Home routers co-opted into self-sustaining DDoS botnet

Hackers have established "self-sustaining" botnets of poorly secured routers, according to DDoS mitigation firm Incapsula.

The hijacked routers – located mostly in Thailand and Brazil – were easy pickings for hackers because of the use of factory-default usernames and passwords. Knowledge of these login credentials allowed miscreants to slip malicious code (specifically the MrBlack trojan AKA Trojan.Linux.Spike.A) on to vulnerable home routers, before using them as a platform for denial of service (DDoS) attacks.

Hundreds of thousands, if not millions of insecure home gateways have been press-ganged into the botnet, Incapsula said. It added that the attack platform only exists because ISPs, vendors and users have all disregarded the common-sense security practice of changing default passwords.

The router botnet bears similarities with the attack platform established by the infamous Lizard Squad DDoS-for-hire wrecking crew, which is best known for blitzing gaming networks last Christmas. Lizard Squad used the same tactics but different malware. The latest botnet is either an evolution of Lizard Squad's attack platform or the work of copycats.

Incapsula came across the attack network in the course of investigating an attack against several dozen customers by a DDoS botnet comprised of tens of thousands of hijacked routers.

Units on the botnet are accessible over the web via HTTP and SSH on the default ports of these industry-standard protocols. Newly hijacked routers can be used to scan for other vulnerable machines before pushing and running a script to continue the update cycle. "Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms," Incapsula concludes.

The whole approach is far more powerful and stealthy than first-generation Anonymous DDoS attack tools, in particular the LOIC (Low Orbit Ion Cannon). Default settings in LOIC broadcast users' IP addresses, making it easy for authorities to identify and round up suspects.

So-called stressed or booter services are all too commonplace in the digital underground, so it could be that unknown hacking crews – who might have cut their teeth in using compromised systems to blitz rival gaming groups – are running portions of the home router botnet. Whoever is running it, the botnet is bad news for anyone who cares about internet hygiene: not least because clean-up operations are likely to be difficult.

"Once the router is hacked, modifying the firmware or otherwise, it’s going to be damn near impossible for the home user to recover," said Jeremiah Grossman, the founder and CTO of WhiteHat Security in a Twitter update. ®