[nsp-sec] dlink router worm or dlink compromise leads to infected PCs?

Rob Thomas robt at cymru.com
Sat Mar 22 13:08:05 EDT 2008


Hi, Don.

This analysis brought to you accompanied by the fine music of Artie  
Shaw and Django Reinhardt.  :)

> After looking at netflow not all of these appear to be involved in  
> the dlink compromise.

We've located the author and here is what we've learned thus far.   
Take it with a grain of salt.

This is based (at least partly) on a new-ish bot and a mod discussed  
on the unkn0wn.eu web site.  We're unable to reach that site  
presently, though the Google cache has a nice snapshot of the main page:

    <http://64.233.167.104/search?q=cache:wduLnrcaBtIJ:unkn0wn.eu/index.php%3Fshow%3Daffiliates+http://unkn0wn.eu/&hl=en&ct=clnk&cd=1&gl=us>

The web site is down due to some Apache problems the miscreants are  
unable to solve.  Technology stinks for us all, it seems.  ;)

Supposedly the Dlink exploit is also available on milw0rm, though it  
isn't clear that these are the same.  The author is dodging that  
question from the masses of eager miscreants.

The author of this bot is selling it for US $200, with all payments  
made through WU (Western Union).  He is selling it vigorously and  
plans to release it to the wider underground soon.  Be ready.

The bot is based at least partially on rxbot and it runs natively on  
the compromised Dlink routers.  The Dlink routers supposedly run  
Busybox.

    <http://www.busybox.net/about.html>

The author lauds the ash shell, wget, and other available commands on  
the vulnerable Dlink routers.  The author very specifically refers to  
his bot as a "nix" (Unix) bot.

The bot has only three capabilities (at present):

    1. Scan
    2. DDoS
    3. Clone flood IRC servers

Some of the miscreants are asking the author to add sniffing  
capability.  Ugh.

Oh, the author thinks that 84.77.0.0/16 is some sort of honeynet.  He  
has at least 1000 compromised Dlink routers there.  He's adding  
between 800 and 1000 bots per hour at present.

The author is coding eagerly and advertising widely.  Why did he  
write it?  To make money.  That's it.  Gotta love the underground  
economy.

I'd expect a lot of this activity.  This one seems new, circa early  
2008-03.  That said, it's really no different than the Cayman love  
back in the day, or the continued interest in Cisco routers.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);