[nsp-sec] dlink router worm or dlink compromise leads to infectedPCs?

Smith, Donald Donald.Smith at qwest.com
Thu Mar 27 16:48:37 EDT 2008


Sorry this took so long to respond to. I have been really busy lately
with SMS spam and several other things :)


RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: Rob Thomas [mailto:robt at cymru.com] 
> Sent: Saturday, March 22, 2008 11:08 AM
> To: Smith, Donald
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] dlink router worm or dlink compromise 
> leads to infectedPCs?
> 
> Hi, Don.
> 
> This analysis brought to you accompanied by the fine music of Artie  
> Shaw and Django Reinhardt.  :)
> 
> > After looking at netflow not all of these appear to be involved in  
> > the dlink compromise.
> 
> We've located the author and here is what we've learned thus far.   
> Take it with a grain of salt.
> 
> This is based (at least partly) on a new-ish bot and a mod discussed  
> on the unkn0wn.eu web site.  We're unable to reach that site  
> presently, though the Google cache has a nice snapshot of the 
> main page:
> 
>     <http://64.233.167.104/search?q=cache:wduLnrcaBtIJ:unkn0wn.eu/ 
> index.php%3Fshow%3Daffiliates+http://unkn0wn.eu/ 
> &hl=en&ct=clnk&cd=1&gl=us>
> 
> The web site is down due to some Apache problems the miscreants are  
> unable to solve.  Technology stinks for us all, it seems.  ;)
> 
> Supposedly the Dlink exploit is also available on milw0rm, though it  
> isn't clear that these are the same.  The author is dodging that  
> question from the masses of eager miscreants.
Based on what I am seeing, the milw0rm exploits are related. Those are
all HTTP-based, while the compromises I have seen depended on SNMP and
telnet.

> 
> The author of this bot is selling it for US $200, with all payments  
> made through WU (Western Union).  He is selling it vigorously and  
> plans to release it to the wider underground soon.  Be ready.
> 
> The bot is based at least partially on rxbot and it runs natively on  
> the compromised Dlink routers.  The Dlink routers supposedly run  
> Busybox.

Busybox is a monolithic application, not really an OS.
It is run on top of embedded Linux, so he is correct that his worm is a
nix worm.
I have played with it a few times myself, as some of our DSL modems run
embedded Linux + Busybox.
Busybox was NOT coded with security in mind and there are many flaws in
the code :(


> 
>     <http://www.busybox.net/about.html>
> 
> The author lauds the ash shell, wget, and other available commands on
> the vulnerable Dlink routers.  The author very specifically refers to
> his bot as a "nix" (Unix) bot.
> 
> The bot has only three capabilities (at present):
> 
>     1. Scan
>     2. DDoS
>     3. Clone flood IRC servers
> 
> Some of the miscreants are asking the author to add sniffing  
> capability.  Ugh.
> 
> Oh, the author thinks that 84.77.0.0/16 is some sort of honeynet.  He
> has at least 1000 compromised Dlink routers there.  He's adding
> between 800 and 1000 bots per hour at present.
> 
> The author is coding eagerly and advertising widely.  Why did he  
> write it?  To make money.  That's it.  Gotta love the underground  
> economy.
> 
> I'd expect a lot of this activity.  This one seems new, circa early  
> 2008-03.  That said, it's really no different than the Cayman love  
> back in the day, or the continued interest in Cisco routers.
> 
> Thanks,
> Rob.
> -- 
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);
> 


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.
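The thread mentions sorting bots from bystanders in netflow, and that the compromises rode in over telnet and SNMP while the bot itself scans and clone-floods IRC. The script below is an added example, not code from the thread, Team Cymru or Qwest: it runs two fan-out/fan-in heuristics over flow records. The record format (one whitespace-separated `src_ip src_port dst_ip dst_port proto` line) and all addresses are constructed for illustration; the thresholds are assumptions to tune against your own traffic.

```python
"""Fan-out / fan-in heuristics over flow records.

Added example. The flow records are constructed (RFC 5737 documentation
addresses), and the one-record-per-line text format is an assumption,
not any collector's export format.
"""
from collections import defaultdict

# Ports the compromises in the thread relied on (telnet, SNMP), plus IRC,
# which the bot floods with clones / uses as its rendezvous.
SCAN_PORTS = {23: "telnet", 161: "snmp"}
IRC_PORT = 6667


def parse_flow(line):
    """Parse 'src_ip src_port dst_ip dst_port proto'; return None on junk."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, sport, dst, dport, proto = parts
    try:
        return {"src": src, "sport": int(sport), "dst": dst,
                "dport": int(dport), "proto": proto.lower()}
    except ValueError:
        return None


def find_scanners(lines, min_targets=20):
    """Sources touching >= min_targets distinct hosts on a scan port.

    Returns {src_ip: {port_name: distinct_destination_count}}.  Fan-out on
    the infection ports is what a router sweeping its neighbours looks
    like; a human admin opening a few telnet sessions stays below it.
    """
    targets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        f = parse_flow(line)
        if f is None or f["dport"] not in SCAN_PORTS:
            continue
        targets[f["src"]][f["dport"]].add(f["dst"])
    hits = {}
    for src, by_port in targets.items():
        flagged = {SCAN_PORTS[p]: len(d) for p, d in by_port.items()
                   if len(d) >= min_targets}
        if flagged:
            hits[src] = flagged
    return hits


def find_irc_fan_in(lines, min_sources=10):
    """IRC servers contacted by >= min_sources distinct sources.

    Returns {dst_ip: distinct_source_count}; many bots converging on one
    IRC server is the clone-flood / C&C pattern described in the thread.
    """
    sources = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["dport"] != IRC_PORT or f["proto"] != "tcp":
            continue
        sources[f["dst"]].add(f["src"])
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


def constructed_flows():
    """Constructed sample: one sweeping router, one admin, thirty IRC bots."""
    flows = []
    for i in range(1, 41):                        # telnet sweep of a /24
        flows.append(f"192.0.2.5 40000 198.51.100.{i} 23 tcp")
    for i in range(1, 26):                        # SNMP sweep, same source
        flows.append(f"192.0.2.5 40001 198.51.100.{i} 161 udp")
    for i in range(1, 4):                         # admin: three telnet sessions
        flows.append(f"192.0.2.9 51000 198.51.100.{i} 23 tcp")
    for i in range(1, 31):                        # bots -> one IRC server
        flows.append(f"203.0.113.{i} 33000 198.51.100.200 6667 tcp")
    flows.append("garbage line")                  # collector noise, skipped
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    print("scanners:", find_scanners(flows))
    print("irc fan-in:", find_irc_fan_in(flows))
```

Both functions key on distinct counterpart addresses rather than packet or byte counts, so a chatty but legitimate host does not trip them; run them per time window (e.g. per hour) against real exports, since the thread's figure of 800 to 1000 new bots per hour implies the sweep shows up quickly once the window is small enough.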


