Security: Linux, Viruses, Malware, and Worms

Abstract:

Not long after the advent of The Internet, the creation of worms, viruses, and other malware had become prevalent. Microsoft based platforms were the original serious target, because of poor security measures. Over time, malware had started to attack Linux based Android mobile phones. Now, the latest attacks appear to be hitting Linux based consumer grade internet routers, which were originally used to help protect Microsoft Windows based platforms in the home. These attacks have spiked in the first two months of 2014.

[Huawei TP-Link image, courtesy rootatnasro]

2013-01-11 - How I saved your a** from the ZynOS (rom-0) attack!! (Full disclosure)

Hello everyone, I just wanted to discuss some vulnerability I found and exploited for GOODNESS .. just so that SCRIPT KIDIES won’t attack your home/business network .
Well, in Algeria the main ISP ( Algerie Telecom ) provide you with a router when you pay for an internet plan. So you can conclude that every subscriber is using that router . TD-W8951ND is one of them, I did some ip scanning and I found that every router is using ZYXEL embedded firmware.

[Linksys Router, courtesy ARS Technica]

2014-02-14 - Bizarre attack infects Linksys routers with self-replicating malware

Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.



[ASUS Warning, courtesy ARS Technica]

2014-02-17 - Dear Asus router user: You’ve been pwned, thanks to easily exploited flaw

"This is an automated message being sent out to everyone effected [sic]," the message, uploaded to his device without any login credentials, read. "Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection. You need to protect yourself and learn more by reading the following news article: http://nullfluid.com/asusgate.txt."
...
Two weeks ago, a group posted almost 13,000 IP addresses its members said hosted similarly vulnerable Asus routers.

Conclusions:
If you are doing any serious internet based work, one might suggest that care is taken to watch the firmware of your consumer grade internet router, and upgrade the firmware as they become available. If you are running a business, a commercial grade router with a managed service may be of special interest. A short PDF on "SOHO Pharming" helps clarify risks. The avoidance of Linux based Android phones or consumer grade Linux routers may be the next best step.

Security: Taret: Linux Network Devices

Security: Target: Linux Network Devices Abstract:
Widespread use of Microsoft operating systems on the desktop and server have been increasingly exploited by malware for dubious uses. The ever growing increased use of Linux on low-end network devices have made an interesting target for malware creators. Most recently, attacks using compromised Microsoft platforms have been targeting low-end Linux network devices.

History:
Malware, which cooperates with one another over the internet have been called Botnets. They have taken over Microsoft PC's and Servers, because of their ubiquitousness, across the globe. They can be very difficult to find and destroyed, as demonstrated by the Kneber botnet. First known activity for Kneber dates back to March 2009.

As the popularity of Linux grew, the movement of malware from Microsoft platforms to Linux platforms began

In January 2008, a DNS attack on DSL modems was discovered in Mexico. The 2Wire DSL modems were targeted, re-directing people from a Mexico bank to a site falsely demonstrating itself to be a bank.

In January 2009, the Psyb0t was discovered, targeting MIPS based Linux devices.

In February 2010, the Chuck Norris Botnet targeted D-Link Linux based devices.

Sometimes, the network devices are merely used to perform distributed denial of service attacks against corporations or entire nations, as what is happening in South Korea during March 2011.

These botnets are dangerous and could be used to infiltrate other devices on a network, which are then used to gather information, for the purpose of theft or other illegal nefarious behavior.

Enter: Elf_Tsunami.R
In March 2010, a new exploit has been discovered. Elf_Tsunami.R was uncovered by TrandLab. The D-Link DWL-900AP+ is vulnerable, as well as other devices. Formerly exploited Microsoft systems infected with malware can attack and infiltrate the Linux network devices on the local area network.

Elf_Tsunami.R leverages Internet Relay Check (IRC) servers as an independent transport, after the Linux network device is infiltrated, meaning PC anti-virus software can not completely clean out your network, after cleaning your PC.

Network Management Connection:
It has long been expected that Linux would remain more secure to attacks, over Microsoft based appliances, desktops, and servers. Linux consumer based devices, however, are widely available and do not necessarily meet the stringent security requirements for Enterprise and Managed Services networking infrastructure.

Caution should be taken when employing Microsoft and Linux platforms in an Enterprise and Managed Services networking infrastructure, because of the increased use of hybrid exploits. The possibility of infecting customer networks through their implementation is not out of the question, as demonstrated by millions of globally exploited systems and devices.