Use home networking kit? DDoS bot is BACK... and it has EVOLVED

A router-to-router bot first detected two years ago has evolved - and now has the capability to reconfigure the firewalls of its victims. The Lightaidra malware captured by security researcher TimelessP (@TimelessP) is an IRC-based mass router scanner/exploiter that's rare because it spreads through consumer network devices …

  1. DNTP

    I for one am shocked- SHOCKED- to believe large ISPs installing home network devices would simply leave them set to DEFAULT PASSWORDS.

    Or that ANY home user would TOLERATE that situation.

    1. IDoNotThinkSo

      I'd be even more shocked, SHOCKED, I tell you, if there were unpatched vulnerabilities in these home network devices which left them vulnerable to attack even without the default passwords...

      1. MrZoolook

        I'm not shocked at all. Especially considering that given the option to change login details, even the US military didn't bother to change their software from default login values...

    2. Primus Secundus Tertius

      Cars and computers

      For all I know there is a hard-wired password in my car that will make it engage reverse gear on the motorway. But I am not an expert on cars.

      Equally, the vast majority of computers and routers are sold to non-experts.

      In Britain the Trades Description Act requires that items sold retail be "basically fit for purpose". Whether a weak password breaks that law is debatable.

      1. brooxta

        Re: Cars and computers

        I think it's called reverse (gear) engaging.

    3. Lord Lien

      "Or that ANY home user would TOLERATE that situation." Most "home" users are not as tech savvy as the people that read The Register. So long as their internet works the average Joe would be oblivious if their home router was hackable.

  2. admiraljkb

    ISPs, when leasing equipment to the end user, technically would have an obligation to keep it up to date for security purposes. That includes no default passwords and providing firmware updates to close security loopholes.

    The last "Residential Gateway" device I received from ATT a couple of months ago was actually secured fairly well on the defaults front. It was a forced upgrade off the old one that wasn't supported any longer. That old one when I got it wasn't secured in the slightest. So I'm at least seeing progress on this front. Hopefully other ISPs are also *starting* to finally take at least basic security seriously...

    1. Grease Monkey Silver badge

      It's a shocking thought but BT home routers don't have a standard default password and do get updated automatically.

      On the subject of default passwords every manufacturer could do what BT and some other ISPs do and ship each router with a different default password. Sure it doesn't prevent the device being hacked, but it does make it that bit harder. Malware authors, like other criminals, tend to go after the low hanging fruit so just making things a little bit harder is sometimes all it takes to stay secure.

      1. Kevin Johnston

        OK, I'll bite (and may get flamed for this)

        If there are no default passwords, how does it get automatic updates? Surely any process to allow them is a potential hole?

        1. Ben Tasker

          Fairly simple, the update doesn't overwrite the passwords database ;) The box pulls rather than being pushed to, so simple enough really.

          Well, I say database. If you've ever rooted one you'll find it's actually an XML file containing all sorts of config.

          BT's not a shining example though, they have services open by default (and potentially accessible by anyone on the internet) using HTTP basic auth. They also rather spectacularly fucked up with their 'different default wireless keys and passwords' a while back by using the router's serial for the wifi and neglecting to think about the fact the access point was helpfully broadcasting its serial number.
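The thread above raises two points about per-device defaults: unique passwords beat shared ones, but a password derived only from a value the device broadcasts (its serial) is no better than public. The following is an added illustration, not code from the article or from BT; the weak scheme, the serial number and the factory secret are all constructed for the demo, and the hardened variants show what a manufacturer would do instead (keyed derivation with a secret that stays in the factory, or a truly random per-device key).

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample values for the demo (not a real device or vendor secret).
SAMPLE_SERIAL = "SERIAL-000123456"
FACTORY_SECRET = b"constructed-factory-secret-never-leaves-the-factory"


def weak_wifi_key(serial: str) -> str:
    """Hypothetical weak scheme: key is a pure function of the serial.

    Because the access point broadcasts the serial, anyone in radio range
    has everything needed to recompute this key.
    """
    return hashlib.md5(serial.encode()).hexdigest()[:10]


def hardened_wifi_key(serial: str, factory_secret: bytes) -> str:
    """Keyed derivation: unique per device, reproducible for support staff,
    but useless to an observer who only knows the serial, because the HMAC
    key never leaves the manufacturer."""
    mac = hmac.new(factory_secret, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac)[:16].decode().lower()


def random_wifi_key(nbytes: int = 10) -> str:
    """Simplest fix: generate a random key at manufacture and print it on
    the label; nothing about the device lets an outsider derive it."""
    return secrets.token_hex(nbytes)


def observer_can_recover(serial: str, actual_key: str) -> bool:
    """Model an attacker who knows only what the AP broadcasts (the serial)
    and tries the weak derivation against the key in use."""
    guess = weak_wifi_key(serial)
    return hmac.compare_digest(guess, actual_key)


if __name__ == "__main__":
    weak = weak_wifi_key(SAMPLE_SERIAL)
    strong = hardened_wifi_key(SAMPLE_SERIAL, FACTORY_SECRET)
    print("weak key recoverable from serial:", observer_can_recover(SAMPLE_SERIAL, weak))
    print("hardened key recoverable from serial:", observer_can_recover(SAMPLE_SERIAL, strong))
```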

  3. phil dude

    bad link...

    The correct link is here.

    Looks like some cruft after the posted one...

    "http://protectyournet.blogspot.co.uk/2013/08/lightaidra-botnet.html"

    P.

  4. Brian Miller

    Passwords? We don't need no steenkin passwords!

    Anybody remember the researcher who created a botnet to map out the Internet? 420,000 nodes, just on cameras alone.

    It doesn't matter how many times this happens, the hardware manufacturers need to start requiring passwords on their devices, and ones that are "strong." My Cisco ISA550 requires a password that is stronger than logging into their website! And yes, it has to be changed on the first login. And why do they keep opening up ports by default? "This router keeps you safe!" Really? Really?? It doesn't keep you safe, and it doesn't keep anyone else safe, either!

    Maybe the manufacturers could be fined under the truth in advertising laws. These are insecurity routers!

    1. Tom 35

      Re: Passwords? We don't need no steenkin passwords!

      ISP routers with remote admin turned on, and everyone has the same password. Takes 5 minutes to find the password posted online by one of their "you're a contractor not staff, no benefits for you" support people.

      Stuff that is OLD, buy a new one (about 1.5 years) and no longer supported/patched.

      Can't wait for the internet of things.

    2. phil dude

      Re: Passwords? We don't need no steenkin passwords!

      If every router sold, by default had EVERYTHING facing WAN closed perhaps there would be fewer problems. Better still let's have some liability attached to products we BUY. I just installed the newer firmware and you have to "acknowledge we don't accept any responsibility".

      When I install Linux, fair enough my responsibility. But they are making money selling this stuff, and they should be compelled to support best practices - at least, y'know, competent.

      If the $CORP started being responsible (i.e. liable) for competent security, perhaps $BADGUY would not have it so easy...

      P.

      1. Grease Monkey Silver badge

        Re: Passwords? We don't need no steenkin passwords!

        I never ever understood why a home router would have admin enabled on the WAN interface. Then again I've never worked on one configured that way out of the box.

  5. Nate Amsden

    Quick!

    Better go check to see if my bridged cable modem connected to my Soekris system running OpenBSD is vulnerable..

    nope..

    on with my day!

  6. Anonymous Coward

    Lightaidra Source Code?

    A quick googling brought this up on github, last commit two years ago, and this writeup.
