The phantom menace: why pay more attention to routers

This article is in reaction to the news that a new worm is targeting specific models of Linksys routers. The Moon worm ([1], [2]) exploits a flaw in those routers’ firmware to bypass proper authorization and tries to spread itself further to the addresses found on computers connected to the device. It is still unknown whether the worm has any truly malicious functionality, but the fact that the attacks target routers should make you think twice.

The point is that routers are rarely attacked, but when they are, the consequences can be serious. Such attacks usually succeed because of the careless attitude of the people who own the routers: they set weak passwords or keep the default ones (which are well known for every model, so there is not even any guessing involved). Complex passwords that differ from the defaults or from the likes of “admin/1234” are often neglected.

The main danger for businesses is that after infecting a router, attackers can silently and extensively intercept all traffic passing through the device, which is great for spying.

As we already mentioned, The Moon is not the first case of routers falling under attack, and it is not even the most serious one, at least not so far.

A more serious episode was the infamous Trojan DNSChanger (both for Windows and Mac OS X), which caused a massive epidemic a few years ago. About 4 million people fell victim when their computers and routers were targeted. DNSChanger appeared some time in 2007, and its variant targeting routers was seen in 2008.

After infecting computers, this Trojan attempted, judging by the total number of victims, to change the settings of routers, primarily DNS, so that all traffic would be redirected to servers belonging to criminals. Eventually, users were seeing unsolicited advertisements, often of the 18+ category. Getting rid of them was extremely difficult, especially without knowing that the infection was not on the computer but in the router.

DNSChanger was created by the Estonian commercial company Rove Digital, whose employees were cyberidealists on the loose. In late 2011, Estonian law enforcement arrested them, and the FBI took control of the DNSChanger servers and kept them running while an extensive information campaign told users how to get rid of DNSChanger and restore normal DNS operation. Otherwise those users would have lost their access to the Web.

Finally, we cannot forget about the recent discovery of a botnet, which consisted largely of smart home appliances (at least one refrigerator participated in spamming) and wretched routers.

Frankly, it is odd that attacks on routers do not happen more often. Cybercriminals have many advantages when it comes to taking control of a wireless router. The most obvious is the ability to stealthily intercept all traffic passing through the device. When there are signs of malware infection in a LAN, the end points are checked first – computers, servers and mobile devices. Routers are not high on the list of suspects, and they are often the last to be inspected.

On the other hand, successfully infecting a router whose password is harder than “admin/1234” is not an easy task. The vast majority of routers use RAM-based file systems, so after each reboot the router would have to be re-infected, and in most cases infection is only possible from within the local area network (routers are usually secured against external IP addresses). Therefore, in order to gain control over the device, the attacker must first find a way to install malicious software on some machine within the network; after that the router can be re-infected whenever needed. And while users’ computers are restarted quite often, a router may run nonstop for months provided it works OK, so an infection can reside in the router for a very long time.

In addition, there was information in 2008 that one security expert managed to develop a malicious rootkit for Cisco routers. Given the popularity of this brand of routers the news of the rootkit was a big deal.

It is relatively easy to protect yourself from this threat. Firstly, do not use simple passwords. Secondly, configure adequate settings, as most routers’ firmware provides plenty of tools to protect your local network. And thirdly, update the firmware as soon as possible: as with all software, there may be vulnerabilities in it like the one exploited by The Moon worm.
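One cheap way to notice the kind of tampering DNSChanger performed is to audit which resolvers the hosts on your LAN are actually using. The check below is an added example, not code from the original article: it parses resolv.conf-style text handed out to a DHCP client and flags any public resolver that is not on the expected list. The sample file contents and the trusted-resolver list are constructed assumptions; adjust them to your own gateway and resolvers.

```python
import ipaddress

# Constructed sample of what a DHCP client might write after a router's
# DNS settings were changed (hypothetical addresses, 203.0.113.0/24 is a
# documentation range).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.77
"""

# Assumption: the LAN gateway plus two public resolvers the site has
# standardised on. Anything else showing up is worth a look.
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# RFC 1918 space and loopback: addresses here are at least local.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                servers.append(parts[1])
    return servers


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """'trusted' if on the allow-list, 'private' if a LAN/loopback address
    not on the list, otherwise 'suspicious' (public resolver nobody set)."""
    if addr in trusted:
        return "trusted"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "suspicious"
    if any(ip in net for net in LAN_RANGES):
        return "private"
    return "suspicious"


def audit_resolvers(text, trusted=TRUSTED_RESOLVERS):
    """Map each configured resolver to its verdict; alert on 'suspicious'."""
    return {addr: classify_resolver(addr, trusted) for addr in parse_nameservers(text)}


if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{addr:15} {verdict}")
```

Run it periodically on a few LAN hosts (or feed it the DNS servers your DHCP lease reports); a public resolver appearing that nobody configured is exactly the symptom DNSChanger victims missed because they only examined their computers.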

Tips