New Virus Targets DSL Modems and Routers

There is some scary security news out today as reports of a DSL and Cable Hardware Router based Botnet hits the Internet.

DroneBL reports that new exploit for MIPS based router processors and their Linux based embedded OS systems are being systematically turned into Bots. This attack is using code inserted using a modified UPX packing (to get by deep scanning antivirus applications) and using a form of brute force attack on usernames and passwords.

DroneBL states that not all hardware routers are susceptible to this attack. It seems to be mainly ones that keep the default username and password, and allow for remote management or remote SSH (from outside the internal network) an indication of infection is a blocking of ports 22, 23 and 80.

A quick way to rid yourself of this infection if you have it is to reset to factory defaults and update to the latest firmware. After doing this change your default admin and user passwords and make sure that Remote Management is disabled.

Read more here

You are only vulnerable if:

Your device is a mipsel (MIPS running in little-endian mode, this is what the worm is compiled for) device.

Your device also has telnet, SSH or web-based interfaces available to the WAN, and your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.

As such, 90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots.

Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT. If the above criteria is not met, then the device is NOT vulnerable.