[CWN-Summit] Re: FYI: OpenWRT/DDWRT-based botnet causing DDOS attack

L. Aaron Kaplan aaron at lo-res.org
Tue Mar 24 19:39:36 CDT 2009


as far as I understood it, this was mostly ssh brute force attacks or
default pwds or just telnet open on the WAN port, no?
(http://www.adam.com.au/bogaurd/PSYB0T.pdf)

A.K.A: totally *lame* and nothing new.

Of course you have to set a proper pwd on your router. You should also  
use a seatbelt when driving *at least* (OpenBSD users would recommend  
an additional helmet) ;-)
The bad thing about embedded wifi routers is that they don't have any  
update mechanism as on the Mac or Windows or Linux.
And they blink anyway all the time, no chance to see from the outside
that something is wrong.

Yes, well known problem.

And time for an openwrt CERT.
Anybody interested in pentesting openwrt? I think that is the only chance
we have to make it better.

I know of at least one other vuln in openwrt which was only fixed  
recently but of course there are many out there which are not fixed yet.

I hope all of you changed the default pwd on your DSL routers. (?) If
not, now is the time to check if you can still get its web page and
if you can still log in.

a.


On Mar 24, 2009, at 8:02 PM, Ben West wrote:

> Here is a cached copy (via Yahoo) of the DroneBL announcement at
> http://www.dronebl.org/blog/8
>
> This provides details of how the botnet infects more machines.  They
> estimate *100,000* infected machines!
>
> http://74.6.239.67/search/cache?ei=UTF-8&p=http%3A%2F%2Fdronebl.org%2Fblog%2F8&fr=ubuntu&u=dronebl.org/blog/8&d=XjpWTp2uSg7q&icp=1&.intl=us
>
> On Tue, Mar 24, 2009 at 1:53 PM, Ben West <westbywest at gmail.com>  
> wrote:
>> From Slashdot:
>>
>> "The people who bring you the DroneBL DNS Blacklist services, while
>> investigating an ongoing DDoS incident, have discovered a botnet
>> composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices
>> all appear to be vulnerable. What makes this worm impressive is the
>> sophisticated nature of the bot, and the potential damage it can do
>> not only to an unknowing end user, but to small businesses using
>> non-commercial Internet connections, and to the unknowing public
>> taking advantage of free Wi-Fi services. The botnet is believed to
>> have infected 100,000 hosts." A followup to the article notes that the
>> bot's IRC control channel now claims that it has been shut down,
>> though the ongoing DDoS attack on DroneBL suggests otherwise.
>> http://it.slashdot.org/article.pl?sid=09/03/23/2257252&art_pos=14
>>
>> Here is a related post on DDWRT forums.
>> http://www.dd-wrt.com/phpBB2/viewtopic.php?p=278399
>>
>> Here is the announcement from DroneBL.
>> http://www.dronebl.org/blog/8
>>
>> The dronebl site being attacked is not available, probably because of
>> DDOS attack itself and slashdot effect, but apparently you can tell if
>> your router has been compromised if you can no longer SSH in.
>>
>> Another compelling argument for using long, complex passwords on any
>> login port you open up to the outside, or at least key-based login.
>>
>> --
>> Ben West
>> westbywest at gmail.com
>>
>
>
>
> -- 
> Ben West
> westbywest at gmail.com
> _______________________________________________
> CWN-Summit mailing list
> CWN-Summit at lists.cuwireless.net
> http://lists.chambana.net/cgi-bin/listinfo/cwn-summit
>
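As an added example (not from this thread, and not OpenWrt's own code): a POSIX sh audit of the OpenWrt dropbear config for the two exposures discussed above, password logins that can be guessed and an SSH listener reachable from the WAN side. It assumes the standard /etc/config/dropbear UCI options PasswordAuth, RootPasswordAuth and Interface; the weak and hardened sample configs are constructed here.

```shell
#!/bin/sh
# Audit an OpenWrt dropbear UCI config (assumed layout of /etc/config/dropbear).

uci_option() {  # $1 = config file, $2 = option name; prints the last value found
    sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}$2[[:space:]]\{1,\}['\"]\{0,1\}\([^'\"[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

is_enabled() {  # UCI booleans: off/0/no/false disable; anything else, including unset, enables
    case "$1" in off|0|no|false) return 1 ;; *) return 0 ;; esac
}

# Returns 0 when the config is hardened, 1 when it still allows password
# logins or lets dropbear listen on every interface (WAN included).
audit_dropbear_config() {
    rc=0
    if is_enabled "$(uci_option "$1" PasswordAuth)"; then
        echo "WEAK: PasswordAuth is on; set it to 'off' and install an authorized key"
        rc=1
    fi
    if is_enabled "$(uci_option "$1" RootPasswordAuth)"; then
        echo "WEAK: RootPasswordAuth is on; root must not be reachable by password"
        rc=1
    fi
    iface=$(uci_option "$1" Interface)
    if [ "$iface" != lan ]; then
        echo "WEAK: Interface is '${iface:-unset}'; dropbear also listens on WAN, set it to 'lan'"
        rc=1
    fi
    return $rc
}

# Constructed samples: a default-like weak config and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
EOF
cat > "$HARD_CFG" <<'EOF'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
    option Interface 'lan'
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"; audit_dropbear_config "$f" || echo "-> needs hardening"
done
```

On a real router run `audit_dropbear_config /etc/config/dropbear` and, after changing options, `/etc/init.d/dropbear restart` from a session you keep open until a key login has been confirmed.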
