
posted by robind on Friday February 14 2014, @01:39AM
from the entry-level dept.

AudioGuy writes:

"Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.

The worm works by injecting vulnerable devices with a URL-encoded shell script that carries out the same seek-and-hijack behavior. The exploit may also change some routers' domain name system server to 8.8.8.8 or 8.8.4.4, which are IP addresses used by Google's DNS service. Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People who are wondering if their device is infected should check for heavy outbound scanning on port 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024.

This blog post at SANS contains more technical details including a way to test if you have a vulnerable device."

  • (Score: 2, Insightful) by mechanicjay on Friday February 14 2014, @11:36AM

    by mechanicjay (7) <{mechanicjay} {at} {soylentnews.org}> on Friday February 14 2014, @11:36AM (#73) Homepage Journal
    Okay, I get it, but is "- inbound connection attempts to misc ports 1024." an indicator of anything? I get that's the delivery mechanism, but have you looked at your firewall logs lately? Everyone is constantly getting probed by something at this point.
    --
    My VMS box beat up your Windows box.
    • (Score: 1) by ragequit on Friday February 14 2014, @05:25PM

      by ragequit (44) on Friday February 14 2014, @05:25PM (#77) Journal
      On average I get my first scan about 5 min after getting a connection.
      --
      The above views are fabricated for your reading pleasure.
    • (Score: 1) by Foobar Bazbot on Friday February 14 2014, @06:13PM

      by Foobar Bazbot (37) on Friday February 14 2014, @06:13PM (#87) Journal

      Okay, I get it, but is "- inbound connection attempts to misc ports 1024." an indicator of anything? I get that's the delivery mechanism, but have you looked at your firewall logs lately? Everyone is constantly getting probed by something at this point.

      Well, actually I haven't looked at firewall logs for anything internet-facing in a long time. But I assume those probes are mainly targeted at the well-known ports for common services. TFA says the propagation connections of this malware are on random (seems to imply uniformly-distributed) ports <1024, though "misc" certainly doesn't communicate that distinction. These patterns should be distinguishable after you collect enough data.

      But it really doesn't matter; TFS says this infection doesn't survive a reboot, so if I had a vulnerable model of router in a vulnerable configuration (i.e. remote admin enabled), my steps would be:

      1. Fix the configuration.
      2. Reboot the router.
      3. Shoot myself in the head, making the world a better place. (Seriously, I don't know any question to which "expose a consumer router's web administration page to the WAN interface" is the right answer)

      At no point did I actually need to check whether it was currently infected; rebooting it regardless of infection status is easier than checking the logs and trying to infer infection status, and then possibly rebooting anyway.
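The story lists two things to look for on a possibly infected router (heavy outbound scanning to ports 80 and 8080, and inbound connection attempts to assorted ports below 1024), and the reply above notes that the inbound pattern should be distinguishable from ordinary background probing once enough data is collected. The following is an added example, not code from the story, the SANS post or anyone in this thread: it parses iptables-style firewall log lines (the line layout, the FW_IN/FW_OUT prefixes and the 192.0.2.1 router address are all assumptions) and scores both indicators over a constructed sample, treating a spread of hits across many low ports as more suspicious than the usual concentration on a few well-known ones.

```python
import re
from collections import Counter

# Assumed LAN-side router address (documentation range), not from the story.
ROUTER_IP = "192.0.2.1"
# iptables-style syslog layout is an assumption; adjust LOG_RE for your firewall.
LOG_RE = re.compile(r"(?P<dir>FW_IN|FW_OUT).*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

def make_sample_log():
    """Constructed sample: the router SYN-scans 25 hosts on 80/8080, while
    12 inbound probes hit scattered low ports and 4 hit the usual 22/23."""
    fmt = "Feb 14 01:39:00 gw kernel: {d} OUT=eth0 SRC={s} DST={t} PROTO=TCP SPT=40000 DPT={p} SYN"
    lines = [fmt.format(d="FW_OUT", s=ROUTER_IP, t=f"198.51.100.{i}", p=80 if i % 2 else 8080)
             for i in range(1, 26)]
    for i, p in enumerate([37, 514, 993, 113, 7, 611, 201, 879, 321, 455, 109, 1011]):
        lines.append(fmt.format(d="FW_IN", s=f"203.0.113.{i + 1}", t=ROUTER_IP, p=p))
    lines += [fmt.format(d="FW_IN", s="203.0.113.99", t=ROUTER_IP, p=22 if i % 2 else 23)
              for i in range(4)]
    return lines

def parse(lines):
    """Yield (direction, src, dst, dport) for lines matching LOG_RE; skip the rest."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["dir"], m["src"], m["dst"], int(m["dpt"])

def outbound_scan_targets(events, router_ip, ports=(80, 8080)):
    """Distinct hosts the router itself probed on 80/8080; a router should not do this."""
    return {dst for d, src, dst, dpt in events
            if d == "FW_OUT" and src == router_ip and dpt in ports}

def inbound_low_port_profile(events):
    """(hits on ports < 1024, share of them on the 5 most-hit ports). Background
    noise concentrates on a few well-known ports; the worm's attempts are spread out."""
    hits = Counter(dpt for d, _, _, dpt in events if d == "FW_IN" and dpt < 1024)
    total = sum(hits.values())
    if total == 0:
        return 0, 1.0
    return total, sum(n for _, n in hits.most_common(5)) / total

def assess(lines, router_ip=ROUTER_IP, scan_threshold=20, min_inbound=10, spread=0.5):
    """Flag heavy outbound 80/8080 scanning, or many inbound hits spread over low ports."""
    events = list(parse(lines))
    targets = outbound_scan_targets(events, router_ip)
    total, top5_share = inbound_low_port_profile(events)
    flagged = len(targets) >= scan_threshold or (total >= min_inbound and top5_share < spread)
    return {"outbound_targets": len(targets), "inbound_low_ports": total,
            "top5_share": round(top5_share, 2), "suspicious": flagged}
```

Run `assess(make_sample_log())` to see the constructed sample flagged on both counts; the thresholds are starting points to tune against a few days of your own logs, since the outbound check in particular should sit near zero on a healthy router.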

  • (Score: 1) by cculpepper on Friday February 14 2014, @06:41PM

    by cculpepper (46) on Friday February 14 2014, @06:41PM (#90)

    Wonder why it changes the DNS to Google's DNS server? Maybe to improve performance so people are less likely to throw away infected/susceptible routers?

    • (Score: 1) by mrbluze on Friday February 14 2014, @08:17PM

      by mrbluze (49) on Friday February 14 2014, @08:17PM (#95) Journal

      Wonder why it changes the DNS to Google's DNS server? Maybe to improve performance so people are less likely to throw away infected/susceptible routers?

      Or maybe Google's DNS server is more forgiving.

      --
      Do it yourself, 'cause no one else will do it yourself.
    • (Score: 1) by toygeek on Saturday February 15 2014, @12:23AM

      by toygeek (28) on Saturday February 15 2014, @12:23AM (#127) Homepage
      Many ISPs use DNS to block known bots. Perhaps Google is less diligent in this manner? I do not know if that is the case and I'm too lazy to look it up.
      --
      There is no Sig. Okay, maybe a short one. http://miscdotgeek.com
  • (Score: 1) by applesmasher on Friday February 14 2014, @09:53PM

    by applesmasher (53) on Friday February 14 2014, @09:53PM (#116)

    Of course it looks as if it goes away after a reboot. They can't hide it completely, but they can make you think that you've made it go away.

    The reboot just fixes it in place, and then your own router is part of PRISM, reporting directly through dark channels to the NSA!

    Wake up, sheeple!

    --
    Ever seen an apple hit by a .22WMR?
  • (Score: 1) by Khyber on Saturday February 15 2014, @03:49AM

    by Khyber (54) on Saturday February 15 2014, @03:49AM (#130) Journal
    Of course, it seems my two more recent wireless router purchases were less than ideal. It might be time to turn an old laptop into a wireless router running BSD or Linux.
    --
    Destroying Semiconductors With Style Since 2008, and scaring you ill-educated fools since 2013.
    • (Score: 1) by sgleysti on Saturday February 15 2014, @05:09AM

      by sgleysti (56) on Saturday February 15 2014, @05:09AM (#138)
      Your sig is incredibly appropriate, given what you said in ##altslashdot