[nsp-sec] dlink router worm or dlink compromise leads to infected PCs?
Smith, Donald
Donald.Smith at qwest.com
Thu Mar 27 16:12:35 EDT 2008
Maybe I missed the reply or maybe Rob didn't get a chance to reply but
either way I didn't see it.
Rob, can I assume it is the busybox application they are replacing in
order to add their tools/worm?
That would make sense. Most of these systems have very limited memory; by
replacing elements of the busybox code and dropping some functionality
you could squeeze a worm in there. Since most people never telnet to
their home router they wouldn't notice the loss of functionality.
Busybox primarily provides the shell interface/UNIX commands for people
logged into the router. That would be easier than replacing the "OS". It
would give them rootkit-like hiding functionality, as any commands you
ran on the router would be parsed by busybox, so it would be trivial to
mod the ps function to hide its processes. Same with ls and other
commands you MIGHT use to diagnose issues with a router or discover a
router worm.
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Sean Donelan
> Sent: Saturday, March 22, 2008 12:27 PM
> To: Rob Thomas
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] dlink router worm or dlink compromise
> leads to infected PCs?
>
> ----------- nsp-security Confidential --------
>
> On Sat, 22 Mar 2008, Rob Thomas wrote:
> > The bot is based at least partially on rxbot and it runs natively on
> > the compromised Dlink routers. The Dlink routers supposedly run
> > Busybox.
>
> From the information you've found, does it appear to be something
> Dlink specific the miscreant is using or may it affect other devices
> (multiple brands of routers, appliances, etc) that include
> the BusyBox
> code?
>
> See this link for appliances known to use BusyBox embedded code:
> http://en.wikipedia.org/wiki/BusyBox
>
> Just trying to distinguish between Dlink and BusyBox in your previous
> report, and make sure I'm worried about the correct thing.
>
> Thanks,
> Sean Donelan
> Akamai
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
>
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
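The message above describes a trojaned BusyBox whose ps applet filters its own processes out of the listing. The usual counter to that kind of hiding is a cross-view check: enumerate /proc directly (a readdir does not pass through the ps applet) and compare against what ps reports. The following is an added example written for this archive page, not code from the thread or from any D-Link or BusyBox source. It assumes a Linux-style /proc; the ps output and /proc directory listing it is tested against are constructed samples, and the live check at the bottom is a hypothetical wrapper for running the same comparison on a real box.

```python
"""Cross-view check for a ps applet that hides processes.

Added example (not from the nsp-security thread). Assumes a Linux-style
/proc. PS_SAMPLE and PROC_SAMPLE below are constructed test data.
"""
import os
import subprocess
from typing import Iterable, Set

# Constructed sample: what a (possibly trojaned) BusyBox `ps` printed.
PS_SAMPLE = """  PID USER       VSZ STAT COMMAND
    1 root      1300 S    init
  120 root      1100 S    /usr/sbin/telnetd
  138 root       980 S    /bin/sh
  142 root       900 R    ps
"""

# Constructed sample: raw directory listing of /proc at the same moment.
# PID 201 is present here but absent from the ps output above.
PROC_SAMPLE = ["1", "120", "138", "142", "201",
               "self", "cpuinfo", "meminfo", "net"]


def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse PIDs out of ps text, locating the PID column from the header
    row so BusyBox-style and procps-style layouts both work."""
    lines = [ln for ln in ps_output.splitlines() if ln.strip()]
    if not lines:
        return set()
    header = lines[0].split()
    col = header.index("PID") if "PID" in header else 0
    pids: Set[int] = set()
    for line in lines[1:]:
        fields = line.split()
        if len(fields) > col and fields[col].isdigit():
            pids.add(int(fields[col]))
    return pids


def pids_from_proc(entries: Iterable[str]) -> Set[int]:
    """PIDs from a /proc listing: only the purely numeric entries."""
    return {int(e) for e in entries if e.isdigit()}


def hidden_pids(ps_output: str, proc_entries: Iterable[str]) -> Set[int]:
    """Processes visible in /proc but missing from ps. A modified ps applet
    can drop lines from its own output; it cannot filter a direct readdir
    of /proc, so anything in this set deserves a look."""
    return pids_from_proc(proc_entries) - pids_from_ps(ps_output)


def live_check(ps_cmd=("ps",)) -> Set[int]:
    """Hypothetical wrapper for a real system. Takes two /proc snapshots
    around the ps run and only reports PIDs present in both, so a process
    that exits between the readdir and the ps call is not a false alarm."""
    before = set(os.listdir("/proc"))
    ps_out = subprocess.run(list(ps_cmd), capture_output=True,
                            text=True, check=False).stdout
    after = set(os.listdir("/proc"))
    stable = before & after
    return hidden_pids(ps_out, stable)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("hidden in sample:", sorted(hidden_pids(PS_SAMPLE, PROC_SAMPLE)))
```

On a device where ps has been tampered with, the interesting follow-up is /proc/<pid>/exe and /proc/<pid>/cmdline for each reported PID, read with a tool copied onto the box rather than the resident BusyBox, since ls, cat and readlink are applets of the same binary and may lie as well.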