Once again, cybercriminals are leveraging default passwords with malcode named after Chuck Norris. What's unusual is that the targets are not computers.
Untold numbers of experts have written about the importance of changing default settings on IT-related hardware. One example of why that's important is Psyb0t. That particular malware rapidly compromised over 100,000 devices simply because default passwords were not changed.

New contender
While researching botnet constructs for an upcoming article, I came across a post in the Prague Daily Monitor: Czech experts uncover global virus network. Not exactly what I was looking for, but my curiosity got the best of me.
The article describes how Mgr. Jan Vykopal (chair of Masaryk University's Network Security Department), while working for the Defense Ministry, uncovered an extensive network of zombie gateway devices. Vykopal mentions:
"Modems were among the attacked devices as they are only poorly protected. The viruses were able to deflect the communication of Internet users to servers where they could be wiretapped."

Similar exploit
I then realized the malware Vykopal uncovered was similar to Psyb0t. Both rely on the same two factory-default conditions being in place on the device:
- Remote login to the device is allowed.
- The default username and password for remote login have not been changed.
For argument's sake, say the malware becomes entrenched in a network's Internet gateway. That means the following is available to the attacker:
- The malware can block access to the infected device, locking its owner out of the administration interface.
- The local network can be scanned for other vulnerable hardware.
- The infected appliance can assist in distributed denial of service attacks.
- The malware could launch password dictionary attacks on local computers.
- The attacker can change the gateway's DNS settings.
Changing DNS settings is the worrying one. While researching an article about drive-by pharming, I learned how easily malware that controls a gateway's DNS settings can redirect Web browsers to malicious Web sites and their download droppers.

One good thing
For some reason, the malware developer decided to control the botnet via IRC. That centralized design lets analysts identify and shut down the command and control servers, which limits how long the botnet stays useful to its operator. Also, the malware resides only in the device's RAM, so a restart removes it. The catch is that a rebooted device with remote login still enabled and the default password still in place is simply reinfected, so the reboot has to come after the settings are fixed.

Preventative measures
Fortunately, this malware is easy to avoid. The following steps, in this order, should keep your network's gateway device safe:
- Disable remote (WAN-side) administration.
- Change the default username and password.
- Use a strong password.
- Disable Universal Plug and Play (UPnP).
- Reboot the device to flush the memory-resident malware.
- Check for firmware updates and install any that are found.
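To make the two conditions above and the hardening checklist concrete, here is a small audit script I added for this article; it is not code from the article, from Vykopal's team, or from any router vendor. It parses a key=value snapshot of a gateway's configuration and reports each of the weaknesses the checklist targets, flagging the combination of remote login plus default credentials as the wormable case. The key names (`remote_admin_enabled`, `admin_password`, and so on), the default-credential list, the "latest firmware" version, and both config snapshots are constructed for illustration and are not a real device's format.

```python
"""Audit a gateway config snapshot for the weaknesses in the article's
checklist. Added example; key names, credentials and configs are assumed."""
import re

# Constructed sample of factory-default credential pairs (illustrative only).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("admin", ""), ("root", "root"), ("root", "admin"),
}

# Assumed: the newest firmware build the vendor ships for this model.
LATEST_FIRMWARE = "2.1.7"

# Constructed snapshot of a gateway left at factory defaults.
WEAK_CONFIG = """
model=HomeGW-200
firmware_version=1.0.3
# WAN-side telnet/HTTP administration
remote_admin_enabled=1
remote_admin_port=23
upnp_enabled=1
admin_user=admin
admin_password=admin
"""

# The same device after the checklist above has been applied.
HARDENED_CONFIG = """
model=HomeGW-200
firmware_version=2.1.7
remote_admin_enabled=0
remote_admin_port=23
upnp_enabled=0
admin_user=gwowner
admin_password=Tq7!vX2#mLp9zR
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def password_is_strong(pw: str) -> bool:
    """At least 12 characters drawn from three of the four character classes."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= 12 and sum(bool(c) for c in classes) >= 3


def version_tuple(v: str) -> tuple[int, ...]:
    """Turn '2.1.7' into (2, 1, 7) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def audit_gateway(cfg: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    creds = (cfg.get("admin_user", ""), cfg.get("admin_password", ""))
    remote_admin = cfg.get("remote_admin_enabled") == "1"
    default_creds = creds in DEFAULT_CREDENTIALS

    if remote_admin:
        findings.append("remote administration reachable from the WAN on port "
                        + cfg.get("remote_admin_port", "?"))
    if default_creds:
        findings.append(f"factory-default credentials in use {creds!r}")
    # Both conditions together are what Psyb0t-style worms need.
    if remote_admin and default_creds:
        findings.append("CRITICAL: remote login + default credentials (wormable)")
    if not password_is_strong(creds[1]):
        findings.append("admin password does not meet strength policy")
    if cfg.get("upnp_enabled") == "1":
        findings.append("UPnP enabled")
    fw = cfg.get("firmware_version", "0")
    if version_tuple(fw) < version_tuple(LATEST_FIRMWARE):
        findings.append(f"firmware {fw} is older than {LATEST_FIRMWARE}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_gateway(parse_config(text)) or ["no findings"]:
            print("  -", finding)
```

Run against the factory-default snapshot the script reports six findings, including the CRITICAL wormable combination; the hardened snapshot produces none. On a real device you would feed it the output of whatever configuration dump the firmware offers, after mapping that vendor's key names onto the ones assumed here.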
I guess the developer of this particular malcode is a Chuck Norris fan, hence the moniker:
"The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: 'in nome di Chuck Norris', which means 'in the name of Chuck Norris'."
I'd be okay with the name if that's what everyone would use. Sadly, that never seems to happen. I wonder how many different names this Chuck Norris malware will eventually have.

Final thoughts
Luckily, not becoming part of the Chuck Norris botnet is relatively easy. If it doesn't seem that way, please let us know in the comment section. TechRepublic members are more than willing to help.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.