Free Republic
Browse · Search
General/Chat
Topics · Post Article


Chuck Norris botnet karate-chops routers hard
Good Gear Guide ^ | 20 February 2010 | Robert McMillan

Posted on 02/22/2010 5:37:51 AM PST by ShadowAce

If you haven't changed the default password on your home router, you may be in for an unwanted visit from Chuck Norris -- the Chuck Norris botnet, that is.

Discovered by Czech researchers, the botnet has been spreading by taking advantage of poorly configured routers and DSL modems, according to Jan Vykopal, the head of the network security department with Masaryk University's Institute of Computer Science in Brno, Czech Republic.

The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: "in nome di Chuck Norris," which means "in the name of Chuck Norris." Norris is a U.S. actor best known for his martial arts films such as "The Way of the Dragon" and "Missing in Action."

Security experts say that various types of botnets have infected millions of computers worldwide to date, but Chuck Norris is unusual in that it infects DSL modems and routers rather than PCs.

It installs itself on routers and modems by guessing default administrative passwords and taking advantage of the fact that many devices are configured to allow remote access. It also exploits a known vulnerability in D-Link Systems devices, Vykopal said in an e-mail interview.

A D-Link spokesman said he was not aware of the botnet, and the company did not immediately have any comment on the issue.

Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can infect an MIPS-based device running the Linux operating system if its administration interface has a weak username and password, he said. This MIPS/Linux combination is widely used in routers and DSL modems, but the botnet also attacks satellite TV receivers.

Vykopal doesn't know how big the Chuck Norris botnet is, but says he has evidence that the hacked machines "are spread around the world: from South America through Europe to Asia. The botnet aims at many networks of ISP [Internet service provider] and telco operators," he said.

Right now Chuck Norris-infected machines can be used to attack other systems on the Internet, in what are known as distributed denial of service attacks. The botnet can launch a password-guessing dictionary attack on another computer, and it can also change the DNS (Domain Name System) settings in the router. With this attack, victims on the router's network who think they are connecting to Facebook or Google end up redirected to a malicious Web page that then tries to install a virus on their computers.

Once installed in the router's memory, the bot blocks remote communication ports and begins to scan the network for other vulnerable machines. It is controlled via IRC.

Because the Chuck Norris botnet lives in the router's RAM, it can be removed with a restart.

Users who don't want to be infected can mitigate the risk -- the simplest way of doing this is by using a strong password on the router or modem. Users can also address the problem by keeping their firmware up-to-date and by disabling remote-access services.

In recent years, hackers have started looking at devices such as routers, which are often not properly secured, Vykopal said. "They are not regularly patched and updated, even though the patches are available." The devices "are also continuously connected to the Internet and they are up for days and months," he said.

In the future, he expects that even more malware will target these devices.

Despite their rarity, router-based botnets are not particularly hard to create, said Dancho Danchev, an independent cyber threats analyst, speaking via instant message. "Router-based botnets are not rocket science given a common flaw can be exploited, and every then and now [one] appears."


TOPICS: Computers/Internet
KEYWORDS: chucknorris; security; virus

1 posted on 02/22/2010 5:37:51 AM PST by ShadowAce
[ Post Reply | Private Reply | View Replies]
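
Added example (not part of the article or of any post in this thread): a small Python audit covering the points the article names, namely a default admin password, remote-access services left on, and DNS settings that no longer point where you expect. The settings keys, the expected resolver addresses and the sample data are assumptions constructed for illustration; only the `nameserver` line format of resolv.conf is a real format.

```python
import ipaddress

# Assumption: resolvers you expect your router to hand out (placeholder
# documentation addresses; replace with your ISP's or chosen resolvers).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# A few widely known factory-default passwords (illustrative, not exhaustive).
FACTORY_DEFAULTS = {"", "admin", "password", "1234", "root"}
# Hypothetical setting names for remote-access services facing the Internet.
REMOTE_SERVICES = ("telnet_wan", "ssh_wan", "http_wan")


def parse_resolv_conf(text):
    """Return the nameserver IPs from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue  # ignore malformed entries
    return servers


def audit(settings, resolv_text, router_ip):
    """Return a list of findings for the checks named in the article."""
    findings = []
    if settings.get("admin_password", "").lower() in FACTORY_DEFAULTS:
        findings.append("default-password")
    for svc in REMOTE_SERVICES:
        if settings.get(svc) == "on":
            findings.append("remote-access:" + svc)
    # The router itself is a legitimate resolver when it proxies DNS.
    allowed = EXPECTED_RESOLVERS | {router_ip}
    for ns in parse_resolv_conf(resolv_text):
        if ns not in allowed:
            findings.append("unexpected-dns:" + ns)
    return findings


# Constructed sample data, not taken from a real device.
SAMPLE_SETTINGS = {"admin_password": "admin", "telnet_wan": "on",
                   "ssh_wan": "off", "http_wan": "off"}
SAMPLE_RESOLV = "# from DHCP\nnameserver 192.0.2.53\nnameserver 203.0.113.7\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS, SAMPLE_RESOLV, "192.168.1.1"):
        print(finding)
```

If a client lists only the router's own address as its nameserver, this check cannot see the upstream resolvers, so compare the DNS fields on the router's status page against the expected list as well.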

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

2 posted on 02/22/2010 5:38:02 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

If you have a wireless router of any stripe, check out http://www.dd-wrt.com. This is an open-source community firmware for most retail routers. It’s solid as a rock, and it opens up the features on your wireless router like you’d never believe!

As an aside, write down a complex password and tape it to the underside of your router. Of all the components in your home network, your router should have the most complex password of all. Learn a few simple configuration tweaks on standard router firmware, and you’ll be secure even without installing the dd-wrt firmware.


3 posted on 02/22/2010 5:51:09 AM PST by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: rarestia

Excellent advice. I use dd-wrt on my Linksys router, and it is very solid, with zero issues.


4 posted on 02/22/2010 6:02:40 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 3 | View Replies]

To: rarestia

I don’t see any necessity to change the firmware on a home router. All people need to do is change the default encryption layer and password and do as you say, write the password on a piece of tape underneath the router.


5 posted on 02/22/2010 6:10:33 AM PST by aft_lizard (Barack Obama is Hugo Chavez's poodle.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: ShadowAce
Thanks for the info ShadowAce


6 posted on 02/22/2010 6:10:35 AM PST by JoeProBono (A closed mouth gathers no feet)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

If you ask Chuck Norris what time it is, he always says, “Two seconds ‘til.” After you ask, “Two seconds ‘til what?” he roundhouse kicks you in the face.

Chuck Norris was once on Jeopardy. This show is notable in that it was the first occasion in Jeopardy history that Alex Trebek had appeared without a mustache.

Chuck Norris uses 8’x10’ sheets of plywood as toilet paper.

Chuck Norris has never been in a fight, ever. Do you call one roundhouse kick to the face a fight?


7 posted on 02/22/2010 6:30:59 AM PST by SeekAndFind
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

BTTT


8 posted on 02/22/2010 6:55:07 AM PST by DollyCali (Don't tell God how big your storm is...Tell the storm how big your God is!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

Memo to self: Reconfigure SSID to "0BAMA SUX" tonite.

9 posted on 02/22/2010 7:07:26 AM PST by martin_fierro (< |:)~)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
How could this be? Why would anyone bother with creating a botnet of so small a number of devices? I didn't think anyone wrote botnets for anything but MS-Windows machines because there are so many of them. /sarc

Gee, I guess we need to start worrying about the millions of OSX and Linux boxes out there now.

To be serious for a sec, I would imagine that even folks who'd updated their D-Link routers to something like DD-WRT would have to be worried about this attack if they were stupid enough to use the default or weak password.

10 posted on 02/22/2010 7:11:21 AM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 1 | View Replies]

To: rarestia

Guess I should have read the thread before my last post. :-) I like DD-WRT too. One update to turn a $50 appliance into a thousand dollar router. Gotta love it!


11 posted on 02/22/2010 7:12:44 AM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 3 | View Replies]

To: ShadowAce; Swordmaker

Is this just wireless routers or does it include wired routers also and does it matter what OS the computer is running?


12 posted on 02/22/2010 7:38:11 AM PST by tubebender (Thanks to all the Patriots who support Free Republic financially...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: tubebender

I don’t think it matters whether it’s wireless or wired. Since this attacks the router, the computer behind it won’t be infected, as such, so it does not matter which OS the computer(s) are running.


13 posted on 02/22/2010 7:43:46 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 12 | View Replies]

To: ShadowAce

ROTFLMAO! It’s been years since I set up my Linksys wired router so I thumbed through my spiral notebook for my password and it is pretty lame...


14 posted on 02/22/2010 7:44:51 AM PST by tubebender (Thanks to all the Patriots who support Free Republic financially...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

How can someone tell if they have a botnet on their router?


15 posted on 02/22/2010 8:46:16 AM PST by pctech
[ Post Reply | Private Reply | To 1 | View Replies]

To: martin_fierro

Those SSID names are relatively clean compared to the ones I come across.


16 posted on 02/22/2010 8:48:17 AM PST by dfwgator
[ Post Reply | Private Reply | To 9 | View Replies]

To: aft_lizard

I was making the recommendation to those who like to tinker. The default router firmwares are generally stable, but you’re at the mercy of the manufacturer as to what features are enabled. Default Linksys firmware has very limited content filtering, but install DD-WRT and you have more content filtering than you could possibly imagine!


17 posted on 02/22/2010 9:06:29 AM PST by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: pctech

Reboot the router. Then you won’t have one. :)


18 posted on 02/22/2010 9:23:30 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 15 | View Replies]

To: rarestia

OK, that’s cool. And I agree Linksys default OS is kind of a pain to navigate for the neophyte.


19 posted on 02/22/2010 9:43:35 AM PST by aft_lizard (Barack Obama is Hugo Chavez's poodle.)
[ Post Reply | Private Reply | To 17 | View Replies]

To: EdReform

bookmark


20 posted on 02/22/2010 9:48:25 AM PST by EdReform (Oath Keepers - Guardians of the Republic - Honor your oath - Join us: www.oathkeepers.org)
[ Post Reply | Private Reply | To 1 | View Replies]

