Chuck Norris Botnet and Broadband Routers

Gadi Evron ge at
Mon Feb 22 14:21:54 UTC 2010

Last week Czech researchers released information on a new worm which 
exploits CPE devices (broadband routers) by means such as default 
passwords, constructing a large DDoS botnet. Today this story hit 
international news.

Original Czech:


When I raised this issue before in 2007 on NANOG, some other vetted 
mailing lists and on CircleID, the consensus was that the vendors will 
not change their position on default settings unless "something 
happens", I guess this is it, but I am not optimistic on seeing activity 
from vendors on this now, either.

CircleID story 1:

CircleID story 2:

The spread of insecure broadband modems (DSL and Cable) is extremely 
wide-spread, with numerous ISPs, large and small, whose entire (read 
significant portions of) broadband population is vulnerable. In tests 
Prof. Randy Vaughn and I conducted with some ISPs in 2007-8 the results 
have not been promising.

Further, many of these devices world wide serve as infection mechanisms 
for the computers behind them, with hijacked DNS that points end-users 
to malicious web sites.

On the ISPs end, much like in the early days of botnets, many service 
providers did not see these devices as their responsibility -- even 
though in many cases they are the providers of the systems, and these 
posed a potential DDoS threat to their networks. As a mind-set, 
operationally taking responsibility for devices located at the homes of 
end users made no sense, and therefore the stance ISPs took on this 
issue was understandable, if irresponsible.

As we can't rely on the vendors, ISPs should step up, and at the very 
least ensure that devices they provide to their end users are properly 
set up (a significant number of iSPs already pre-configure them for 
support purposes).

The Czech researchers have done a good job and I'd like to thank them 
for sharing their research with us.

In this article by Robert McMillan, some details are shared in English:

Discovered by Czech researchers, the botnet has been spreading by taking 
advantage of poorly configured routers and DSL modems, according to Jan 
Vykopal, the head of the network security department with Masaryk 
University's Institute of Computer Science in Brno, Czech Republic.

The malware got the Chuck Norris moniker from a programmer's Italian 
comment in its source code: "in nome di Chuck Norris," which means "in 
the name of Chuck Norris." Norris is a U.S. actor best known for his 
martial arts films such as "The Way of the Dragon" and "Missing in Action."

Security experts say that various types of botnets have infected 
millions of computers worldwide to date, but Chuck Norris is unusual in 
that it infects DSL modems and routers rather than PCs.

It installs itself on routers and modems by guessing default 
administrative passwords and taking advantage of the fact that many 
devices are configured to allow remote access. It also exploits a known 
vulnerability in D-Link Systems devices, Vykopal said in an e-mail 

A D-Link spokesman said he was not aware of the botnet, and the company 
did not immediately have any comment on the issue.

Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can 
infect an MIPS-based device running the Linux operating system if its 
administration interface has a weak username and password, he said. This 
MIPS/Linux combination is widely used in routers and DSL modems, but the 
botnet also attacks satellite TV receivers.

Read more here:

I will post updates on this as I discover them on my blog, under this 
same post, here:


More information about the NANOG mailing list