Persistent router botnets on the horizon, researcher says at Defcon

Tool released at Defcon makes firmware backdooring easier for certain router models

Security researcher Michael Coppola demonstrated how small and home office (SOHO) routers can be compromised and turned into botnet clients by updating them with backdoored versions of vendor-supplied firmware.

Coppola, who is a security consultant at Virtual Security Research (VSR), gave a crash course in router firmware backdooring -- a complicated process that requires reverse engineering skills -- at the Defcon hacker conference on Sunday.

During the talk he also released a tool called the Router Post-Exploitation Framework (rpef) that automates the firmware backdooring process for several popular router models from different vendors.

The devices supported by rpef include: Netgear WGR614, WNDR3700 and WNR1000; Linksys WRT120N; TRENDnet TEW-651BR and TEW-652BRP; D-Link DIR-601 and Belkin F5D7230-4.

Only specific versions of these routers can be backdoored with the framework and some require more testing. However, the list of supported devices will be extended in the future.

Rpef can add several payloads to the router firmware: a root bind shell, a network sniffer or a botnet client that connects to a predefined IRC (Internet Relay Chat) server where it can receive different commands from the attacker, including one to launch a denial-of-service attack.

Writing the backdoored firmware onto a device -- a process also known as flashing -- can be done through the Web-based administration interfaces of most routers, and a remote attacker can abuse this feature in several ways.

One method is to scan the Internet for routers that make their Web-based administration interface accessible remotely. This is not the default setting in many routers today, but a lot of devices configured like this are available on the Internet.

Once these devices have been identified, the attacker could attempt to use the default vendor-supplied password, brute force the password or exploit authentication bypass vulnerabilities to get in. There are websites that specialize in tracking and documenting router default administrative credentials and vulnerabilities.

"I've done port scans and there are huge netblocks with thousands of IP addresses of open routers that are listening remotely to the Internet with default passwords," Coppola said.

However, even when a router's Web interface is not exposed to the Internet, there are ways to flash the device with rogue firmware remotely.

In a presentation at the Black Hat security conference on Thursday, security researchers Phil Purviance and Joshua Brashars, who work for security consultancy firm AppSec Consulting, showed how known JavaScript attacks can be combined with new HTML5-based techniques to flash the DD-WRT Linux-based custom firmware on a user's router when that user visits a malicious website.

There are already JavaScript-based scripts available that can enumerate local network devices through a victim's browser and even determine the type, make and model of those devices -- a technique known as device fingerprinting.

Determining the victim's internal network IP address cannot be done with JavaScript alone, but plug-in based content like Java can be used for this purpose, Purviance and Brashars said.

Once a router has been identified, the attacker can attempt to access its Web interface through the victim's browser by using default credentials or by launching a cross-site request forgery (CSRF) attack that piggybacks on the victim's active session.

If the victim logged into the router's Web interface with the same browser in the past and their session cookie is still active, the attacker can simply direct the victim's browser to perform an action in the router's interface without the need for authentication.

A lot of routers, especially older ones that haven't been updated with new firmware, don't have CSRF protection.
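The check whose absence makes that attack possible can be sketched as follows. This is an added example, not code from the talks or from any vendor's firmware; the admin origin `http://192.168.1.1`, the `sid` cookie and the `csrf_token` form field are assumed names.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical values: the router's admin origin and an in-memory session store.
ADMIN_ORIGINS = {"http://192.168.1.1"}
SESSIONS = {}  # session cookie value -> CSRF token bound to that session


def login():
    """Create a session and the CSRF token embedded in the admin pages."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(16)
    return sid, SESSIONS[sid]


def request_origin(headers):
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    parts = urlsplit(headers.get("Origin") or headers.get("Referer") or "")
    if not parts.scheme or not parts.netloc:
        return None  # absent, malformed or the literal "null" origin
    return f"{parts.scheme}://{parts.netloc}"


def allow_firmware_flash(headers, cookies, form):
    """Decide whether a POST to the firmware-upgrade handler may proceed."""
    expected = SESSIONS.get(cookies.get("sid", ""))
    if expected is None:
        return False, "no valid session"
    # The cookie alone proves nothing: the browser attaches it to requests
    # that a third-party page triggers.
    if request_origin(headers) not in ADMIN_ORIGINS:
        return False, "cross-origin request"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Constructed requests: one from the admin page, one forged by another site."""
    sid, token = login()
    cookies = {"sid": sid}  # same active session cookie in both cases
    genuine = allow_firmware_flash(
        {"Origin": "http://192.168.1.1"}, cookies, {"csrf_token": token})
    forged = allow_firmware_flash(
        {"Origin": "http://attacker.example"}, cookies, {})
    return genuine, forged


if __name__ == "__main__":
    print(demo())
```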

Purviance and Brashars demonstrated how new browser features like XMLHttpRequest Level 2 (XHR2), Cross-Origin Resource Sharing (CORS) and the HTML5 File API can be used to download a rogue firmware file to the user's browser and then flash the router with it without any user interaction. This was not possible in the past with JavaScript and older browser technologies, the two researchers said.

Their demonstration used DD-WRT, which has the drawback of resetting the router's user-defined settings and can be discovered easily because it has a different interface.

However, their attack can easily be combined with the backdoored firmware produced by Coppola's tool. Instead of DD-WRT, one can upload a backdoored firmware and it will look exactly the same as the original one, Coppola said.

Even the user-defined settings can be retained. Most routers offer the option to retain settings when performing a firmware update, Coppola said. Those settings are stored on a separate memory chip called NVRAM (non-volatile random-access memory) that doesn't get overwritten when you flash the firmware, he said.

"There's a lot of opportunity for people to make massive botnets just from routers," Coppola said. "I actually do think that this is going to start emerging and I don't mean that in a sensational way."

Router-based botnets are not just a concept. Back in 2009, DroneBL, an organization that tracks the IP addresses of infected computers, discovered a worm that was infecting routers and DSL modems running the mipsel Debian distribution.

In 2011, researchers from antivirus vendor Trend Micro came across a similar piece of malware that was spreading in Latin America and was targeting D-Link routers.

In both cases, the malware was using brute force attacks and default credentials to compromise the routers and install a temporary botnet client that was being removed when the routers rebooted.

With the backdoored firmware created by Coppola's tool, the infection persists when the device is restarted and the rootkit-type malware running on the device is actually hidden.

The reason why router botnets are not yet common is that the proper tools to create them didn't exist, Coppola said. A separate tool presented at Defcon on Friday called the Firmware Reverse Engineering Konsole (FRAK) really increases the level of analysis that people can do on firmware, he said.

Lucian Constantin

IDG News Service