Today this article was published by the BBC: Talk Talk and Post Office routers hit by cyber-attack. It states:

It involves the use of a modified form of the Mirai worm - a type of malware that is spread via hijacked computers, which causes damage to equipment powered by the Linux operating system.

Reading Wikipedia on the Mirai worm, it states that it works as follows:

Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them with the Mirai malware. Infected devices will continue to function normally, except for occasional sluggishness, and an increased use of bandwidth. A device remains infected until it is rebooted, which may involve simply turning the device off and after a short wait turning it back on. After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes.

So my question is: can I protect my router from the Mirai worm, and how would I know if my router was vulnerable?

User1

4 Answers

16

Like your quote says; change the password. It would be much harder to fix if Mirai used 'actual' vulnerabilities (software bugs i.e. memory corruption). Then you'd have to hope there's an update available and apply that. But it seems like it's only taking advantage of people who leave their devices with the proverbial 'changeme' as password.

Alexander O'Mara
J.A.K.
  • I'm not sure which "password" you need to change. I know when this worm was used on IoT it was using Telnet and the hard-coded root password of badly coded security cameras; I was wondering whether there was something else at play here, such as stopping it being visible to the internet – User1 Dec 01 '16 at 16:43
  • @user1 The one you login to the admin panel with probably, but if the device has some hard-coded credentials for Telnet or something, you probably have to replace the device unless there is an update that solves this. – Alexander O'Mara Dec 01 '16 at 16:47
  • @AlexanderO'Mara Is a further level of protection disabling remote access to your router, so that the admin panel is not visible to the outside world? – User1 Dec 01 '16 at 17:02
  • @user1 I would say it's a different type of protection. It won't protect the device from attacks from inside the local network. Lately there has been a surge in these attacks coming from inside the network because manufacturers of these devices naively assumed local traffic would always be safe. Too many of these devices are vulnerable to simple CSRF attacks that can be done just from visiting the wrong website. – Alexander O'Mara Dec 01 '16 at 17:05
  • @AlexanderO'Mara Wow, I'd never even heard of a CSRF. Really useful to know when thinking about security. It would be good to bulk out this answer with some of the comments – User1 Dec 01 '16 at 17:31
  • Could you not just try telnetting in with the same password and change it using your new root access? – Nate Diamond Dec 01 '16 at 22:27
  • Yes, this doesn't work on hardcoded credentials. But then I'd suggest working with a whitelist of IP addresses for remote access. Or if that's not an option, a proper VPN to your LAN will do nicely. – J.A.K. Dec 04 '16 at 05:16
3

This may be useful, though it's a little specific to netgear (DG834 etc): https://wiki.openwrt.org/toh/netgear/telnet.console#using_the_netgear_router_console

Some info gleaned from DEFCON 2014, after my netgear was hacked a few weeks back.

The problem is not the password per se, but the backdoor that was implemented for telnet. Not all implementations use nvram to allow that particular fix, but then not all implementations have a stupid back door. Except of course that ISP-supplied routers are notoriously vulnerable to anything going, and sometimes prevent the user from correcting the situation. Get a new box.

For Heaven's sake, at least change the default password! (Good Grief)

My first step would be to (export the settings and) update to the latest firmware. Or else consider one of the many open-source firmwares such as dd-wrt, openwrt, pfsense, etc., which are Linux- or BSD-based.

Change the password at the very least, but change the "admin" account too. On the old netgear, there isn't a GUI for this, but you may edit the admin account-name in exported settings before re-importing, or indeed use telnet via busybox (but beware using special characters such as > ).

Some people advise changing the default IP 192.168.0.1 to something else; clearly this means you need to reconnect to your main box by setting the new router IP there, too.

Also turn off the router's UPnP, which inhibits any DNS rebinding attack, and to be extra sure restrict ISP addresses to the block range used by the ISP, using ipconfig (in the router). You may also restrict ports to those you know you will need, but it becomes more onerous to maintain, and will be puzzling if something does not work because it needs a port you have disallowed.

It helps to respond to outside pings with a 'drop' as default action, so you are a little more stealthy (dial-in becomes more complicated).

Finally, test with something like https://www.grc.com/shieldsup

I hope that helps.

Will LaC
  • I'd argue that that horrible telnet hack that NETGEAR uses is much more widespread. I bought once a D3xxx series and threw it away days later after discovering that the NETGEAR application that talks to the router used a telnet connection with a special sequence of bytes as a poor man's authentication (i.e. the sequence is always the same and cannot be changed). – grochmal Dec 02 '16 at 03:29
  • Changing an IPv4 address to anywhere in the private address spaces won't protect against a casual scan that takes just seconds at most. It might stop the most trivial hacker scripts, but not anybody who's more invested. – phyrfox Dec 02 '16 at 04:38
1

Don't have any outward (WAN) facing services running on your router. Portscan your own IP with an online portscanner, or do it yourself with zenmap. The flags -sS -Pn -oN scan.txt -p T:1-65535 -vv -T4 -n yourIP will show you what services are open. Check any open services with -sV, or use amap. Generally disable IPv6 and UPnP unless you use those things. If you need to, install OpenWRT or DDWRT over default firmware which is fairly reliable and safe. IIRC Mirai malware attacks specific types of devices, not major brands of SoHo routers like ZyXEL etc.

You can check for default credentials on ssh, telnet etc. with hydra and a good router wordlist ( use Google to find one ).

user400344
1

The Mirai Worm makes its way inside a system by bruteforcing specific port numbers that are running telnet. The bruteforce attack works by looking for common default credentials on the telnet port. Here is a picture of Mirai's username/password dictionary:

Mirai Wordlists

To prevent this kind of attack there are a few things you can do.

  1. Make sure your router is up to date with the latest firmware and software.
  2. Change your router's default password to something strong and unique. Make sure to avoid passwords on this list (or any other wordlist you come across for that matter).
  3. Check if you have a telnet server, SSH, or any other remote access services running. To verify this, check the router's admin panel or use a port scanner such as Nmap. If remote access is enabled, you may want to disable this, depending on your set up.

Although the Mirai Worm only targeted devices running telnet servers, it is important to remember that we want to protect from the type of attack, not a specific attack. Therefore, you should investigate other ports on your router (such as SSH) as mentioned previously to prevent other attacks or different "flavors" of future Mirai Worms.

A case study providing more information regarding the Mirai Worm can be found here, if you are interested.

Gavin Youker
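A self-check in the spirit of the third and fourth answers (find out which remote-administration ports your own router actually answers on), written as an added example rather than code from any of the posters: it TCP-probes a port list, records the greeting each service sends, and, because it has to run offline, audits a constructed local stand-in for a router telnet service; the port-to-service names are this example's assumptions.

```python
import socket
import threading
from contextlib import closing

# Ports the answers above say to check on your own router; service names are assumptions.
REMOTE_ADMIN_PORTS = {23: "telnet", 2323: "telnet-alt", 22: "ssh", 80: "http", 443: "https"}

def probe_port(host, port, timeout=1.0):
    """TCP-connect to host:port; return (is_open, first bytes the service sent)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused, filtered or timed out: not reachable
            return False, b""
        try:
            banner = s.recv(64)  # telnet and SSH normally greet without being asked
        except OSError:
            banner = b""
        return True, banner

def audit(host, ports=REMOTE_ADMIN_PORTS, timeout=1.0):
    """Report each port that accepts a connection; an open telnet port is what Mirai scans for."""
    findings = {}
    for port, name in ports.items():
        is_open, banner = probe_port(host, port, timeout)
        if is_open:
            findings[port] = {"service": name, "banner": banner}
    return findings

def _fake_telnet_listener():
    """Constructed stand-in for an exposed router telnet service (offline demo); returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))  # ephemeral port, already listening
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"BusyBox v1.00 login: ")  # typical embedded-Linux telnet greeting
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Audit the fake telnet port and one port known to be closed; return (telnet, closed, findings)."""
    telnet_port = _fake_telnet_listener()
    with closing(socket.socket()) as tmp:  # bind-and-release to pick a port nothing listens on
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
    findings = audit("127.0.0.1", {telnet_port: "telnet", closed_port: "ssh"})
    return telnet_port, closed_port, findings
```

To check a real device, call audit() with the router's LAN address from inside the network and, from outside, with its WAN address; anything that shows up with a telnet banner is the exposure the question is about.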