back to article Router-rooting malware pwns Linux-based network devices

Security researchers have discovered a rare strain of router-rooting malware that targets network devices running either Linux or Unix. The malware, which poses as an Executable and Linkable Format (ELF) file, carries out a brute-force attack on router user name-password pairs from compromised PCs. If successful, the malware …


This topic is closed for new posts.
  1. Anonymous Coward

    "routers from D-Link"

    Well that's Virgin stuffed then! Their nasty, little free router is already setup with "admin/password" by default so I can see some busy days at Virgin getting those sorted out.

    1. Lee Dowling Silver badge


      I have Virgin but I just hook in direct to the cable modem which is on the line. Anything local network can't get to that point because the wireless router I use blocks such things (why would someone on the local WAN need to touch my cable modem? Unless there's a problem with my cable modem... in which case I have to be sitting in front of it to reboot it / re-cable it / test it anyway.

      Seriously does ANYONE use the bundled junk that comes with an ADSL connection? Most people I know end up popping down to PC World (yuk!) and buying a better router as one of the first things they do when they get Internet. My workplace has dual-ADSL2+ business lines from BT. One of the router's they supplied hasn't even been out of the box, the other one only to see what junk they were peddling for installation (BT OpenZone = put router back in the box). And same config there - frontline routers (in this case a load-balancing Linux PC) connect to modems that *aren't* accessible from the local net in any way.

      Stupid people with stupid hardware with stupid passwords running stupid security settings and doing stupid things despite incessant warnings. Amazing how much in the world of IT can be accounted for by that select group.

      1. Martin 76

        The dlink aint too bad

        Actually, my draytek couldn't cope with the 50mbit, so I stuck with the dlink and stuck dd-wrt on it. Everything is very very reliable on it, and never needs a reboot (only if I start messing with settings, etc, even this dd-wrt seems not to need reboot for most settings). So I'd say the dlink routers virgin supply are not too bad!

      2. Anonymous Coward

        @does ANYONE use the bundled junk that comes with an ADSL connection?

        but you are an I T professional

        @Stupid people with stupid hardware with stupid passwords running stupid security settings and doing stupid things

        you mean non IT professional general public

      3. Robert E A Harvey


        >Seriously does ANYONE use the bundled junk that comes with an ADSL connection

        My next door neighbour will be, for a start. He's just been sold a talktalk service and they sent him a nice little box pre-programmed with his username, passworm, ssid, wpa key. He won't change any of it "in case they don't like me to". And why should he? This way when it goes tits up it will be their problem.

    2. The BigYin

      The new routers...

      ...are NetGear. They're still a bit crap though.

      If I didn't rely on it so much, I'd risk DD-WRT install. heck I may buy a second router so if I break it I am not stuffed.

      1. Ammaross Danan


        I've installed DD-WRT on the WRT54G wireless routers. Works like a charm. Won't overcome the hardware's inherent desire to lock up after a few weeks of heavy use, so manual reboots are still required. :( At least it mitigates it some (they were locking up nearly daily before).

        Wonder if a Buffalo DD-WRT-based cable modem is amongst the list of targets....

        1. E 2

          Easy fix for that manual reboot

          Just telnet or ssh into your WRT54G and set up a cron job that reboots the router periodically!

    3. Anonymous Coward

      Im ok i think

      So my dialup connection is safe ?

  2. Anonymous Coward
    Anonymous Coward

    brute forces it from an already compromised PC? *yawn*

    Not really a vulnerability in the router, more a case of stupid people using weak passwords and insecure computers.

  3. paulc

    Note the true common theme...

    Insecure PCs running MS Windows...

    1. Anonymous Coward
      Anonymous Coward

      I agree,

      but this is a bit of a low-blow. No real need to bring MS into this. Their software is just the vector.

    2. Ammaross Danan

      Insecure PCs

      Insecure PCs by no means. Idiot users. It takes a lot of effort to get malware to install on a computer (2 "run" clicks, one for the download/save, one for the "you're being an idiot, you sure you want to run this malware?" popup), not to mention finding the virus in the first place.

  4. Tom Chiverton 1 Silver badge

    poses as an Executable and Linkable Format (ELF) file

    So, what is it really ?

  5. Coyote

    FAIL troll...


    ELF_Tsunami is an ELF trojan that attempts to exploit or brute force the DWL-900 series routers, presumable to open ports and allow connection to the backdoor on the compromised linux box.

    It won't run on windows.

    1. Peter Gathercole Silver badge


      The trojan is an ELF executable, presumably for whichever processor runs in the Dlink router, but the vector to get it in there would appear to be a compromised MS Windows system that then attempts to brute-force access to the router. So there are actually two components, one of which infects a windows system, and the second of which is installed on the router by the first.

    2. Paul Crawford Silver badge

      ELF but how is it run?

      True, according the Trend Micro site it is indeed a Linux executable file.

      But it is unclear just how it gets on to the user's PC, and then how it is made executable and finally run. Presumably you also need a major browser flaw to allow such a range of actions to run from a poisoned web site?

    3. NoneSuch Silver badge

      To Coyote

      You are missing the bigger picture.

      It will run on the router that your Microsoft machine is plugged into which raises all sorts of security issues. A Trojan running on your router recording your traffic affects all the machines plugged into it regardless of OS.

      Plus, not to mention router based web redirects to spyware laden websites WILL affect your Windows machine in time.

    4. Anonymous Coward
      Anonymous Coward

      It is a Windows problem

      The Windows box gets compromised and then attempts a brute force attack on the router on its network and THEN that is compromised with the ELF binary. If the router has a quality password then the attempt will fail

      How is this NOT a windows problem.

      As mentioned below theoretically other OSs could be compromised but let's be realistic.

  6. Anonymous Coward
    Dead Vulture

    Parse error near "poses as an ELF file"

    No, it really *is* an ELF file. ELF is just the format used by executable binary program files on Linux, so saying that it "poses as an ELF" means that you're claiming it poses as an executable program. Well, it could be doing that, if it was a shell or perl script or similar that was only pretending to be a real executable program, but according to the threat encyclopedia entry you linked to it isn't; it really is an executable binary.

  7. doperative

    Linux router routing malware

    How does this router routing malware get onto the target system?


    > This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

    > It connects to Internet Relay Check (IRC) servers.

    > Exploits known vulnerability in the D-LINK DWL-9000AP+ Internet router

    Well doh, I must stop downloading and installing unknown ELF files and allowing my servers to connect to IRC servers, whilst logged in as root ..


  8. Anonymous Coward

    Reading Trend Micro announce

    I wonder how some one in his right mind would trust this company ? I know, the announce is made specifically for Windows users but, come on people from Trend Micro, anyone who has a minimal knowledge of Linux/Unix will smell the (security) farce.

    How should I put this to you, an ELF file does not run on Windows. In order to bring it into my Linux device, I have to download it somehow and the Linux router would not help me with this. I would need a Windows machine (yes, a Linux, Mac or *BSD will do just fine but then there would be no point for your anti-virus scanning it). Then I'll have to get a shell on my router, preferably with root privileges, put my elf there and... no Windows fans, you can't just run it just because it's an executable, you'll have to modify its file attributes in order to make it really executable.

    So as you can all see, a lot of hurdles for a poor Linux malware to do its devious deeds.

  9. Tigra 07
    Thumb Up


    Chuck Norris Botnet!

    I bet that packs a punch!

  10. ysth

    Routers running Unix?

    I have trouble believing there are any routers running Unix.

    1. Anonymous Coward
      Anonymous Coward

      Ignorance must indeed be bliss...

      I have trouble believing that anyone would use anything BUT an embedded *NIX O/S in a router... but they do. ASUS comes to mind.

      1. Anonymous Coward


        Last time I checked, Linux is neither a certified UNIX, nor was it derived from UNIX like the BSDs. Therefore it is merely UNIX-like.

        So as the OP said, I doubt consumer routers use UNIX.

    2. foo_bar_baz

      BSD count?

  11. The Gopher


    Hmm let me see so they run embeded windows do they.. They run a linux kernel. it's well disguised of course but none the less it is a linux kernel. I got a d-link somewhere that died or at least ended up needing rebooting every blinking day, don't think it could handle my 8mbit upgrade.

    Mind you the router I have in at the moment I think I need to hard reset it got some unnamed port forwards most odd.

  12. Anonymous Coward

    @Coyote re "exploit or brute force the DWL-900 series routers,"

    The original article refers to DWL900AP+. DWL-900AP+ is not a router it is an AP (there's a hint in the name, chaps). And a rather old one at that, not one I expect to find in common use in 2011 - even I've got rid of mine.

    The same hardware with a different badge was also one version of the Linksys WAP11 AP - you could swap firmware between them. 11 for 11Mbit, and WEP only. It's *that* old.

    There is no meaningful detail in their article about how the malware actually gets to execute its brute force attacks on the router.

    From the Trend Micro page:

    "It connects to Internet Relay Check (IRC) servers."

    I don't think so.

    The AV cowboys don't know the difference between an AP and a router, and don't know what IRC is short for.

    I tried to point this out on their "satisfaction survey: comments" page but it keep losing my input.

    Way to go, Trend Micro.

    "I have trouble believing there are any routers running Unix."

    Is a BSD a UNIX in your book? Is a Linux a UNIX in your book? A wide variety of BSD-based and Linux-based router software is available.

  13. John Smith 19 Gold badge

    This is *so* wrong.

    It's clearly a case of ELF abuse.

    I know. I've had a lousy day.

    1. The Beer Monster

      ELF and Safety...


  14. Anonymous Coward
    Black Helicopters


    I'm one of those numpties with no programming knowledge. If I were to use DD-WRT on a Linksys WRT54G router, as my son does, would I be vulnerable?

    1. Ken Hagan Gold badge

      Re: DD-WRT

      Yes, and no, maybe.

      The attack is just a brute force assault on whatever password is set for your router. As such, it wouldn't qualify as a vulnerability, were it not for the fact that most end-users probably have incredibly weak passwords on their routers. (Other commenters have noted the social reaons for this.)

      To mitigate this risk, the default setting for all routers on the market (AFAIK) is to block administrative access from the internet-facing side. (There's almost no reason to let anyone configure your router from the outside!) Access is only permitted from the LAN side, where your own desktop computer is. So the point of this attack is to compromise a box on the LAN side, which is where Windows comes in, from where a brute force assault on the router password is at least possible. Then, once the router password is known, this ELF file is deployed. It's the payload, not the attack mechanism.

      So you can see that if you are running Windows on the LAN side and your router is protected by a weak password and it is running something sufficiently Linux-like to allow the ELF to be dropped on it, you will be vulnerable.

      But setting a decent password on your router will block the attack. Make up a really long one and write it down on a sticky label and stick it to the router. No malware can read sticky labels, but you can, so that's easily the best compromise between security and convenience.

  15. Antti Roppola

    Just plain old Bad Design

    I was impressed by mum's commodity telco. Her new ADSL modem came with a proper hard password already set and a refernce card with said password to be stored in a safe place.

    It would not be hard for even the cheapest modem to make a password reset mandatory as soon as you log in to connect to your ISP.

  16. Anonymous Coward

    "Exploits known vulnerability in the D-LINK DWL-9000AP+ Internet router"

    Known, but not identified by Trend?

    Anyone know what Trend are really talking about here? The Trend-published info is just rubbish, and a quick search finds very little detail elsewhere.

  17. tony trolle

    web based ?

    'ant this a web based program that tries to hack the modem from say last year ?

  18. Tim Bates

    Nearly killed me

    Laughed when I saw it effected DLink - I have no respect for them anymore. Between being generally crap products, and having one of their power supplies fall apart in my hands while unplugging it (nearly killing me)... They're just not worth the effort.

  19. Anonymous Coward

    come on retards

    Come on, it's not hard to fill in the gaps.

    Your windows box gets infected with malware. Said malware tries to brute force weak passwords on specific routers/ap's. If successful it uploads an Elf binary to it, presumably so it can man in the middle you and report back to an IRC server for c&c.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021