[nsp-sec] dlink router worm or dlink compromise leads to infected PCs?

Barry Greene (bgreene) bgreene at cisco.com
Sat Mar 22 13:51:32 EDT 2008

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 
> The author is coding eagerly and advertising widely.  Why did 
> he write it?  To make money.  That's it.  Gotta love the 
> underground economy.
> 
> I'd expect a lot of this activity.  This one seems new, circa 
> early 2008-03.  That said, it's really no different than the 
> Cayman love back in the day, or the continued interest in 
> Cisco routers.

* Caymans was a fluke - it didn't translate to an economically feasible path.

* Mike Lynn was a distraction - all hype about exploit paths which were
not economically feasible exploits.

* The fun in Mexico last year (DNS) spiked interest.

* If this one takes off with an economic return to the customers of the
tool, we'll need to take note. We'll have a good two years of
exploitability before the vendor community has a chance to plug all the
holes in the problem. After that, you'll have a long tail of years for
the violated CPEs.

Be mindful that these "Best Buy" purchased CPE companies run at such
tight margins that the normal means of spinning up a proactive response
(using the FIRST community) will not work. These companies cannot afford
the overhead of a FIRST/CERT team. When they do, it is not part of
FIRST, since it takes too much time and money (in their POV) to get
ready for the FIRST review. So looking at a path where one of these FIRST
teams grabs this CPE exploit vector is going to be "pushing rope."

Service providers who resell this equipment would be another approach,
but I doubt it. If the customers of the malware stick to principle #7
- stay under the threshold of pain - then the SPs will not see it as cost
effective to address this issue. As long as SP management sees no impact
to SLA or help desk calls, they have no economic incentive to do
anything.

So this whole vector could be nasty. SP to customer: "Yo customers, your
home gateway is owned by some rerow bad guy in China. You need to unplug
it, throw it away and get a new one." Customer to SP: "Yeah right, you
are just trying to sell me your stuff. You already charge me too much
and your service sucks - I've got lousy performance."

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBR+VHJL/UEA/xivvmEQLJEACfVSZ4DTvtiRWi7k8cYfRhu7oJ2ywAnRrX
aQ9U85YrZQQNN1Njg1fTbNn2
=gKE1
-----END PGP SIGNATURE-----
