[nsp-sec] dlink router worm or dlink compromise leads to infected PCs?
Smith, Donald
Donald.Smith at qwest.com
Mon Mar 24 12:03:33 EDT 2008
The netflow I have seems to indicate a 2-stage attack.
Try telnet; if that doesn't work, try SNMP, then try telnet again.
There may be another explanation, but I believe the old SNMP password
reset/read vulnerability is being used to gain access via telnet.
They COULD be modifying the routers' firmware, but I suspect they use the
compromised router to direct PCs behind it to a client-side exploit
site to load a tool to continue the spread.
The reason I believe that is it would be much harder to replace the
firmware successfully in a high percentage of the routers. While
possible, it is just not that easy. So that part is pure theory, no
evidence one way or the other.
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Chris Morrow
> Sent: Saturday, March 22, 2008 7:17 PM
> To: Rob Thomas
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] dlink router worm or dlink compromise
> leads to infected PCs?
>
> ----------- nsp-security Confidential --------
>
>
>
> On Sat, 22 Mar 2008, Rob Thomas wrote:
>
> > ----------- nsp-security Confidential --------
> > Based on what we've found, I'd be worried about Dlink and
> > not worried (yet) about Busybox.
>
> because the bot compromises a host behind to compromise the
> busybox via
> the web-management interface??
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
>
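A defender-side way to pull the pattern Donald describes out of flow data (telnet, then SNMP, then telnet again from one source against one router) is a per-source/destination state machine over the flow records. The script below is an added example for this thread, not code from the list or from Qwest; the flow records, the 10-minute window, and the addresses are all constructed assumptions, and a real deployment would read its records from a collector instead of the inline sample.

```python
"""Flag telnet -> SNMP -> telnet sequences against one destination in flow records.

Added example (not from the nsp-security thread). Flow records, addresses and
the window length are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, NamedTuple, Tuple

TELNET = 23
SNMP = 161
WINDOW = 600  # seconds between the first telnet flow and the final one (assumption)
CHAIN = (TELNET, SNMP, TELNET)  # the two-stage pattern described in the post


@dataclass
class Flow:
    ts: int       # flow start, seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    nbytes: int   # bytes from src to dst; a tiny first telnet flow hints at a failed login


class Hit(NamedTuple):
    pair: Tuple[str, str]          # (src, dst)
    times: Tuple[int, int, int]    # timestamps of the telnet, SNMP, telnet flows


# Constructed sample flows; only the first source/destination pair completes the chain.
SAMPLE_FLOWS: List[Flow] = [
    Flow(1000, "10.0.0.5", "192.0.2.10", TELNET, 120),   # short telnet: likely refused/failed
    Flow(1030, "10.0.0.5", "192.0.2.10", SNMP, 300),     # SNMP set/get against the router
    Flow(1095, "10.0.0.5", "192.0.2.10", TELNET, 4800),  # longer telnet session afterwards
    Flow(1100, "10.0.0.5", "192.0.2.10", 80, 900),       # unrelated HTTP, ignored
    Flow(2000, "10.0.0.5", "192.0.2.11", TELNET, 90),    # single telnet probe, no chain
    Flow(3000, "10.0.0.9", "192.0.2.12", SNMP, 250),     # SNMP without a preceding telnet
    Flow(3010, "10.0.0.9", "192.0.2.12", TELNET, 3000),
    Flow(4000, "10.0.0.7", "192.0.2.13", TELNET, 100),   # chain broken by the window
    Flow(5500, "10.0.0.7", "192.0.2.13", SNMP, 250),
    Flow(5510, "10.0.0.7", "192.0.2.13", TELNET, 2500),
]


def find_two_stage(flows: List[Flow], window: int = WINDOW) -> List[Hit]:
    """Return one Hit per completed telnet -> SNMP -> telnet chain within `window` seconds."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.dport in (TELNET, SNMP):
            by_pair[(f.src, f.dst)].append(f)

    hits: List[Hit] = []
    for pair, recs in by_pair.items():
        recs.sort(key=lambda f: f.ts)
        stage: List[Flow] = []  # flows matched so far in the chain
        for f in recs:
            # Drop a partial chain whose first telnet flow is too old.
            if stage and f.ts - stage[0].ts > window:
                stage = []
            want = CHAIN[len(stage)]
            if f.dport == want:
                stage.append(f)
                if len(stage) == len(CHAIN):
                    hits.append(Hit(pair, tuple(x.ts for x in stage)))
                    stage = []
            elif f.dport == TELNET:
                stage = [f]  # a fresh telnet attempt restarts the chain
            # SNMP with no prior telnet is not part of this pattern; ignore it.
    return hits


def describe(hit: Hit) -> str:
    src, dst = hit.pair
    t1, t2, t3 = hit.times
    return f"{src} -> {dst}: telnet@{t1}, snmp@{t2}, telnet@{t3} ({t3 - t1}s span)"


if __name__ == "__main__":
    for h in find_two_stage(SAMPLE_FLOWS):
        print(describe(h))
```

The window and the exact port sequence are the knobs to tune against real collector output; keeping the SNMP-only and telnet-only pairs out of the hit list avoids alerting on ordinary management traffic.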