[IP] Summary of what I know so far about the Linksys botnet and/or worm

George Bakos gbakos at alpinista.org
Sat Apr 12 17:30:57 UTC 2014


Sounds like:

https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633

g

On Sat, 12 Apr 2014 00:32:55 -0400
Joly MacFie <joly at punkcast.com> wrote:

> Any comments?
> 
> ---------- Forwarded message ----------
> From: Dave Farber <dave at farber.net>
> Date: Fri, Apr 11, 2014 at 8:13 PM
> Subject: [IP] Summary of what I know so far about the Linksys botnet
> and/or worm
> To: ip <ip at listbox.com>
> 
> 
> 
> 
> ---------- Forwarded message ----------
> From: *Brett Glass* <brett at lariat.net>
> Date: Wednesday, February 12, 2014
> Subject: Summary of what I know so far about the Linksys botnet
> and/or worm
> To: "Eugene H. Spafford" <spaf at acm.org>, "dave at farber.net" <dave at farber.net>
> Cc: security at linksys.com
> 
> 
> Gene, Dave:
> 
> Here is what I know so far about the Linksys router exploit that I've
> been observing in the wild today.
> 
> * The exploit has affected Linksys E1000 and E1200 routers that have
> public IP addresses on our network. Those which we've shielded behind
> carrier-grade NAT (the majority) have not been compromised.
> 
> * The routers are rapidly scanning blocks of IP addresses for Web
> servers on ports 80 and 8080. This choice of ports seems to indicate
> that they are looking for other routers of their ilk to infect. It's
> unclear whether, once they find a vulnerable router, they infect it
> themselves or report its IP address back to a botmaster for later
> infection. I suspect the latter, though, because infection would
> require flashing the router with a modified firmware image that would
> be model-specific and there is not room in a router for multiple
> images. It's also likely that a central server is coordinating the
> scans.
> 
> * All of the E1000s that have been affected have the last version of
> firmware that was made for this now-discontinued model. The affected
> E1200s have firmware version 1.0.03 (the last one published for
> hardware version 1) or 2.0.04 (not the latest for hardware version 2,
> but close; there's now a 2.0.06. I do not know if 2.0.06 stops the
> exploit because we have no E1200s running it with public IPs). We
> have not seen any E900s infected, even though the E900 and the E1200
> use the same hardware.
> 
> * None of the infected routers had default or easily guessable
> passwords, suggesting that the backdoor or security hole through
> which the exploit was performed did not require guessing a password.
> 
> * Re-flashing routers and resetting them to factory defaults SEEMS to
> clear the malware, but of course one cannot be 100% sure that it does
> not protect itself from re-flashing.
> 
> * These routers use Broadcom chipsets and Wind River's RTOS operating
> system, and it wasn't swapped for a Linux-based one, so the creators
> of the malware must be skilled in development for this OS -- or at
> least sufficiently skilled to modify the firmware.
> 
> At this point, it appears that those who implemented this exploit are
> still building an "army" and have not used it for anything yet.
> However, there are so many millions of these routers in the field,
> with so many private networks behind them, that there's no telling
> just how much havoc they could wreak if they were set to invasion of
> privacy, DoS attacks, etc.
> 
> I haven't been able to get in touch with anyone at Linksys to talk
> about this. Their support techs are all in remote call centers in
> far-flung corners of the world, and I have not been able to get them
> to escalate.
> 
> --Brett Glass
> 
> 
> 
> 



-- 




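The forwarded report describes two observable facts a network operator can act on: the compromised routers sweep address blocks looking for web servers on TCP 80 and 8080, and only routers with public WAN addresses (not the ones behind carrier-grade NAT) were hit. The following Python is an added example, not code from the original post or from Linksys, showing how one might turn those two observations into a check: a sliding-window scan detector over flow records, plus an exposure test that treats RFC 1918 and RFC 6598 (100.64.0.0/10, the CGNAT shared space) addresses as shielded. The thresholds, the flow-record layout and the sample flows are assumptions constructed for this example.

```python
"""Flag routers that sweep many destinations on TCP 80/8080 and report whether
each one sits on a globally routable WAN address.

Added example, not from the original post. Flow records are constructed.
"""
import ipaddress
from collections import defaultdict

SCAN_PORTS = {80, 8080}          # ports the report says the routers probe
MIN_DISTINCT_DSTS = 20           # assumption: tune to your own baseline
WINDOW_SECONDS = 60              # assumption: "rapid" sweep window

# WAN address space a shielded (CGNAT or private) router would carry.
_NON_PUBLIC = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # RFC 6598 shared address space (CGNAT)
]


def is_publicly_exposed(ip: str) -> bool:
    """True if the WAN address is outside RFC 1918 / RFC 6598 space, i.e. reachable
    by the scanners the report describes. Simplified: other special ranges are ignored."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _NON_PUBLIC)


def detect_scanners(flows, min_dsts=MIN_DISTINCT_DSTS, window=WINDOW_SECONDS):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).

    Returns {src_ip: peak_distinct_destinations} for every source that contacts
    at least `min_dsts` distinct destinations on 80/8080 within any `window`
    seconds. A sliding window keeps the count honest for long captures."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in SCAN_PORTS:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                    # by timestamp, then destination
        in_window = defaultdict(int)     # dst -> number of flows inside window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict everything older than the window from the left edge.
            while events[start][0] < ts - window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_dsts:
            hits[src] = peak
    return hits


def sample_flows():
    """Constructed records: one router sweeping 40 hosts of a /24 on 80/8080
    in about 20 seconds, and one ordinary client touching three servers."""
    flows = []
    for i in range(1, 41):
        flows.append((1000.0 + i * 0.5, "203.0.113.7", f"198.51.100.{i}",
                      80 if i % 2 else 8080))
    flows += [
        (1000.0, "203.0.113.9", "198.51.100.50", 80),
        (1005.0, "203.0.113.9", "198.51.100.51", 443),
        (1010.0, "203.0.113.9", "198.51.100.52", 8080),
    ]
    return flows


def report(flows):
    """Scanners annotated with whether their WAN address was reachable at all."""
    return {src: {"distinct_dsts": n, "exposed": is_publicly_exposed(src)}
            for src, n in detect_scanners(flows).items()}


if __name__ == "__main__":
    for src, info in report(sample_flows()).items():
        print(f"{src}: {info['distinct_dsts']} distinct web targets, "
              f"{'public' if info['exposed'] else 'shielded'} WAN address")
```

Feed it real NetFlow/sFlow or firewall log tuples in place of `sample_flows()`; a router that shows up as both a scanner and publicly exposed is the one the report says to pull, re-flash and factory-reset. The exposure test is deliberately narrow (only RFC 1918 and CGNAT space) because that is the distinction the report draws.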
More information about the NANOG mailing list