[nsp-sec] dlink router worm or dlink compromise leads to infectedPCs?

Smith, Donald Donald.Smith at qwest.com
Fri Apr 11 15:22:33 EDT 2008


Not only dlinks are involved now. us-robotics, HUAWEI MT800 and others
are being seen.
Telnet, SNMP and http are being used in the compromises depending on
what the system has open.
One us-robotics system that was compromised was running busybox. I am
pretty sure they have a trojaned/root kitted busybox. It is available as
source code and wouldn't be hard to root kit. I will be doing an updated
sans diary on this later today.

One idea we are considering is telling people to check their home
networking devices and upgrade their firmware if needed. If any of the
broadband providers or home network equipment vendors want to provide a
link that explains how your customers can upgrade their firmware I could
publish it. I can of course also just google around a bit and find links
myself:)


RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: Smith, Donald 
> Sent: Thursday, March 27, 2008 2:49 PM
> To: 'Rob Thomas'
> Cc: 'nsp-security at puck.nether.net'
> Subject: RE: [nsp-sec] dlink router worm or dlink compromise 
> leads to infectedPCs?
> 
> Sorry this took so long to respond to. I have been really 
> busy lately with sms spam and several other things:)
> 
> 
> RM=for(1)
> {manage_risk(identify_risk(product[i++]) && 
> (identify_threat[product[i++]))}
> Donald.Smith at qwest.com giac 
> 
> > -----Original Message-----
> > From: Rob Thomas [mailto:robt at cymru.com] 
> > Sent: Saturday, March 22, 2008 11:08 AM
> > To: Smith, Donald
> > Cc: nsp-security at puck.nether.net
> > Subject: Re: [nsp-sec] dlink router worm or dlink compromise 
> > leads to infectedPCs?
> > 
> > Hi, Don.
> > 
> > This analysis brought to you accompanied by the fine music of Artie
> > Shaw and Django Reinhardt.  :)
> > 
> > > After looking at netflow not all of these appear to be involved in
> > > the dlink compromise.
> > 
> > We've located the author and here is what we've learned thus far.   
> > Take it with a grain of salt.
> > 
> > This is based (at least partly) on a new-ish bot and a mod discussed
> > on the unkn0wn.eu web site.  We're unable to reach that site
> > presently, though the Google cache has a nice snapshot of the
> > main page:
> > 
> >     <http://64.233.167.104/search?q=cache:wduLnrcaBtIJ:unkn0wn.eu/index.php%3Fshow%3Daffiliates+http://unkn0wn.eu/&hl=en&ct=clnk&cd=1&gl=us>
> > 
> > The web site is down due to some Apache problems the miscreants are
> > unable to solve.  Technology stinks for us all, it seems.  ;)
> > 
> > Supposedly the Dlink exploit is also available on milw0rm, though it
> > isn't clear that these are the same.  The author is dodging that
> > question from the masses of eager miscreants.
> Based on what I am seeing the milw0rm exploits are related. 

This should have said NOT related:(

> Those are all http based while the compromises I have seen 
> depended on snmp and telnet.
> 
> > 
> > The author of this bot is selling it for US $200, with all payments
> > made through WU (Western Union).  He is selling it vigorously and
> > plans to release it to the wider underground soon.  Be ready.
> > 
> > The bot is based at least partially on rxbot and it runs natively on
> > the compromised Dlink routers.  The Dlink routers supposedly run
> > Busybox.
> 
> Busybox is a monolithic application, not really an OS.
> It runs on top of embedded Linux, so he is correct that his
> worm is a nix worm.
> I have played with it a few times myself as some of our DSL
> modems run embedded Linux + busybox.
> Busybox was NOT coded with security in mind and there are
> many flaws in the code:(
> 
> 
> > 
> >     <http://www.busybox.net/about.html>
> > 
> > The author lauds the ash shell, wget, and other available commands on
> > the vulnerable Dlink routers.  The author very specifically refers to
> > his bot as a "nix" (Unix) bot.
> > 
> > The bot has only three capabilities (at present):
> > 
> >     1. Scan
> >     2. DDoS
> >     3. Clone flood IRC servers
> > 
> > Some of the miscreants are asking the author to add sniffing  
> > capability.  Ugh.
> > 
> > Oh, the author thinks that 84.77.0.0/16 is some sort of honeynet.  He
> > has at least 1000 compromised Dlink routers there.  He's adding
> > between 800 and 1000 bots per hour at present.
> > 
> > The author is coding eagerly and advertising widely.  Why did he  
> > write it?  To make money.  That's it.  Gotta love the underground  
> > economy.
> > 
> > I'd expect a lot of this activity.  This one seems new, circa early
> > 2008-03.  That said, it's really no different than the Cayman love
> > back in the day, or the continued interest in Cisco routers.
> > 
> > Thanks,
> > Rob.
> > -- 
> > Rob Thomas
> > Team Cymru
> > http://www.cymru.com/
> > ASSERT(coffee != empty);
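A flow-level check an operator could run for the telnet/SNMP/http scanning pattern discussed in this thread, as an added example (not code from the thread or from any of its posters); the record format, the thresholds and every address in the sample data are assumptions, constructed for the example.

```python
"""Flag router-scanning sources in NetFlow-style records.

Added example for the thread above, not code from nsp-sec or its posters.
A source probing many distinct destinations on one of the management
ports named in the thread (telnet/23, SNMP/161, HTTP/80) inside a short
time bucket is a scan candidate. Record format and addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

MGMT_PORTS = {23: "telnet", 161: "snmp", 80: "http"}

@dataclass(frozen=True)
class Flow:
    ts: int       # flow start, seconds
    src: str
    dst: str
    dport: int
    packets: int

def parse_flow(line: str) -> Flow:
    """Parse the constructed format 'ts src dst dport packets'."""
    ts, src, dst, dport, pkts = line.split()
    return Flow(int(ts), src, dst, int(dport), int(pkts))

def scan_candidates(flows, bucket=60, min_targets=50, max_packets=3):
    """Return {src: {port_name: peak_distinct_dsts}} for sources hitting
    at least min_targets distinct destinations on one management port in
    a single `bucket`-second interval. Only tiny (probe-sized) flows count,
    so a busy but legitimate web client with large flows is not flagged."""
    targets = defaultdict(set)  # (src, dport, bucket_id) -> {dst}
    for f in flows:
        if f.dport in MGMT_PORTS and f.packets <= max_packets:
            targets[(f.src, f.dport, f.ts // bucket)].add(f.dst)
    hits = defaultdict(dict)
    for (src, dport, _), dsts in targets.items():
        name = MGMT_PORTS[dport]
        if len(dsts) >= min_targets and len(dsts) > hits[src].get(name, 0):
            hits[src][name] = len(dsts)
    return {s: p for s, p in hits.items() if p}

def sample_flows():
    """Constructed: one host probes 80 telnet ports in 40 s; one web client
    fetches from 5 sites with large flows."""
    lines = [f"{1020 + i // 2} 192.0.2.10 198.51.100.{i} 23 1" for i in range(1, 81)]
    lines += [f"{1020 + i} 192.0.2.20 203.0.113.{i} 80 120" for i in range(1, 6)]
    return [parse_flow(l) for l in lines]
```

The thresholds are starting points for tuning against real export volume; the bucketing and packet cap are the two knobs that separate probe traffic from ordinary client use.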

