Chuck Norris Botnet and Broadband Routers

Rob Thomas robt at
Mon Feb 22 15:50:02 UTC 2010

Hi, team.

William Pitcock wrote:
> On Mon, 2010-02-22 at 16:21 +0200, Gadi Evron wrote:
>> Last week Czech researchers released information on a new worm which 
>> exploits CPE devices (broadband routers) by means such as default 
>> passwords, constructing a large DDoS botnet. Today this story hit 
>> international news.
> What makes this any different than psyb0t, which was discovered in the
> wild last year?

Or Coldlife aka Coldbot, which dates back to circa 2004 (at least)?  It
came bundled with a list of 2K+ compromised routers.

Secure your routers, folks!  This includes D-Link, Juniper, and Cisco.
They're all targets, and regularly exploited.

Juniper:  SSH brute force, some telnet (ugh!) brute force.
Cisco:  telnet and SSH brute force, some old web bugs.



Updates and suggestions welcome!

Compromised routers are useful for DoS, sure, but more useful as proxies
and IRC bounces.  Remember the first big wave of DNS amplification
attacks against Stormpay, et al.?  That same perp built a large overlay
network of tunnels between compromised routers (most of which spoke eBGP).

Concerned that your routers might be compromised?  Send us a note at
team-cymru at and we'll let you know what we've seen.  We'll need
your ASN(s) or CIDR block(s).

Rob Thomas
Team Cymru
ASSERT(coffee != empty);

More information about the NANOG mailing list