Fwd: [IP] Summary of what I know so far about the Linksys botnet and/or worm

Joly MacFie joly at punkcast.com
Sat Apr 12 04:32:55 UTC 2014


Any comments?

---------- Forwarded message ----------
From: Dave Farber <dave at farber.net>
Date: Fri, Apr 11, 2014 at 8:13 PM
Subject: [IP] Summary of what I know so far about the Linksys botnet and/or
worm
To: ip <ip at listbox.com>




---------- Forwarded message ----------
From: *Brett Glass* <brett at lariat.net>
Date: Wednesday, February 12, 2014
Subject: Summary of what I know so far about the Linksys botnet and/or worm
To: "Eugene H. Spafford" <spaf at acm.org>, "dave at farber.net" <dave at farber.net>
Cc: security at linksys.com


Gene, Dave:

Here is what I know so far about the Linksys router exploit that I've been
observing in the wild today.

* The exploit has affected Linksys E1000 and E1200 routers that have public
IP addresses on our network. Those which we've shielded behind
carrier-grade NAT (the majority) have not been compromised.

* The routers are rapidly scanning blocks of IP addresses for Web servers
on ports 80 and 8080. This choice of ports seems to indicate that they are
looking for other routers of their ilk to infect. It's unclear whether,
once they find a vulnerable router, they infect it themselves or report its
IP address back to a botmaster for later infection. I suspect the latter,
though, because infection would require flashing the router with a modified
firmware image that would be model-specific and there is not room in a
router for multiple images. It's also likely that a central server is
coordinating the scans.

* All of the E1000s that have been affected have the last version of
firmware that was made for this now-discontinued model. The affected E1200s
have firmware version 1.0.03 (the last one published for hardware version
1) or 2.0.04 (not the latest for hardware version 2, but close; there's now
a 2.0.06. I do not know if 2.0.06 stops the exploit because we have no
E1200s running it with public IPs). We have not seen any E900s infected,
even though the E900 and the E1200 use the same hardware.

* None of the infected routers had default or easily guessable passwords,
suggesting that the backdoor or security hole through which the exploit was
performed did not require guessing a password.

* Re-flashing routers and resetting them to factory defaults SEEMS to clear
the malware, but of course one cannot be 100% sure that it does not protect
itself from re-flashing.

* These routers use Broadcom chipsets and Wind River's RTOS operating
system, and it wasn't swapped for a Linux-based one, so the creators of the
malware must be skilled in development for this OS -- or at least
sufficiently skilled to modify the firmware.

At this point, it appears that those who implemented this exploit are still
building an "army" and have not used it for anything yet. However, there are
so many millions of these routers in the field, with so many private
networks behind them, that there's no telling just how much havoc they
could wreak if they were set to invasion of privacy, DoS attacks, etc.

I haven't been able to get in touch with anyone at Linksys to talk about
this. Their support techs are all in remote call centers in far-flung
corners of the world, and I have not been able to get them to escalate.

--Brett Glass
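A defender-side check, added here as an example and not part of the original thread, for spotting the sweeping behaviour Brett describes in flow or firewall logs: one source contacting many distinct hosts on ports 80 and 8080 within a short window. The sliding-window length, the distinct-target threshold and the sample flow records are assumed/constructed, not taken from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {80, 8080}          # ports the infected routers were probing
WINDOW = timedelta(minutes=5)    # assumed sliding window for counting targets
MIN_DISTINCT_TARGETS = 20        # assumed threshold; tune for your network


def build_sample_flows():
    """Constructed flow records (ts, src, dst, dst_port); not real traffic.
    198.51.100.7 sweeps 30 hosts on port 80 in 30 s; 198.51.100.9 is benign."""
    t0 = datetime(2014, 2, 12, 10, 0, 0)
    flows = [(t0 + timedelta(seconds=i), "198.51.100.7", f"203.0.113.{i + 1}", 80)
             for i in range(30)]
    flows += [(t0 + timedelta(minutes=i), "198.51.100.9", f"203.0.113.{i + 1}", 443)
              for i in range(3)]              # HTTPS, outside the watched ports
    flows += [(t0 + timedelta(minutes=i), "198.51.100.9", "203.0.113.50", 80)
              for i in range(25)]             # many hits on ONE server: not a sweep
    return flows


def find_scanners(flows, ports=SCAN_PORTS, window=WINDOW,
                  threshold=MIN_DISTINCT_TARGETS):
    """Return {src: max distinct targets seen in any window} for sources that
    contact at least `threshold` distinct hosts on `ports` within one window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if port in ports:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # advance the left edge until the window spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= threshold:
                scanners[src] = max(scanners.get(src, 0), distinct)
    return scanners


if __name__ == "__main__":
    for src, n in find_scanners(build_sample_flows()).items():
        print(f"{src}: {n} distinct web targets within {WINDOW}")
```

Hosts flagged this way are candidates for isolation behind CGNAT or re-flashing as described above, after confirming the traffic is not a legitimate crawler or monitoring system.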







-- 
---------------------------------------------------------------
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
 VP (Admin) - ISOC-NY - http://isoc-ny.org
---------------------------------------------------------------


