[nsp-sec] dlink router worm or dlink compromise leads to infected PCs?

Smith, Donald Donald.Smith at qwest.com
Fri Apr 11 16:19:52 EDT 2008


It depends. On most systems if you replace the binaries a reset won't
fix that.
If you have a version of "firmware" in a compressed tarball that you
uncompress and replace all of the binaries after a reset then you should
be ok unless that tarball is compromised.

I have yet to gain access to an actual infected network element but
suspect they are only replacing the busybox app itself.


RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: Sean Donelan [mailto:sean at donelan.com] 
> Sent: Friday, April 11, 2008 1:45 PM
> To: Smith, Donald
> Cc: Rob Thomas; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] dlink router worm or dlink compromise 
> leads toinfectedPCs?
> 
> On Fri, 11 Apr 2008, Smith, Donald wrote:
> > One idea we are considering is telling people to check their home
> > networking devices and upgrade their firmware if needed. If any of the
> > broadband providers or home network equipment vendors want to provide a
> > link that explains how your customers can upgrade their firmware I could
> > publish it. I can of course also just google around a bit and find links
> > myself:)
> 
> Could a hard reset clean out enough of the graft?  Or is a firmware 
> reflash required?
> 
> sean donelan
> 20940
> akamai
> 

