By James Grant, Team Lead and Senior Developer
Usually, when you hear about massive online attacks using botnets, it is legions of infected Windows computers that are doing the dirty work. Here is something new, the exploitation of routers: Network Bluepill, a stealth router-based botnet, has been DDoSing DroneBL for the last couple of weeks:
“…this is the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems. Many devices appear to be vulnerable. The size of this botnet so far cannot be determined. The author of this worm has some sophisticated programming knowledge, given the nature of this executable. Action must be taken immediately to stop this worm before it grows much larger. We came across this botnet as part of an investigation into the DDoS attacks against DroneBL's infrastructure two weeks ago, and feel that this botnet was the one which flooded DroneBL.
We are looking into finding out more information about this botnet, and its controller. If you have any information, we would like to know. …If you intend to disassemble this botnet, you should note it's UPX-compressed. I estimate that at the time of writing, there are at least 100,000 hosts infected. I suspect that the .sql and .pma exploit tools are used for finding more controllers. But I do not have the controller payload. This technique is one to be extremely concerned about because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique will certainly not be going away.”
My worry here is that it is even harder for Internet users to keep their peripheral hardware secure compared to keeping their own computer secure. As users, we don't like the idea of viruses and malware on the computer we use, but it is easier to ignore someone misusing our equipment, as long as it doesn't prevent us from doing what we want.