[isapros] Re: home router exploit based botnets in the news..

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 25 Mar 2009 20:58:38 -0700

..which is why the client-side script attack works so well...


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: Wednesday, March 25, 2009 6:19 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: home router exploit based botnets in the news..

It was only a matter of time. I mean all of these devices ship with the same 
username and password and almost no one changes it. 

thanks,

Amy Babinchak

Harbor Computer Services | 248-850-8616

Mobile 248-890-1794
Web   http://www.harborcomputerservices.net
Client Blog   http://smalltechnotes.blogspot.com
Tech Blog   http://securesmb.harborcomputerservices.net

Buy My House: http://www.shannonrealty.com/vassar_mls_tour.html

Are you an IT Pro?  http://www.thirdtier.net

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, March 25, 2009 8:43 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: home router exploit based botnets in the news..

Nope - and other than the bot aspect, the "come from inside" attack isn't new, 
either.

Will it produce the next Internet Armageddon? Maybe not, but it has the 
potential to do some serious damage, depending on how they choose to mount 
their attack.

Jim

________________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] On Behalf Of 
Steve Moffat [steve@xxxxxxxxxx]
Sent: Wednesday, March 25, 2009 4:45 AM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..

It's fud & you know it....:)~

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, March 25, 2009 3:58 AM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..

It doesn't _need_ to attack the WAN interface directly.
All you need is to convince a user on the LAN side to click a link that allows 
your client-side code to hit the manglement page "silently" (y'no; social 
engineering) and you're off to the races.

Not difficult at all.

JimmyJoeBobAlooba

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Greg Mulholland
Sent: Tuesday, March 24, 2009 6:04 PM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..

I have never seen one that had the wan management interface enabled.

Greg
________________________________________
From: isapros-bounce@xxxxxxxxxxxxx [isapros-bounce@xxxxxxxxxxxxx] On Behalf Of 
Jim Harrison [Jim@xxxxxxxxxxxx]
Sent: Wednesday, 25 March 2009 11:08 AM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..
Most:
1. home users wouldn't know how to check for this state, either.
2. of those devices that ship with management interfaces also ship with it enabled (and poorly secured) by default.

IOW, "#$^ the consumer".

JimmyJoeBobAlooba

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
Sent: Tuesday, March 24, 2009 4:55 PM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..

99% of home users wouldn't enable management over wan, ssh or ftp or 
anything....due to not knowing how

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, March 24, 2009 8:46 PM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..

Oh yeh - that's useful for my Dad and siblings...
Still nothing worth reading from a consumer POV.

JimmyJoeBobAlooba

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
Sent: Tuesday, March 24, 2009 3:40 PM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..

Network Bluepill - stealth router-based botnet has been DDoSing dronebl for the 
last couple of weeks
Below is a description of a botnet we found in the wild. However,
Update 4 -- Before you read anything else, read this
Am I Vulnerable?
You are only vulnerable if:
  • Your device is a mipsel device.
  • Your device has telnet, SSH or web-based interfaces available to the WAN
  • Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, March 24, 2009 7:13 PM
To: ISAPros Mailing List
Subject: [isapros] Re: home router exploit based botnets in the news..

The vendor expects them to be replaced within a year or so - why plan a 
maintenance process for them?

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: Tuesday, March 24, 2009 3:00 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: home router exploit based botnets in the news..

Sure but how is the home user going to know which OS their router uses, which 
brands are good, which ones aren't? Every one that I've seen has no update 
mechanism.

thanks,

Amy Babinchak

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, March 24, 2009 5:47 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] home router exploit based botnets in the news..
Importance: Low

Well, that didn't take long..

http://www.theregister.co.uk/2009/03/24/psyb0t_home_networking_worm/

More than 100,000 hosts invaded
By Dan Goodin in San Francisco
Posted in Security, 24th March 2009 00:20 GMT
Security researchers have identified a sophisticated piece of malware that 
corrals consumer routers and DSL modems into a lethal botnet.
The "psyb0t" worm is believed to be the first piece of malware to target home 
networking gear, according to researchers from DroneBL, which bills itself as a 
real-time monitor of abusable internet addresses. It has already infiltrated an 
estimated 100,000 hosts. It has been used to carry out DDoS, or distributed 
denial of service, attacks and is also believed to use deep-packet inspection 
to harvest user names and passwords.
"This technique is one to be extremely concerned about because most end users 
will not know their network has been hacked, or that their router is 
exploited," the DroneBL researchers wrote here. "This means that in the future, 
this could be an attack vector for the theft of personally identifying 
information. This technique is not going away."
Vulnerable devices include any home router or modem that uses Linux Mipsel, has 
an administration interface, sshd, or telnet in a DMZ, and employs a weak 
password. Once the malware takes hold, it locks legitimate users out of the 
device by blocking telnet, sshd, and web access. It then makes the devices part 
of a botnet. The researchers said they first learned of the worm while 
investigating DDoS attacks that hit DroneBL's infrastructure two weeks ago.
The worm also helps identify exploitable phpMyAdmin and MySQL servers. More 
information about psyb0t is available from this research paper (PDF) published 
in January

Yeh - "hardware" is secure; especially when it runs a "thin Linux".

JimmyJoeBobAlooba

From: Jim Harrison (FF EDGE CS) [mailto:Jim.Harrison@xxxxxxxxxxxxx]
Sent: Tuesday, March 24, 2009 2:44 PM
To: Jim Harrison
Subject: FW: home router exploit based botnets in the news..
Importance: Low



Jim Harrison
Forefront Edge CS
If We Can't Fix It - It Ain't Broke!


From: George Spix
Sent: Tuesday, March 24, 2009 1:07 PM
To: Product Security Discussion Forum
Subject: home router exploit based botnets in the news..
Importance: Low

