back to article Do fear the Reaper: Huge army of webcams, routers raised from 'one million' hacked orgs

Miscreants are right now assembling a massive army of hacked Internet of Things devices – and at a far faster rate than the powerful Mirai botnet swelled its ranks last year. This new cyber-militia of compromised gadgets, dubbed IoT_reaper or Reaper by experts at Qihoo 360 Netlab, can be instructed by its masters to attack …

  1. Duncan Macdonald

    Safe home router ?

    Are there ANY home routers that do not have security holes that could allow them to be taken over as part of a botnet? If so please name them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Safe home router ?

      ERBAUER ERB380ROU

      Absolutely impenetrable by botnets.

      1. Anonymous Coward
        Angel

        Re: Safe home router ?

        Until maybe next year when it goes IoT?

      2. Anonymous Coward
        Anonymous Coward

        Re: Safe home router ?

        So far, as far as you know.

      3. Fatman
        Joke

        Re: Safe home router ?

        <quote>ERBAUER ERB380ROU</quote>

        I Googled used a search engine to look up that name and model number; and clicked on the YouTube link.

        I know of the most practicable use for it....

        After installing a 25mm (or larger) diameter, long length cutting bit, one could take it, and literally ream the ass of IDIoT designers.

    2. Doctor_Wibble
      Unhappy

      Re: Safe home router ?

      Alternatively, where does the ordinary person find a handy list of devices (some may remember what it said on the box) and under what circumstances they are vulnerable? Wifi disabled, the web interface is set to allow LAN only? Mine also has a scripted stats-checker permanently logged in so nothing else can connect anyway, or can it?

      How do we find out if our gateways are part of a botnet? We can't see what's happening the other side of it, and scanning 'services' won't spot it either.

      My first home DSL box required a serial cable and simply wasn't capable of doing anything nefarious. This is another thing we (deliberate or apathy) brought upon ourselves as we demanded more features and super-easy setup wizards.

      TLDR I blame the wizards.

    3. Anonymous Coward
      Anonymous Coward

      Re: Safe home router ?

      I'm surprised nobody has mentioned dd-wrt/Tomato/open-wrt/freewrt etc... You flash your router with the firmware, it's not that difficult to be fair as there are full instructions.

      1. ~chrisw

        Re: Safe home router ?

        Exactly this. I'm running AdvancedTomato on my Netgear R6400. Solid as a rock. Great throughput. Great features. User upgradeable / cross-flashable. And importantly, easily updated when security updates are published.

        The old engineering mantra - measure twice, implement once - applied while checking I was about to flash with the correct build. My worry was unfounded though; the instructions are clear and installation is incredibly simple now compared to a few years ago. The Tomato site lists which versions support which software builds as a good starting point and there's a device for most budgets.

        Installation was a breeze. No TFTPing firmwares, no pinging to catch the router in its the bootloader sequence. Just an upload of a "first stage" base image (to do things like prep the onboard storage to a correct format and size) and then a flash of the full Tomato image. All through the web interface.

        Other firmwares are available. DD-WRT is fine and all, but it's always been bloated for what I want. Tomato won me over with granular Quality of Service features, reliable support for SIP through NAT without dirty hacks and a useful, informative web interface.

        There's various branches of Tomato (Shibby, AdvancedTomato, Kille72, Toastman etc..), but the mainstream release is grand for almost everyone.

        For those not at the Mikrotik / Firebrick / Cisco / Juniper level, and you're not buying kit capable of running OpenWRT/HyperWRT-based firmware, you're not spending wisely.

        Sidenote - I only bought the R6400 as an upgrade from my trusty Netgear WRT54GL - running an older build of Tomato - as the router chipset couldn't keep up with my FTTC throughput! It served well for a decade. Still comes in useful as a managed switch and WiFi repeater.

      2. Dan 55 Silver badge

        Re: Safe home router ?

        I'm surprised nobody has mentioned dd-wrt/Tomato/open-wrt/freewrt etc... You flash your router with the firmware, it's not that difficult to be fair as there are full instructions.

        Unfortunately with the advent of fibre ISPs have decided to provide VoIP routers which the phone runs off. Some of those have no known exploit so you can't do anything with them.

        Others are OEM versions of routers and while you can put your own firmware on them but it's impossible to get the VoIP settings out of them so you lose your phone line. Such a mod has an extremely low Spouse Approval Factor.

    4. adnim
      Happy

      Re: Safe home router ?

      BiPAC 7800DXL?

      Seems pretty good. If ADSL+ is all ya need

    5. patrickstar

      Re: Safe home router ?

      To protect against mass attacks like these, all you have to do (regardless of vendor, model, or any patches) is make sure it doesn't have any open ports to the outside. There are SOME exceptions to this (and UDP services and such can be hard to spot in a scan), but it's a damn good start.

      Also, disable UPnP so stuff on your LAN won't be exposed inadvertently.

      .

      (PS. Can't you atleast delay the Reaper by challenging him to a game of chess?)

      1. Charles 9

        Re: Safe home router ?

        Doesn't work. The ONLY way to have externally-nonaccessible ports is to not have an outside connection AT ALL. Every time you connect to the outside Internet, you create a two-way link. The link you use to connect can be back-hacked to pwn you. That's how drive-by and watering-hole attacks work. That's also why they're particularly hard for firewalls to block because you're being pwned by a connection you made yourself, especially if run through an encrypted connection so they can't be sniffed.

        1. patrickstar

          Re: Safe home router ?

          No. Learn basic networking. There isn't some mysterious opening created over which you can be "back-hacked" just because TCP has a source as well as destination port.

          The source and destination ports, together with the source and destination address, are used to uniquely identify a specific connection. Nothing more.

          A drive-by attack typically works by exploiting vulnerabilities in the web browser. This has nothing to do with any "open ports" just because the page happened to be downloaded over a TCP connection - it could as well be exploited by opening a file stored on the disk. And sometimes is, like in the case of email attachments.

          This is also irrelevant to compromising a router.

          The ways a router could be compromised by browsing a malicious site from behind it (or otherwise connecting from inside it) are basically:

          1. XSRF attacks against the admin web interface

          2. Exploiting bugs in the router's protocol support for NAT traversal

          Neither of these are how routers actually get compromised by "Reaper" or anything else doing the rounds at the moment. I'd be very much surprised if either was ever used for mass-compromising routers for DDoS in the future either, since there are far more profitable things you can do if you have compromised popular web sites. Plus there is a lot more variability in router vendors, models and software than in web browsers and operating systems, so even with an actual 0day you would get a crappy return rate in a non-targeted attack.

          And of course a classic basic firewall doesn't stop an attack over a connection that has been allowed through it. There certainly are firewalls that can, however. See DPI and filtering proxies. They can atleast stop known signatures (like how AV works - in fact, some software versions are actually part of AVs), though just like file scanning and other "blacklists" the efficiency is limited.

          They can also enforce things like "the only thing you are allowed to speak over port X is protocol Y", which can potentially be helpful in preventing the staff or an attacker from running prohibited client software just by changing to a non-standard port (though everything runs over SSL nowadays so not very effective either)

        2. Kiwi
          Facepalm

          Re: Safe home router ?

          The link you use to connect can be back-hacked to pwn you.

          [non-fantasyland citations needed]

          That's how drive-by and watering-hole attacks work.

          No no no NO

          Drivebys work by infecting a web page with a file that will be downloaded by the browser (because it's part of the page's resources) and executed by the browser's systems (eg java (if you have it installed) or javascript handlers). You cannot force any extra stuff through the connection that's not part of/required by the originating page.

          Get off those drugs (but please tell me what they are, I might want to do some travelling to weird and scary places sometime) and get into the real world.

      2. Kiwi
        Boffin

        Re: Safe home router ?

        To protect against mass attacks like these, all you have to do (regardless of vendor, model, or any patches) is make sure it doesn't have any open ports to the outside. There are SOME exceptions to this (and UDP services and such can be hard to spot in a scan), but it's a damn good start.

        I've often done something slightly different to that.

        While my router seems fine now, I cannot be absolutely sure that there is nothing lurking in the background yet to be discovered. The ports for telnet, ssh and a few other common things that I am NOT intending to use are therefore redirected to a non-existant IP address (ie something outside of the DHCP address limits within the network).

        My thinking is that someone from outside the network trying to access the router will try common ports, find them open but nothing responding (thus tying them up a little longer) before moving on. If my router does turn out to have a vulnerability, then you cannot reach it from telnet from outside anyway as the router has no ports listening for telnet.

        If this is a bad idea, then please let me know why (preferably with citations - not all commentards are as clued up on current practices as we think we are! :) )

        (I must someday sit outside and run a full scan against it and see what appears to be open and check that off against my list)

        1. patrickstar

          Re: Safe home router ?

          I suppose you could enable DMZ mode (i.e. default NAT redirection of everything incoming) and point it to a non-existent or sinkhole address in your LAN.

          It depends a bit on the specific implementation in the router whether this will take precendence over services running on it. If it's Linux/iptables based it probably will.

          This could potentially be a way of dealing with unknown UDP services, since there usually isn't any reliable way to tell what's listening to UDP ports from the outside. For TCP you can just do a normal port scan and kill anything that appears. I doubt it will randomly start running new services on its own (except if you count things opened via UPnP), but you never know with crappy consumer gear...

          1. Kiwi
            Thumb Up

            Re: Safe home router ?

            This could potentially be a way of dealing with unknown UDP services, since there usually isn't any reliable way to tell what's listening to UDP ports from the outside. For TCP you can just do a normal port scan and kill anything that appears. I doubt it will randomly start running new services on its own (except if you count things opened via UPnP), but you never know with crappy consumer gear...

            That's my thinking as well.

            This is a Thomson (speedtouch) one provided by a telco that is well known for taking great gear and hobbling the crap out of it (not as bad as Vodafone seem to be these days though, neighbour has a Huawei rebranded cable router that has a setup that lets him see his IP, configure his WIFI SSID and password, and that's it - can't even change the IP range of the DHCP!). Fortunately said telco forgot to hobble the ability to re-flash, so it has OEM firmware on it now (no updates for a while though).

            It has one feature I've not seen elsewhere (and cannot think of the feature's name for the life of me!) - if I try to visit my URL from within the home network (ie I have www.example.com registered which points to the home IP) then unlike most routers which just stop with a "domain unreachable" type error, this one works out that you're trying to reach the web server sitting behind it and routes traffic appropriately.

            I've tried a few other routers which don't have this feature. I can work around it by setting up a separate internal DNS server, but it is a nice function.

            (First time I tried to set up a router for port forwarding I had no idea about this limitation, and was struggling for hours trying to work out what was going on, why my server wasn't being seen - then some helpful hacker who'd found a FTP server visited while I was tailing the server logs, so I realised the system was accessible from outside, which led me to learning that you couldn't visit the URL from inside... )

  2. Sanctimonious Prick
    Devil

    Pfft!

    Mine is made by Huawei :P

    1. Mpeler
      Paris Hilton

      Re: Pfft!

      Huawei would they do a thing like that?

  3. Anonymous Coward
    Anonymous Coward

    Magnificient isn't it?

    Wasn't Mirai followed by "not-Mirai", a bot that logged into, then secured Linux-based IoT devices, then lay dormant for uses unknown (i.e. Hajime; the author apparently issued a few additional versions with patches for bugs openly discussed by reverse engineers?) What happened to that?

  4. Jamie Jones Silver badge

    How to fix this

    Right now, check to make sure you're not exposing a vulnerable device to the internet, apply any patches if you can, look out for suspicious behavior on your network, and take a gadget offline if it's infected., immediately throw away anything that has ever been referred to as "Internet of things"

    FTFY

    1. Anonymous Coward
      Anonymous Coward

      Re: How to fix this

      That suggests an obvious optimization.

      'Never buy anything that has ever been referred to as "Internet of things"'.

      You will save time, money and angst.

  5. whitepines
    Facepalm

    You wouldn't let your pet do this...

    Perhaps it's time to start fining IoT owners if they let their oh so cute little IoT device poop all over DDoS the Internet? Same way we regulate dog / cat owners to make sure that they can enjoy their pet without forcing everyone else to clean up after it?

    1. Anonymous Coward
      Anonymous Coward

      Re: You wouldn't let your pet do this...

      That's right! Shaft the owners for the shit security the manufacturers implemented. That's how you get it fixed!

    2. MonkeyCee

      Re: You wouldn't let your pet do this...

      "Same way we regulate dog / cat owners to make sure that they can enjoy their pet without forcing everyone else to clean up after it?"

      In other words, we don't. Someone *might* get fined if they are caught letting their dog defecate in public, but in general very few of the offenders get caught or even punished.

      I've yet to see anyone punished for their cat shitting somewhere. Or their cat killing other people's pets. Or anything to do with a moggy really. Seen someone get banned form having more cats, and having their herd of ~40 cats spayed and neutered at their cost, but that's about it.

      The local dog owners let their animals shit in public spaces and nowt is done about it (well, it's cleaned up, but that's a tax on everyone). Several of the local cats shit in my garden, and again, nothing will get done about it.

      Well, if I really want them to stop, I plant catnip. Which then leads to a a drug war, with suitably loud turf fights in my garden. But no shitting....

      1. Anonymous Coward
        Anonymous Coward

        Re: You wouldn't let your pet do this...

        If you want to stop cats shitting in your garden then get a cat. This is a really clever move by our cat overlords as it means more cats.

        1. Mpeler
          Pirate

          Re: You wouldn't let your pet do this...

          Or leave a tray of milk in your neighbor's yard... In a few days it'll be SEP (Someone Else's Problem)...

    3. Adrian Midgley 1

      You cannot regulate

      cats.

      And of course they do not have owners, they have staff.

    4. Rob D.

      Re: You wouldn't let your pet do this...

      Dogs/cats/hamsters/stick insects as pets all need the owner to be at least aware of some basic feeding/watering/cleaning up regime or said pet dies. The problem with IoT stuff is that the owner is not buying something to feed and water based on knowledge of the item in question.

      A more appropriate analogy would be owning cars, where the owner is usually punished when they do stupid or illegal stuff with their car or don't get it properly maintained, but the car manufacturer gets the bill when it turns out that the brakes disengage if you use the headlights and wipers at the same time.

  6. Anonymous Coward
    Anonymous Coward

    The reason I love tech so much and why I utterly mistrust it so much is because all the GCSE and A-level subjects were tech subjects, and avid sci-fi reader and film watcher to boot. I've spent 25 years working an IT career and all that has taught me one thing, never, ever trust people with technology!

    It's all the non-techie and people who simply fell into tech careers "because Uncle Joe said there was good money in computers" are the idiots who simply fill their homes with a ton of linked and connected gadgets and then moan when they all start getting hacked, fail to live up to their hype or simply plain don't work. I'm happy to come home to a house that has gadgets but each gadget keeps itself to itself, apart from the obvious laptops, desktops and consoles, the rest of my gadgets are firmly tiny islands of tech. I do not wish to have Amazon or Google listening to my every move, or at best, being on hand when I'm too damned lazy to walk 6 feet to look at the clock to find out what time it is. I do not wish to have my kids looked after by baby monitors that have to be linked to Toys'R'Us, Sports Direst or Carpet Warehouse! I don't need my kettle or fridge talking back to Amazon, TESCO or Boots, so they can all tell me I'm eating too much sugar, salt or fat, I know I'm a bit unhealthy but my guilt keeps me in check not some algorithm on a server in a warehouse in Ireland, thanks very much.

    Tech education and sci-fi have taught me to no unthinkingly pray at the alter of tech. I am not a number, I am a free person(*).

    ( Yes I know, I might be an old git but I'm still a bit PC and respect sex, gender, race and religion! )

    1. Flywheel

      "I don't need my kettle or fridge talking back to Amazon, TESCO or Boots, so they can all tell me I'm eating too much sugar, salt or fat"

      But they wouldn't do that - they'd only tell you when you're running low/out. After all, while manufacturers can stuff our "food" full of cheap sugar, salt and fat, they can maximise profits and keep us coming back for more.

    2. Destroy All Monsters Silver badge
      Windows

      A Citizen Reeducation Van (CRAV) has been sent to your address.

      "and respect sex, gender, race and religion!"

      "Respect" is a word with very fluent postmodern meaning. So there is hope for you yet.

  7. Lord Elpuss Silver badge

    ”Once the botnet's malware was on the camera, it proceeded to attempt to infect other equipment on the internet. Any subsequently hacked devices also cruise up and down the information superhighway for more vulnerable gizmos to hijack.“

    One word. Borg.

  8. John Smith 19 Gold badge
    Unhappy

    Code monkeys X don't-give-a-f**k PHBs X time to market --> IoT

    It's not that this s**t is so insecure.

    It's that it's so easy to make it significantly more secure (EG change the standard install build, remove default passwords etc).

    1. Anonymous Coward
      Anonymous Coward

      Re: Code monkeys X don't-give-a-f**k PHBs X time to market --> IoT

      Default passwords!!!!!!!!!!!!!!!

      My VM box comes with a unique user password. But a default admin (changeme) password that almost no one ever does. (I did).

      1. P. Lee

        Re: Code monkeys X don't-give-a-f**k PHBs X time to market --> IoT

        Default passwords are rarely a problem if they are located on serial port consoles.

        But no, someone wanted to combine production and management interfaces and make them all ethernet.

        How hard would it be to have the management port issue an L2 broadcast and shut itself down if it finds the production ports responding? How about trying to contact google or a public DNS server and shutting itself down if it succeeds?

        We know the security will be bad. We know the vendors don't care about maintenance. How about something easy to make sure user hasn't done something stupid? Writing secure software is hard. Reducing the attack area is so much easier.

        1. Charles 9

          Re: Code monkeys X don't-give-a-f**k PHBs X time to market --> IoT

          "Reducing the attack area is so much easier."

          Oh, but what about false positives? Shrink the surface too much and you'll get complaints.

  9. Anonymous Coward
    Linux

    Reaper cyber-militia malware botnet

    At least it'll get windows off the top results when googling on 'malware' :)

  10. PhillW

    "Check your cameras, broadband gateways, NAS boxes for latest botnet malware"

    OK, thanks for that.......... but there was not anything in the article that I could seethat told me HOW I go about this!

    Should my AV pick it up? Does malwarebytes? Do I have to download and run some other checker? Thats what seems to be missing!

    Anyone got a 'thing' I could do?

    1. Charles 9

      There's no catch-all, unfortunately, as each device is different.

    2. patrickstar

      Nope, nope and nope. None of these will help with an infection of your router unless 'your router' also happens to be the box they are running on.

      I suppose if your connection suddenly and mysteriously starts getting maxed out you atleast know the reason now...

    3. Hans 1

      Anyone got a 'thing' I could do?

      From CVE CVE-2017-8225 link:

      the web directory contains symbolic links to configuration files (system.ini and system-b.ini contain credentials):

      [...] it appears access to .ini files are not correctly checked. The attacker can bypass the authentication by providing an empty loginuse and an empty loginpas in the URI:

      [...] wget -qO- 'http://192.168.1.107/system.ini?loginuse&loginpas'[...]

      Source: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html#pre-auth-info-leak-goahead

      1. patrickstar

        There are, of course, lots of other flavors of IoT/router/embedded system malware doing the rounds, so checking for this and then declaring that all is well doesn't do much good.

        If you have had anything like this exposed to the Internet you are best off doing a factory reset and probably reflashing the firmware (make sure you get the latest - this way you fix any discovered issues as well). You should then make sure it stays unexposed regardless of whether any vulnerabilities are made public or not.

        1. David Nash Silver badge

          "If you have had anything like this exposed to the Internet you are best off doing a factory reset and probably reflashing the firmware"

          Ever? Anything? Including Routers? So that's all of them, then?

          1. patrickstar

            "Exposed" as in "admin interface or related services reachable over the Internet".

            I realize there are SOME scenarios where you might need to expose something and it's not feasible to use a VPN or such, but as a general rule...

            And the things you might NEED to expose tend to be a bit more securable than random "IoT" gizmos.

            IoT gadgets today are like Windows and Linux boxes were in the late 90's/early 00's. Connect one to the Internet with a default installation and it WILL get compromised, probably sooner rather than later.

            I recall having to enable the firewall in Windows 2000 before plugging in the network cable because otherwise you'd be compromised within 20 seconds or so.

            Judging by the amount of scans I see that seem to be targeting IoT systems and such the expected time to compromise for them now isn't much higher.

            A Windows or Linux system with default credentials is gonna get compromised pretty quickly as well if remote access is enabled, but atleast they don't expose a lot of vulnerable services by default.

  11. thx1138v2

    The most succinct exlanation

    'The "S" in IoT stands for security.' - USAFRet

  12. Anonymous Coward
    Anonymous Coward

    "and take a gadget offline if it's infected."

    Easier said than done. After all, owners of said infected IoT tat will say that they are not infected, it must be their neighbour.

    Just write a bot to infect and brick vulnerable IoT tat... that'll sort it out chop-chop.

  13. Fatman
    FAIL

    IoT shit

    I had a neighbor recently complain that his internet connection was sluggish, and he wanted me to 'take a look at it'.

    After gaining access to the router's admin page (he still had the default password, I noticed a shit load of WiFi connected devices, and traffic flowing up and down. I noticed that he did not use encryption or any kind of access restrictions.

    So, we went on a Search and Destroy mission to shutdown everything in the house, as each device was turned off, you could see that item leaving the connected devices list. After we shutdown everything that he knew about, we noticed that there were still devices connected. So, we enabled encryption and setting a very long 'security string'. We also changed the default password. The router's lags were never collected, so he had no way of knowing who was logged in. That got fixed. Then we re-booted the router.

    One by one we turned on his IoT shit, and supplied the necessary 'security string', and watched as those pieces of (IoT) shit connect. The log began to fill up with failed connection attempts, presumably from neighbors who were freeloading his WiFi.

    They had turned one room into a 'home office' where he, the ball and chain wife and their 3 kids used their laptops extensively; all of them fighting for bandwidth over WiFi. After picking up some patch cables and a 1Gbs switch (yes - a switch, I told him to avoid a hub),we wired them in, and even bypassed the WiFi to their shared printer. A couple of tricks (like DHCP reservation) helped to insure that network ran smoothly.

    He wanted to know what he did not do right, which was his failure to RTFM, and just failing to secure the network from the very beginning. What else do you expect from the average Joe Sixpack?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like