Mar 10, 2011 18:49 GMT

Security researchers warn of a new trojan that infects home routers by performing brute force attacks against their administration interfaces.

According to security vendor Trend Micro, the trojan is predominantly found in Latin America, which is also possibly where it originated.

The trojan is an ELF file, an executable format used on many UNIX-like operating systems such as Linux, Solaris, xBSD, and so on.

Preliminary investigation suggests the trojan is capable of mounting brute force attacks against routers using a predefined list of usernames and passwords.

So far, it is certain that it targets routers produced by D-Link; however, Trend Micro researchers don't exclude the possibility that the trojan works on others as well.

Detected as ELF_TSUNAMI.R, the malware displays botnet capabilities. Infected devices connect to an IRC server where they listen for commands from attackers.

There is not much detailed information about it at this point because analysis is ongoing, but this is not the first time malware has targeted routers.

Back in March 2009, the DroneBL project discovered a worm that infected routers and DSL modems running the Debian mipsel distribution.

The malware was very similar to the new trojan found by Trend Micro because it also connected to IRC and was capable of brute-forcing usernames and passwords.

In addition, the worm harvested usernames and passwords via deep packet inspection and by exploiting MySQL servers.

Its creator left a message on the IRC control channel claiming that the botnet, which reached 80,000 clients, was an experiment with no malicious intentions.

The possibility of this type of malware becoming more prevalent cannot be easily dismissed. In a study published in 2009, researchers from Columbia University's Intrusion Detection Systems Lab claimed there are up to six million remotely accessible embedded devices with default passwords connected to the Internet.