Backdoor gives attackers admin access to DSL modems/routers

Discussion in 'malware problems & news' started by lotuseclat79, Jan 2, 2014.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  2. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    212
    Linksys has been taking a beating for a long time; who would actually buy their products?
     
  3. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    Does blocking the backdoor's port with the software firewall work?
     
  4. SnowFlakes

    SnowFlakes Registered Member

    Joined:
    Jun 29, 2011
    Posts:
    194
    So how to protect yourself?
    Anyone?
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Purchase your own router (not one of the routers that were compromised) and install DD-WRT and/or Tomato firmware - i.e. check either of the websites for DD-WRT and Tomato for routers that are compatible with either of them firmware-wise before you purchase.

    You will have to slog through configuring the router's new firmware after you install it to set it up to your liking (e.g. port forwarding, etc.).

    -- Tom
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Close the open port 32764.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This problem appears to exist on most DSL modem/routers. I've had several makes and models including Netopia, Westell, Linksys, and Zyxel in the last 8 years. Each has had an undocumented open port that can't be closed with any of the configuration options. The port numbers have included 43287, 54109, 54123, and 65457. I could find no information on the specific open port for any of them. After seeing the leaked documents and some of the discoveries on other brands and models, it's hard to come to any conclusion other than that they're backdoors built into the firmware.
     
  8. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    1. I'm not sure I have successfully blocked this port on my router: which is the best way to be sure?
    2. What about blocking with the software firewall, does it work?

    I mean:
    1. Not with a simple GRC or PcFlank test.
    2. Could the backdoor bypass the software fw block?
     
    Last edited: Jan 7, 2014
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I recommend ALWAYS combining a Router/Modem with a good bidirectional software Firewall :thumb:

    Never allow ANYTHING out without it prompting for access 1st :thumb:

    Make sure it blocks EVERYTHING coming in, unless you requested it :thumb:

    If you read the PDF, it uses both methods :eek:
     
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    I have always done it; I hope that the software fw is enough to block the backdoor.

    :( - I can't download the PDF, it says to me "Sorry, this blob took too long to generate."
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    This type of approach might make for a good New Year's resolution :) Hardware and firmware selection aside, I think it worth adding:

    1) Eliminate wireless use wherever possible, and if you truly can't, use maximum security including MAC address filters on all of your privately acquired APs and client devices.
    2) Don't use the hardware (and where not changed, firmware and/or software) revealing MAC Addresses provided by manufacturers. Change your [wireless] router's MAC Addresses and at least those used by other wireless devices. Reminder: You must not pick MAC addresses at random. Privately acquire old/broken/cheap networking gear to get them and/or carefully consider the option to use locally administered addresses.
    3) Eliminate telco/ISP provided wireless devices including combo wireless routers from your premises. Especially if the telco/ISP is deploying devices with public hotspot functionality.
    4) Disable WiFi based location services in all of your devices.
    5) Periodically change your public IP Address.

    These help protect against some related threats, including the compromise of some other router that affects you via wireless. Helping in-wireless-range neighbors to secure their own systems could be beneficial to you as well.

    At a minimum, the potential for hardware based backdoors would remain. So it might be beneficial to have a secondary means of monitoring the traffic flowing through your router's interfaces. Especially upstream/WAN and, where present, Wireless.
     
    Last edited: Jan 4, 2014
  12. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    With regard to not picking a spoofed MAC address at random, at least one tool I know of (macchanger) can be given an option that uses the original MAC address' manufacturer, but otherwise creates the rest of the MAC address randomly from a given set of characters. Macchanger can work on all Linux or Unix-like systems - I do not know if it has been ported to Windows or Mac systems though, or if there is a comparable tool to it for those systems.

    -- Tom
     
  13. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  14. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Thanks siljaline!

    Just a heads-up for those attempting to run the poc.py after download - i.e. it is really an HTML file, so you need to rename the downloaded poc.py file to poc.py.html, and then open it with your web browser. Inside the HTML webpage for poc.py.html you will find a 139-line poc.py Python script which can be run in a command line Terminal window with the command:
    Code:
        $ python poc.py --ip <router ip address>

    Note: The Python executable needs to be installed to execute the poc.py Python script, and if you don't know what your router's default IP address is from your computer, you can ask your ISP by telephone, or try several IP addresses in the range: 192.168.1.1, 192.168.1.2, etc. - unless you have installed your own router, then you are on your own.

    -- Tom
     
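    As an added example (not part of this thread and not the poc.py it discusses), here is a LAN-side check that only attempts a TCP connect to the ports named in this thread and reports which ones accept connections; it sends nothing to the port, and the default gateway address 192.168.1.1 is an assumption you can override on the command line.

```python
# Added example: report which of the undocumented ports mentioned in this
# thread accept TCP connections on the router, from the LAN side.
# It performs a plain connect and closes immediately; no data is sent.
import socket
import sys
from typing import Dict, Iterable

# 32764 is the port from the article; the others are the undocumented
# ports noone_particular reported on Netopia/Westell/Linksys/Zyxel units.
THREAD_PORTS = (32764, 43287, 54109, 54123, 65457)


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def check_router(host: str, ports: Iterable[int] = THREAD_PORTS,
                 timeout: float = 2.0) -> Dict[int, bool]:
    """Map each port to whether it accepts connections on host."""
    return {p: port_open(host, p, timeout) for p in ports}


def summarize(results: Dict[int, bool]) -> str:
    """Human-readable one-line-per-port summary of check_router() output."""
    lines = [f"{port:5d}: {'OPEN' if is_open else 'closed'}"
             for port, is_open in sorted(results.items())]
    flagged = [p for p, o in results.items() if o]
    lines.append("undocumented listeners found: "
                 + (", ".join(map(str, flagged)) if flagged else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed default gateway; pass your router's LAN address to override.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(f"checking {router} ...")
    print(summarize(check_router(router)))
```

A port that accepts connections from the LAN is not necessarily reachable from the WAN; this check says nothing about Internet exposure, which is the separate question raised later in the thread.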
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Apart from five models, it's all local, if that.
    Mrk
     
  16. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    Any answer?
     
  17. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi blacknight,

    You can test all of your ports from an external test port scan at Test Your Firewall.

    Use the Advanced Port Scanner at PCFlank.com.

    -- Tom
     
  18. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    152
    Blocking the port (outgoing) with a software firewall would only protect against your computer inadvertently causing the attack (e.g. being tricked through a malicious website). If the attack is feasible remotely (I'm not suggesting it is, but the article does seem to imply it can be for particular models), then a software firewall will do nothing as the attack is directly against the router.

    Regarding (1), I thought MAC address filters were proven to give no extra security, or only a false sense of security, as they can easily be spoofed.

    As for (2), is that so remote attackers cannot determine who manufactured your router and therefore misdirect their attack against a specific vendor? Is there a way for a remote attacker to get your router's MAC address?

    For (3), I'm not so sure using such devices is necessarily bad ... at least the ISPs push out firmware updates which would help protect those who don't otherwise worry about security patches.
     
  19. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Looking at the first link siljaline posted, I just had to put http://192.168.0.1:32764/ into my web browser to see if anything popped up, but I just got a "problem connecting" message, so my Netgear DGN 2200 is safe/OK.
     
  20. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Hoping the information provided was of some benefit to you.
     
  21. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Same result for me.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    As long as there are closed ports on the computer, a router and a software firewall can open all ports in their little corner for what I care. :)
     
  23. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Do they not provide extra security in cases where an adversary doesn't know about this or isn't set up to do this or forgets to do this or doesn't know what MAC Address to spoof? If we know there are other cases where an adversary could/would bypass them through spoofing (I assumed the reader knows this, now you've made the point explicit) but still use them for their "partial protection", do we have a false sense of security?

    There may be purchase and/or tech-support records that reveal owner information for a given MAC Address. Such records, perhaps even more easily acquired knowledge about the range of MAC Addresses currently being assigned to specific types of devices, could also help a potential adversary know specifics about the device. Just knowing manufacturer might help someone choose the correct approach to exploit a hardware backdoor or other vulnerability. Just knowing manufacturer can, in some scenarios, help someone to zero in on the desired target. For all of those reasons I think it best not to use original MAC Addresses.

    I suppose that depends on what you mean by remote attacker. I was/am thinking broadly. Your ISP modem will see the MAC Address. I'd have to refresh my memory on DSL & Cable protocols to correctly identify whether and how said MAC Address might make it further to the ISP. IIRC, it would be sent as payload in DHCP requests. I believe, depending on how IPv6 address assignment is done, hardware identifiers are embedded within IPv6 addresses (including non-link-local ones).

    http://packetlife.net/blog/2008/aug/4/eui-64-ipv6/
    https://ietf.org/doc/draft-ietf-6man-stable-privacy-addresses/?include_text=1

    MAC Addresses are revealed via wireless communications to within-wireless-range parties. Nearby AP/router MAC Addresses along with signal strength are sent to remote location service providers. Client device MAC Addresses are phoned home in some scenarios. Although the sub-discussion involved non-manufacturer firmware without such features, some off the shelf routers have cloud features which may phone home MAC Addresses.

    I would say it is a violation of fundamental privacy/security principles and best practices. However, if it comes down to two bad choices: a) No one manages/updates the user's router, b) An ISP controls/manages/updates the user's router... then indeed b) may be the less bad choice. Assuming said ISP actually does this well and doesn't abuse their access by inserting a backdoor, collecting information they shouldn't, etc. To me, this discussion isn't meant for users who would limit their options to those two bad choices.
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Last edited: Jan 7, 2014
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978