Members
  • Total Members: 14176
  • Latest: toxxxa
Stats
  • Total Posts: 42869
  • Total Topics: 16078
  • Online Today: 3775
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)









Author Topic: Chuck Norris Botnet Karate-chops Routers Hard (Psyb0t, vulnerability in D-Link)  (Read 7188 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


If you haven't changed the default password on your home router, you may be in for an unwanted visit from Chuck Norris -- the Chuck Norris botnet, that is.

Discovered by Czech researchers, the botnet has been spreading by taking advantage of poorly configured routers and DSL modems, according to Jan Vykopal, the head of the network security department with Masaryk University's Institute of Computer Science in Brno, Czech Republic.

The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: "in nome di Chuck Norris," which means "in the name of Chuck Norris." Norris is a U.S. actor best known for his martial arts films such as "The Way of the Dragon" and "Missing in Action."

Security experts say that various types of botnets have infected millions of computers worldwide to date, but Chuck Norris is unusual in that it infects DSL modems and routers rather than PCs.

It installs itself on routers and modems by guessing default administrative passwords and taking advantage of the fact that many devices are configured to allow remote access. It also exploits a known vulnerability in D-Link Systems devices, Vykopal said in an e-mail interview.

A D-Link spokesman said he was not aware of the botnet, and the company did not immediately have any comment on the issue.

Like an earlier router-infecting botnet: http://users.adam.com.au/bogaurd/PSYB0T.pdf called Psyb0t: http://www.dronebl.org/blog/8 , Chuck Norris can infect an MIPS-based device running the Linux operating system if its administration interface has a weak username and password, he said. This MIPS/Linux combination is widely used in routers and DSL modems, but the botnet also attacks satellite TV receivers.

Vykopal doesn't know how big the Chuck Norris botnet is, but says he has evidence that the hacked machines "are spread around the world: from South America through Europe to Asia. The botnet aims at many networks of ISP [Internet service provider] and telco operators," he said.

Right now Chuck Norris-infected machines can be used to attack other systems on the Internet, in what are known as distributed denial of service attacks. The botnet can launch a password-guessing dictionary attack on another computer, and it can also change the DNS (Domain Name System) settings in the router. With this attack, victims on the router's network who think they are connecting to Facebook or Google end up redirected to a malicious Web page that then tries to install a virus on their computers.

Once installed in the router's memory, the bot blocks remote communication ports and begins to scan the network for other vulnerable machines. It is controlled via IRC.

Because the Chuck Norris botnet lives in the router's RAM, it can be removed with a restart.

Users who don't want to be infected can mitigate the risk -- the simplest way of doing this is by using a strong password on the router or modem: http://www.microsoft.com/protect/fraud/passwords/create.aspx
Users can also address the problem by keeping their firmware up-to-date and by disabling remote-access services.

In recent years, hackers have started looking at devices such as routers, which are often not properly secured, Vykopal said. "They are not regularly patched and updated, even though the patches are available." The devices "are also continuously connected to the Internet and they are up for days and months," he said.

In the future, he expects that even more malware will target these devices.

Despite their rarity, router-based botnets are not particularly hard to create, said Dancho Danchev, an independent cyber threats analyst, speaking via instant message. "Router-based botnets are not rocket science given a common flaw can be exploited, and every then and now [one] appears."

(PCW)

Samker's Computer Forum - SCforum.info


Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
How to stop the 'Chuck Norris' botnet roundhouse-kicking your router
« Reply #1 on: 25. February 2010., 07:25:23 »
UPDATE:

Here’s some new information about the attack and how to protect your router from getting a Norris-style kicking.

First point I want to make is to highlight that this is a botnet attack on routers. ‘Chuck Norris’ infects MIPS-based devices (routers, DSL modems) that run Linux by guessing the administrator username and password (which most people conveniently leave on default - defaults well known to hackers). The botnet also appears to use an exploit present on D-Link systems.

    Note: In case you’re wondering, it’s called because of the following line in the source code ‘in nome di Chuck Norris,’ which is Italian for ‘in the name of Chuck Norris.’

Once ‘Chuck Norris’ has a foothold into the router, it changes the DNS (Domain Name System) settings in the router and directs victims to malicious websites where malware is pushed onto the user. Malware is also installed into the router’s memory which scans the network for other vulnerable devices.

So, how can you protect yourself from ‘Chuck Norris’?

    * Change all router default passwords and make sure you use a strong password: http://www.microsoft.com/protect/fraud/passwords/create.aspx
    * Update all router firmware.
    * Block off or shut off remote access features.
    * Get on with your life.

    Note: You might need to consult your router’s manual to find out how to do all this.

If you think that your router is compromised, here’s what to do:

    * Restart it (which flushes the malicious code from memory).
    * Check for firmware updates.
    * Reset all the settings and input them again, making sure to choose strong administration passwords.
    * Scan all attached systems for malware using an up-to-date antivirus scanner (free scanner link: http://live.sunbeltsoftware.com/ ).
    * Get on with your life.




Djjonny

  • SCF Newbie
  • *
  • Posts: 1
  • KARMA: 0
This I have to see

Samker's Computer Forum - SCforum.info


 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising