"routers from D-Link"
Well that's Virgin stuffed then! Their nasty, little free router is already setup with "admin/password" by default so I can see some busy days at Virgin getting those sorted out.
Security researchers have discovered a rare strain of router-rooting malware that targets network devices running either Linux or Unix. The malware, which poses as an Executable and Linkable Format (ELF) file, carries out a brute-force attack on router user name-password pairs from compromised PCs. If successful, the malware …
I have Virgin but I just hook in direct to the cable modem which is on the line. Anything local network can't get to that point because the wireless router I use blocks such things (why would someone on the local WAN need to touch my cable modem? Unless there's a problem with my cable modem... in which case I have to be sitting in front of it to reboot it / re-cable it / test it anyway.
Seriously does ANYONE use the bundled junk that comes with an ADSL connection? Most people I know end up popping down to PC World (yuk!) and buying a better router as one of the first things they do when they get Internet. My workplace has dual-ADSL2+ business lines from BT. One of the router's they supplied hasn't even been out of the box, the other one only to see what junk they were peddling for installation (BT OpenZone = put router back in the box). And same config there - frontline routers (in this case a load-balancing Linux PC) connect to modems that *aren't* accessible from the local net in any way.
Stupid people with stupid hardware with stupid passwords running stupid security settings and doing stupid things despite incessant warnings. Amazing how much in the world of IT can be accounted for by that select group.
Actually, my draytek couldn't cope with the 50mbit, so I stuck with the dlink and stuck dd-wrt on it. Everything is very very reliable on it, and never needs a reboot (only if I start messing with settings, etc, even this dd-wrt seems not to need reboot for most settings). So I'd say the dlink routers virgin supply are not too bad!
>Seriously does ANYONE use the bundled junk that comes with an ADSL connection
My next door neighbour will be, for a start. He's just been sold a talktalk service and they sent him a nice little box pre-programmed with his username, passworm, ssid, wpa key. He won't change any of it "in case they don't like me to". And why should he? This way when it goes tits up it will be their problem.
I've installed DD-WRT on the WRT54G wireless routers. Works like a charm. Won't overcome the hardware's inherent desire to lock up after a few weeks of heavy use, so manual reboots are still required. :( At least it mitigates it some (they were locking up nearly daily before).
Wonder if a Buffalo DD-WRT-based cable modem is amongst the list of targets....
Insecure PCs by no means. Idiot users. It takes a lot of effort to get malware to install on a computer (2 "run" clicks, one for the download/save, one for the "you're being an idiot, you sure you want to run this malware?" popup), not to mention finding the virus in the first place.
The trojan is an ELF executable, presumably for whichever processor runs in the Dlink router, but the vector to get it in there would appear to be a compromised MS Windows system that then attempts to brute-force access to the router. So there are actually two components, one of which infects a windows system, and the second of which is installed on the router by the first.
True, according the Trend Micro site it is indeed a Linux executable file.
But it is unclear just how it gets on to the user's PC, and then how it is made executable and finally run. Presumably you also need a major browser flaw to allow such a range of actions to run from a poisoned web site?
You are missing the bigger picture.
It will run on the router that your Microsoft machine is plugged into which raises all sorts of security issues. A Trojan running on your router recording your traffic affects all the machines plugged into it regardless of OS.
Plus, not to mention router based web redirects to spyware laden websites WILL affect your Windows machine in time.
The Windows box gets compromised and then attempts a brute force attack on the router on its network and THEN that is compromised with the ELF binary. If the router has a quality password then the attempt will fail
How is this NOT a windows problem.
As mentioned below theoretically other OSs could be compromised but let's be realistic.
No, it really *is* an ELF file. ELF is just the format used by executable binary program files on Linux, so saying that it "poses as an ELF" means that you're claiming it poses as an executable program. Well, it could be doing that, if it was a shell or perl script or similar that was only pretending to be a real executable program, but according to the threat encyclopedia entry you linked to it isn't; it really is an executable binary.
How does this router routing malware get onto the target system?
> ELF_TSUNAMI.R
> This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.
> It connects to Internet Relay Check (IRC) servers.
> Exploits known vulnerability in the D-LINK DWL-9000AP+ Internet router
Well doh, I must stop downloading and installing unknown ELF files and allowing my servers to connect to IRC servers, whilst logged in as root ..
ref:
http://about-threats.trendmicro.com/Malware.aspx?language=us&name=ELF_TSUNAMI.R
I wonder how some one in his right mind would trust this company ? I know, the announce is made specifically for Windows users but, come on people from Trend Micro, anyone who has a minimal knowledge of Linux/Unix will smell the (security) farce.
How should I put this to you, an ELF file does not run on Windows. In order to bring it into my Linux device, I have to download it somehow and the Linux router would not help me with this. I would need a Windows machine (yes, a Linux, Mac or *BSD will do just fine but then there would be no point for your anti-virus scanning it). Then I'll have to get a shell on my router, preferably with root privileges, put my elf there and... no Windows fans, you can't just run it just because it's an executable, you'll have to modify its file attributes in order to make it really executable.
So as you can all see, a lot of hurdles for a poor Linux malware to do its devious deeds.
Hmm let me see so they run embeded windows do they.. They run a linux kernel. it's well disguised of course but none the less it is a linux kernel. I got a d-link somewhere that died or at least ended up needing rebooting every blinking day, don't think it could handle my 8mbit upgrade.
Mind you the router I have in at the moment I think I need to hard reset it got some unnamed port forwards most odd.
The original article refers to DWL900AP+. DWL-900AP+ is not a router it is an AP (there's a hint in the name, chaps). And a rather old one at that, not one I expect to find in common use in 2011 - even I've got rid of mine.
The same hardware with a different badge was also one version of the Linksys WAP11 AP - you could swap firmware between them. 11 for 11Mbit, and WEP only. It's *that* old.
There is no meaningful detail in their article about how the malware actually gets to execute its brute force attacks on the router.
From the Trend Micro page:
"It connects to Internet Relay Check (IRC) servers."
I don't think so.
The AV cowboys don't know the difference between an AP and a router, and don't know what IRC is short for.
I tried to point this out on their "satisfaction survey: comments" page but it keep losing my input.
Way to go, Trend Micro.
"I have trouble believing there are any routers running Unix."
Is a BSD a UNIX in your book? Is a Linux a UNIX in your book? A wide variety of BSD-based and Linux-based router software is available.
Yes, and no, maybe.
The attack is just a brute force assault on whatever password is set for your router. As such, it wouldn't qualify as a vulnerability, were it not for the fact that most end-users probably have incredibly weak passwords on their routers. (Other commenters have noted the social reaons for this.)
To mitigate this risk, the default setting for all routers on the market (AFAIK) is to block administrative access from the internet-facing side. (There's almost no reason to let anyone configure your router from the outside!) Access is only permitted from the LAN side, where your own desktop computer is. So the point of this attack is to compromise a box on the LAN side, which is where Windows comes in, from where a brute force assault on the router password is at least possible. Then, once the router password is known, this ELF file is deployed. It's the payload, not the attack mechanism.
So you can see that if you are running Windows on the LAN side and your router is protected by a weak password and it is running something sufficiently Linux-like to allow the ELF to be dropped on it, you will be vulnerable.
But setting a decent password on your router will block the attack. Make up a really long one and write it down on a sticky label and stick it to the router. No malware can read sticky labels, but you can, so that's easily the best compromise between security and convenience.
I was impressed by mum's commodity telco. Her new ADSL modem came with a proper hard password already set and a refernce card with said password to be stored in a safe place.
It would not be hard for even the cheapest modem to make a password reset mandatory as soon as you log in to connect to your ISP.
Come on, it's not hard to fill in the gaps.
Your windows box gets infected with malware. Said malware tries to brute force weak passwords on specific routers/ap's. If successful it uploads an Elf binary to it, presumably so it can man in the middle you and report back to an IRC server for c&c.