All News | Boards | Chips | Devices | Software | Archive | About | Contact | Subscribe
Follow LinuxGizmos:
Twitter Facebook Pinterest RSS feed
*   get email updates   *

Linux routers under attack — for their own good

Oct 5, 2015 — by Eric Brown 1,870 views

Symantec reports on an unusual “Linux.Wifatch” threat that improves the security of old Linux routers. Meanwhile, a new XOR botnet poses a deadlier threat.

Linux may still be the most secure general-purpose OS in existence, but as its presence grows in the embedded and Internet of Things (IoT) market, it’s increasingly being targeted by malware. Linux-based routers with outdated firmware (see farther below) and wireless enabled home automaton devices seem particularly vulnerable.

On Oct. 1, Symantec’s Mario Ballano posted an alert about an oddball piece of invasive code called Linux.Wifatch that attaches to Linux routers. The catch is that it appears to be helping the devices improve their security by distributing threat updates.

Linux.Wifatch message
(click image to enlarge; source: Symantec)

The Linux.Wifatch viglanteware was first detected last year by a security researcher who noticed his router had been hijacked and turned into a “zombie connected to a peer-to-peer network of infected devices.” An updated version that appeared in April of this year is written mostly in Perl. The Wifatch code loads its own Perl interpreter onto the router, and then tries to “harden compromised devices” by remediating malware infections and distributing threat updates to all the peer-to-peer connected routers. It also leaves a message to the owner to update the firmware.


Linux.Wifatch does not obfuscate the code, leaving it open to inspection. Although it includes several backdoors that could be “used by the author to carry out potentially malicious actions,” cryptographic signatures are included that are intended to limit changes to the malware’s creator, writes Ballano. The malware can be removed by resetting the device, but there is no way to stop it from re-invading unless you update your device’s software and firmware.

According to Ballano, Linux.Wifatch appears to exploit devices that have Telnet connections with weak credentials. Symantec estimates that tens of thousands of devices have been infected, 83 percent of which run on ARM processors. A third of the infected devices are found in China, followed by Brazil (16 percent), Mexico and India (9 percent each), and Turkey and Vietnam (7 percent each). The U.S. represents 5 percent of Linux.Wifatch infected devices.

XOR Botnet does 150 Gpps DDOS

An Oct. 1 blog post by Jack Wallen warns about a much more serious botnet spread by Linux embedded Linux systems with out-of-date firmware. The distributed denial-of-service (DDoS) botnet is spread via a trojan called XOR, and is capable of quickly crippling a website with a 150 Gpps (giga packets per second) DDoS attack, writes Wallen.

Typically, the botnet goes after routers with old firmware that are unprepared for modern DDOS attacks. It and worms its way into SSH access by exploiting weak passwords, then downloads more files and seeks out other XOR-infected devices.

As Wallen notes, recent Linux kernel releases have added security code that would likely protect you against such an attack, even if you use “password” as your password. Yet, most low-end routers lack OTA updates for their firmware, or even notify users about updates that can be downloaded, if they’re available at all. The same goes for many other Linux-based embedded and IoT gizmos.

Wallen suggests that users check their routers by gaining shell access and issuing the command “uname -r.” He tried one modern Asus router and found a Linux kernel that was released in 2009 and is no longer maintained by Linux kernel developers. Even DD-WRT firmware is using old kernels, he adds.

Many higher-end routers, such as Google’s $200 OnHub are being billed as a worthwhile investment considering the potential for attacks on Linux routers. Home automation devices provide another target especially for identity thieves, or those who want to hijack your security system to break in and rob your house. Google’s Nest is promoting its Weave IoT stack for offering application-specific encryption keys, so even if malicious hackers break into one device, they won’t automatically gain access to others, such as a door lock.

(advertise here)

Print Friendly, PDF & Email

Please comment here...