Botnet Runs through Routers with Ease

Friday, May 15, 2015 @ 04:05 PM gHale

Large botnets pushing out distributed denial-of-service (DDoS) attacks are using insecure routers distributed from Internet Service Providers, researchers said.

Bad traffic targeting 60 of its users over a 121-day period came from 40,269 IP addresses belonging to 1,600 ISPs over 109 countries, said researchers at website security company Incapsula.

Barracuda fixes MitM Holes
Router Software has Bug Issue
Misconfigured DNS Servers Vulnerable
Brute Force Attacks: Trawling for Passwords

The botnet mainly came from ARM-based Ubiquiti devices, which led security researchers to think the attackers exploited a vulnerability in the firmware.

However, after inspecting the situation, researchers found all of them could end up accessed remotely on the default ports via HTTP and SSH, which opened the door for remote attacks.

The botnet operators did not have to make too much effort to find a way in, though, because almost all routers ended up protected with the default credentials from the vendor.

“This combination of faulty practices invites trouble. At the risk of overstating the obvious, this level of access lets any perpetrator easily: Eavesdrop on all communication, perform man-in-the-middle (MitM) attacks (e.g., DNS poisoning), hijack cookies, gain access to local network devices (e.g., CCTV cameras),” the researchers said.

The most prevalent piece of malware discovered on the compromised devices was Mr. Black, also known as Spike, a denial-of-service bot. It was present on 86.5 percent of the devices.

Based on the research results, it is possible that multiple individuals or groups exploit the insecurity of the devices because Incapsula found other DoS kits, such as Dofloo and Mayday, although in a much smaller percentage, 5.48 percent and 2.84 percent, respectively.

Incapsula’s efforts led to the discovery of 60 command and control (C&C) servers, a large part of them (73 percent) located in China and 21 percent operating from the U.S. As far as the geolocation of the controlled routers goes, most of them were from Brazil (64 percent) and Thailand (21 percent).

Leave a Reply

You must be logged in to post a comment.