Fwd: [IP] Summary of what I know so far about the Linksys botnet and/or worm
Any comments?

---------- Forwarded message ----------
From: Dave Farber <dave@farber.net>
Date: Fri, Apr 11, 2014 at 8:13 PM
Subject: [IP] Summary of what I know so far about the Linksys botnet and/or worm
To: ip <ip@listbox.com>

---------- Forwarded message ----------
From: Brett Glass <brett@lariat.net>
Date: Wednesday, February 12, 2014
Subject: Summary of what I know so far about the Linksys botnet and/or worm
To: "Eugene H. Spafford" <spaf@acm.org>, "dave@farber.net" <dave@farber.net>
Cc: security@linksys.com

Gene, Dave:

Here is what I know so far about the Linksys router exploit that I've been observing in the wild today.

* The exploit has affected Linksys E1000 and E1200 routers that have public IP addresses on our network. Those which we've shielded behind carrier-grade NAT (the majority) have not been compromised.

* The routers are rapidly scanning blocks of IP addresses for Web servers on ports 80 and 8080. This choice of ports seems to indicate that they are looking for other routers of their ilk to infect. It's unclear whether, once they find a vulnerable router, they infect it themselves or report its IP address back to a botmaster for later infection. I suspect the latter, though, because infection would require flashing the router with a modified firmware image that would be model-specific, and there is not room in a router for multiple images. It's also likely that a central server is coordinating the scans.

* All of the E1000s that have been affected have the last version of firmware that was made for this now-discontinued model. The affected E1200s have firmware version 1.0.03 (the last one published for hardware version 1) or 2.0.04 (not the latest for hardware version 2, but close; there's now a 2.0.06. I do not know if 2.0.06 stops the exploit because we have no E1200s running it with public IPs). We have not seen any E900s infected, even though the E900 and the E1200 use the same hardware.

* None of the infected routers had default or easily guessable passwords, suggesting that the backdoor or security hole through which the exploit was performed did not require guessing a password.

* Re-flashing routers and resetting them to factory defaults SEEMS to clear the malware, but of course one cannot be 100% sure that it does not protect itself from re-flashing.

* These routers use Broadcom chipsets and Wind River's RTOS operating system, and it wasn't swapped for a Linux-based one, so the creators of the malware must be skilled in development for this OS -- or at least sufficiently skilled to modify the firmware.

At this point, it appears that those who implemented this exploit are still building an "army" and have not used it for anything yet. However, there are so many millions of these routers in the field, with so many private networks behind them, that there's no telling just how much havoc they could wreak if they were set to invasion of privacy, DoS attacks, etc.

I haven't been able to get in touch with anyone at Linksys to talk about this. Their support techs are all in remote call centers in far-flung corners of the world, and I have not been able to get them to escalate.

--Brett Glass

--
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
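The observable the report above gives a network operator is infected routers with public addresses sweeping address blocks on ports 80 and 8080, while routers behind carrier-grade NAT were untouched. The following is an added example, not part of the thread, showing how an operator could flag that pattern from flow records: it slides a 60-second window over each source's web-port connections, reports sources that reach many distinct destinations, and labels each one by whether it sits in the public pool or the CGNAT space. The flow records, the public pool prefix (203.0.113.0/24 as a stand-in for the ISP's own range) and the thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows, not captured traffic: (epoch seconds, src IP, dst IP, dst port).
FLOWS = [(1000 + i // 10, "203.0.113.10", f"198.51.100.{i}", 80 if i % 2 else 8080)
         for i in range(1, 41)]                          # 40 distinct targets in ~5 s: sweep-like
FLOWS += [(1000 + i, "203.0.113.20", "198.51.100.200", 80) for i in range(40)]  # one site, repeated: normal
FLOWS += [(1000, "203.0.113.30", "198.51.100.5", 443)]    # not a web port, ignored

WEB_PORTS = {80, 8080}
PUBLIC_POOL = ipaddress.ip_network("203.0.113.0/24")   # placeholder for the ISP's public customer pool
CGNAT = ipaddress.ip_network("100.64.0.0/10")          # RFC 6598 shared address space behind CGNAT

def scanning_sources(flows, window=60, min_targets=20):
    """Map each source that reached >= min_targets distinct destination IPs on
    ports 80/8080 within any `window`-second span to its peak distinct count."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in WEB_PORTS:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)      # dst -> occurrences currently inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # expire events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(in_window))
    return hits

def exposure(src):
    """Classify a source by reachability: in the public pool, behind CGNAT, or other."""
    ip = ipaddress.ip_address(src)
    if ip in CGNAT:
        return "cgnat"
    return "public" if ip in PUBLIC_POOL else "other"

def report(flows):
    """Flagged sources with their peak distinct-target count and exposure class."""
    return {src: (n, exposure(src)) for src, n in scanning_sources(flows).items()}

if __name__ == "__main__":
    for src, (n, where) in report(FLOWS).items():
        print(f"{src} ({where}) reached {n} distinct hosts on 80/8080 within 60 s")
```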
Sounds like: https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+...

g

On Sat, 12 Apr 2014 00:32:55 -0400 Joly MacFie <joly@punkcast.com> wrote: