Linux Routers Potentially Vulnerable To Telnet Worm

In late March ESET security published a blog post detailing how an updated version of an existing malware infection can exploit many consumer broadband routers and wireless access points.

Why Should This Infection Be Considered Important?
If your router becomes infected with this malware it can communicate back to its creator via a command and control (C2) server (defined). Under their control your router can be used for purposes such as a distributed denial of service attack (DDos) attack (defined) among any other action the attackers may choose. An example of a DDoS attack occurring in the past using routers is the subject of this article and this article.

Given that the malware comes to reside on a router by attempting to connect to random IP addresses (defined) that have port 23 open it may only be a matter of time before your router is tested for this open port.

By convention port 23 is used by the now deprecated Telnet (defined) protocol. If your routers firewall (defined) does not block access to this port from external sources the attackers have a favourable opportunity to infect your router since the malware can download various versions customized to the individual CPU architecture used within the router e.g. MIPS, ARM etc. The malware attempts to gain access to your router using a stored list of username and passwords that are commonly used or are used by default by consumer routers. Once access is obtained the malware is downloaded and installed.

How Can I Protect Myself from This Malware?
As discussed in a previous blog post, please follow the recommendations provided by the US-CERT to secure your router. This will involve (among other changes) changing the default username and password of the router (making it much harder for the malware to guess the correct credentials).

Blocking commonly used protocols from being used to access your router (which in this case is the Telnet protocol) using your firewall is explained here. Use of a tool (e.g. Steve Gibson’s ShieldsUP!) to test the effectiveness of your router’s firewall will also provide additional protection against this threat and other threats that may attempt to access your router is discussed here. A guide for using ShieldsUp to do this is here with a video demo here. Scanning your router using Nmap (a more advanced tool) is discussed in this article.

Since many Internet Service Providers (ISPs) block/prevent end-users/consumers from making many changes to their routers, please contact your ISP for advice on how to block port 23 from being accessed externally to protect against the threat discussed in ESET’s blog post.

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s