Apparently tens of thousands of home routers are infected with malware being used by hackers to launch distributed denial-of-service (DDoS) attacks.
Security firm Incapsula discovered the router-based botnet while investigating a series of DDoS attacks against its customers that have been ongoing since December.
The firm’s researches tracked the malicious traffic to routers made by Ubiquiti Networks and distributed by Internet companies to their customers around the world. Those devices were found to have DDoS malware installed on them, the researchers said in a report last week.
Hacked routers exposed, majority in Thailand
The researchers say that the routers were not hacked through firmware vulnerability, but mainly because they were deployed in an insecure way – with their management interfaces exposed to the Internet via SSH and HTTP with default logins and passwords.
They found scripts running on the devices designed to scan the Internet for other routers that could also be accessed over the SSH protocol with default logins.
“Facilitating the infiltration, all of these under-secured routers are clustered in the IP [Internet Protocol] neighborhoods of specific ISPs that provide them in bulk to end-users,” the researchers said. “For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective”.
In the first version of the report, Incapsula said the group Anonymous were among those groups making use of the compromised routers. However, it said later that due to conflicting data, it was not confident that anonymous was involved in the hacking.
The problem of Internet companies giving insecure routers to their customers is widespread, and that hackers have exploited it many times over the years.
Besides the DDoS attacks, the hacked routers can also be used to redirect users to malicious websites, intercept banking sessions, steal credentials for online accounts and many other illegal activities.
In January it was reported that Lizard Squad had set up DDoS for hire services using hacked home routers. Lizard Squad took responsibility for DDoS attacks against Sony’s PlayStation Network, Microsoft’s Xbox Live service, and several other websites.
Incapsula said it detected 40,269 different IP addresses from more than 1,600 Internet companies in 109 countries associated with the botnet and hacked routers. Most of those devices are in Thailand (64%), Brazil (215), the USA (4%) and India (3%).
The company also found 60 servers used by hackers to control the routers, most of them in China and the US.
Users should make sure their routers do not leave their management interfaces over HTTP or SSH to the Internet. There’s a tool on yougetsignal.com which can to scan a router’s IP addresses for open ports.
Make sure that you also change the default login details for your router, for example many routers (including those from TOT in Thailand) come with the default user name of admin, and password of admin. That’s a serious security hole, and you should make sure that the password is changed as soon as possible, if it’s not already done during installation.
SOURCE: PC World.