OT? Linux-based trojans now targeting WRT and other linux-based routers
Charles Jones
charles.jones at ciscolearning.org
Fri Mar 27 16:30:38 MST 2009
Log in and run ps and look for rogue processes I guess. Or put a sniffer
upstream of it. Both are things that the casual "hay I got a kewl router
from bestbuy" user is never going to do.
Maybe there is a market for adding router pen-testing modules to AV
software :-) Although, at least 3 different botnets that I have
investigated in the past used bots that actually locked down the
machines they infected, to keep other malware from exploiting the same
holes they used, so that they had sole control.
-Charles
Andrew "Tuna" Harris wrote:
> Interesting... How could one detect a trojan through, say, dd-wrt?
>
> Excerpts from Charles Jones's message of Fri Mar 27 14:19:05 -0700 2009:
>
>> http://www.linux-magazine.com/online/news/psyb0t_attacks_linux_routers_update
>>
>> Some parts of this article made me LOL. Like:
>>
>> "One type of malware connects primarily to a chat system such as IRC,
>> which your ordinary 14-year-old might join for the latest superstar gossip."
>>
>> and:
>>
>> "Each IRC network usually has hundreds of these channels, typically
>> starting with a hash mark in its name, such as #superstars."
>>
>> and:
>>
>> "A participant joining a channel who is not a human is usually a program
>> called a bot. There are all kinds of bots lurking in the IRC, some of
>> them explain UNIX commands, look up bus schedules or forecast the
>> weather. Some, however, await special, often secret, commands"
>>
>> Which prompted me to say on IRC:
>> [03-27-2009 14:11:10] <Charles> hahaha
>> [03-27-2009 14:12:54] * Charles is awaiting special secret commands
>> [03-27-2009 14:13:28] <Charles> but only if you are a superstar
>>
>> Seriously though, I sadly have a lot of experience being attacked by,
>> and hunting down and eradicating botnets. Infected routers are really
>> evil, since your typical user has no way to notice or see that something
>> is running that should not be. This could become a real problem as WRT
>> and other linux-based routers become more popular.
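The "log in, run ps, look for rogue processes" and "watch what the router talks to" approach from the reply above, written out as a baseline diff. This is an added example, not code from the original post or from DD-WRT; the process allowlist, the expected service ports and the sample `ps` / `netstat -tn` output are all constructed here for illustration, and the field positions assume BusyBox-style `ps` (PID USER VSZ STAT COMMAND) and `netstat` output as found on DD-WRT/OpenWrt class routers.

```sh
#!/bin/sh
# Added example: compare a router's process list and TCP connections against
# a known-good baseline and print whatever is not on it. On a real box you
# would capture `ps` and `netstat -tn` over ssh/telnet and feed them in.

# Hypothetical allowlist of command names expected on this router.
EXPECTED_PROCS="init syslogd klogd httpd dnsmasq udhcpc dropbear cron
watchdog ps sh"

# Hypothetical set of local ports the router legitimately serves on; an
# ESTABLISHED connection whose local port is not here was opened *by* the
# router (e.g. a bot dialling out to IRC), not by a client talking to it.
EXPECTED_LOCAL_PORTS="22 23 53 80 443"

# Constructed sample `ps` output in BusyBox format.
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1456 S    init
   52 root      1440 S    syslogd -m 0
   54 root      1432 S    klogd
  210 root      2688 S    httpd
  301 root      1516 S    dnsmasq
  402 root      1444 S    udhcpc -i vlan1
  510 root      1720 S    dropbear -p 22
  777 root      1660 S    /var/tmp/.shd -c irc
  901 root      1440 R    ps'

# Constructed sample `netstat -tn` output (documentation IP ranges).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:22          192.168.1.10:51234      ESTABLISHED
tcp        0      0 192.168.1.1:80          192.168.1.10:51240      ESTABLISHED
tcp        0      0 203.0.113.7:39812       198.51.100.9:6667       ESTABLISHED'

# find_unexpected_procs PS_OUTPUT ALLOWLIST
# Prints "PID COMMAND" for every process whose basename is not allowlisted.
find_unexpected_procs() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, /[ \n]+/); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "PID" { next }          # skip the header line
        {
            cmd = $5; sub(/.*\//, "", cmd)       # strip any leading path
            if (!(cmd in ok)) print $1, $5
        }'
}

# find_router_initiated_conns NETSTAT_OUTPUT EXPECTED_LOCAL_PORTS
# Prints the remote endpoint of every ESTABLISHED TCP connection whose local
# port is not a known service port, i.e. connections the router opened itself.
find_router_initiated_conns() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, /[ \n]+/); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" && $NF == "ESTABLISHED" {
            lport = $4; sub(/.*:/, "", lport)
            if (!(lport in ok)) print $5
        }'
}

# Run against the constructed samples when executed directly.
echo "Processes not on the allowlist:"
find_unexpected_procs "$SAMPLE_PS" "$EXPECTED_PROCS"
echo "Connections the router initiated:"
find_router_initiated_conns "$SAMPLE_NETSTAT" "$EXPECTED_LOCAL_PORTS"
```

On the constructed input this flags the `/var/tmp/.shd` process and the outbound connection to port 6667. The weak point of this check is the one the reply already hints at: an attacker who controls the router can replace `ps` and `netstat` themselves, which is why the upstream sniffer is the more trustworthy of the two approaches, since it does not rely on anything the router reports about itself.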
More information about the PLUG-discuss mailing list