 100,000
hosts. It has been used to carry out DDoS, or distributed denial of service,
attacks and is also believed to use deep-packet inspection to harvest user
names and passwords.
"This technique is one to be extremely concerned about because most end users
will not know their network has been hacked, or that their router is
exploited," the DroneBL researchers wrote here<http://www.dronebl.org/blog/8>.
"This means that in the future, this could be an attack vector for the theft of
personally identifying information. This technique is not going away."
Vulnerable devices include any home router or modem that uses Linux Mipsel, has
an administration interface, sshd, or telnet in a DMZ, and employs a weak
password. Once the malware takes hold, it locks legitimate users out of the
device by blocking telnet, sshd, and web access. It then makes the devices part
of a botnet. The researchers said they first learned of the worm while
investigating DDoS attacks that hit DroneBL's infrastructure two weeks ago.
The worm also helps identify exploitable phpMyAdmin and MySQL servers. More
information about psyb0t is available from this research paper
(PDF)<http://www.adam.com.au/bogaurd/PSYB0T.pdf> published in January.
Yeh - "hardware" is secure; especially when it runs a "thin Linux".
JimmyJoeBobAlooba
From: Jim Harrison (FF EDGE CS) [mailto:Jim.Harrison@xxxxxxxxxxxxx]
Sent: Tuesday, March 24, 2009 2:44 PM
To: Jim Harrison
Subject: FW: home router exploit based botnets in the news..
Importance: Low
Jim Harrison
Forefront Edge CS
If We Can't Fix It - It Ain't Broke!
From: George Spix
Sent: Tuesday, March 24, 2009 1:07 PM
To: Product Security Discussion Forum
Subject: home router exploit based botnets in the news..
Importance: Low