The rise of the Chuck Norris botnet

Feb 22, 2010 16:33 GMT  ·  By

Czech security researchers warn of a worm-like piece of malware infecting Linux-based routers, DSL modems and other embedded devices. The infected devices form a botnet capable of launching Distributed Denial of Service (DDoS) attacks.

According to a report from Computerworld, the researchers have named the worm Chuck Norris, after a comment found in the malware code, which reads, "In nome di Chuck Norris," Italian for "in the name of Chuck Norris." Jan Vykopal, the head of the network security department with Masaryk University's Institute of Computer Science in Brno, the Czech Republic, explains that poorly configured devices are specifically at risk of being infected with this new threat.

According to Mr. Vykopal, the worm is resident in memory and does not survive hardware reboots. But this is unlikely to make much of a difference to the botnet, since networking devices are rarely restarted and, even if one is, it would get reinfected shortly afterwards.

The worm employs several propagation techniques, including brute force attacks and exploiting vulnerabilities. Infected devices scan both their internal networks and the Internet for other potential targets and attempt to log into their administrative interfaces using the default credentials.
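The propagation behaviour described above, an infected device trying default administrative credentials against neighbours over a short period, leaves a recognisable trace in a router's authentication log. The following is an added example, not code from the article or from the Masaryk University researchers: it parses constructed syslog-style login lines (the line format, the field names and the addresses are assumptions for this example) and flags sources that fail repeatedly inside a short window, and sources that succeed only after a run of failures.

```python
"""Added example: detect default-credential login bursts against a
router's admin interface from syslog-style lines (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines; the format and addresses are assumptions,
# not output from any real device.
SAMPLE_LOG = """\
2010-02-22T16:30:01 router login: FAILED user=admin from=203.0.113.7 via=telnet
2010-02-22T16:30:02 router login: FAILED user=root from=203.0.113.7 via=telnet
2010-02-22T16:30:03 router login: FAILED user=admin from=203.0.113.7 via=telnet
2010-02-22T16:30:04 router login: FAILED user=admin from=203.0.113.7 via=telnet
2010-02-22T16:30:05 router login: OK user=admin from=203.0.113.7 via=telnet
2010-02-22T16:31:10 router login: OK user=alice from=192.168.1.20 via=http
2010-02-22T16:45:00 router login: FAILED user=admin from=198.51.100.9 via=telnet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login: (?P<result>OK|FAILED) user=(?P<user>\S+) "
    r"from=(?P<src>\S+) via=(?P<proto>\S+)$"
)


def parse(log_text):
    """Turn matching lines into dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failed logins inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def detect_success_after_failures(events, min_failures=2):
    """Sources that logged in successfully after repeated failures: the
    pattern a credential-guessing scanner leaves when a default password works."""
    fails = defaultdict(int)
    hits = []
    for e in events:  # events are assumed to be in time order
        if e["result"] == "FAILED":
            fails[e["src"]] += 1
        elif fails[e["src"]] >= min_failures:
            hits.append((e["src"], e["user"], e["ts"].isoformat()))
    return hits


def analyse(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {
        "bruteforce_sources": detect_bruteforce(events),
        "guessed_logins": detect_success_after_failures(events),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

On the constructed sample, 203.0.113.7 is flagged by both checks (four failures in four seconds, then a successful `admin` login), while the single failure from 198.51.100.9 and the clean login from the LAN address are not. On a real device the same logic would run over the appliance's own syslog output after adjusting `LINE_RE` to its format, and a successful login from an address outside the management network is the event worth alerting on regardless of the failure count.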

It is a well-known fact that a lot of people, particularly home users, fail to change the default passwords for their routers or cable modems. Last year, researchers from the Intrusion Detection Systems Lab at Columbia University estimated that as many as six million vulnerable embedded network devices were connected to the Internet. Their study revealed that 41.62% of such devices were running on factory settings.

But, sometimes, ISPs are to blame just as much as home users. Back in October, we reported that Time Warner had mass-deployed tens of thousands of insecure routers to its customers. Not only that, but their set-ups also prevented users from securing the devices on their own.

According to the experts, the "Chuck Norris" botnet comprises MIPS-based devices spread across the globe, from routers to TV receivers. The army of zombie embedded systems is controlled from IRC and has crippling Denial of Service capabilities. The infected devices can also be commanded to replace the default DNS servers with some under the attacker's control.

A router-based botnet is rare, but not unprecedented. Last year in March, the team at DroneBL discovered a similar threat, which reached 80,000 clients before being destroyed by its maker. Given the striking similarities between the two, they might even be related.