[Infowarrior] - DSL modem hack used to infect millions with banking fraud malware

Richard Forno rforno at infowarrior.org
Tue Oct 2 07:19:18 CDT 2012


(c/o AJR)

DSL modem hack used to infect millions with banking fraud malware

Even when PCs are locked down, modems and routers can still be compromised.

by Dan Goodin - Oct 1 2012, 2:35pm EDT

http://arstechnica.com/security/2012/10/dsl-modem-hack-infects-millions-with-malware/

Millions of Internet users in Brazil have fallen victim to a sustained attack that exploited vulnerabilities in DSL modems, forcing people visiting sites such as Google or Facebook to reach imposter sites that installed malicious software and stole online banking credentials, a security researcher said.

The attack, described late last week during a presentation at the Virus Bulletin conference in Dallas, infected more than 4.5 million DSL modems, said Kaspersky Lab Expert Fabio Assolini, citing statistics provided by Brazil's Computer Emergency Response Team. The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.

"This is the description of an attack happening in Brazil since 2011 using 1 firmware vulnerability, 2 malicious scripts and 40 malicious DNS servers, which affected 6 hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems," Assolini wrote in a blog post published on Monday morning. "This enabled the attack to reach network devices belonging to millions of individual and business users, spreading malware and engineering malicious redirects over the course of several months."

Assolini said the mass attack was the result of a "perfect storm" brought on by the inaction of a variety of key players, including ISPs, modem manufacturers, and the Brazilian governmental agency that approves network devices, but failed to test any of the modems for security.

It remains unclear which modem manufacturers and models are susceptible to the attacks. Assolini said a vulnerability disclosed in early 2011 appears to be caused by a chipset driver included with modems that use hardware from communications chip provider Broadcom. It allows a CSRF attack to take control of the administration panel and capture the password set on vulnerable devices. Assolini doesn't know precisely when, but at some point attackers began exploiting the vulnerability on millions of Brazilian modems. In addition to pointing the devices to malicious DNS servers, the attackers also changed the device passwords so it would be harder for victims to change the malicious settings.

The attacks were recorded on modems from six manufacturers, five of whom are widely marketed in Brazil and several that are among the most popular. In an e-mail, a Kaspersky spokesman said the firm isn't publishing the affected manufacturers or models at this time.

"The negligence of the manufacturers, the neglect of the ISPs and ignorance of the official government agencies create a 'perfect storm,' enabling cybercriminals to attack at will," Assolini wrote.

People who connected to the Internet using a compromised modem were routed to imposter websites when they attempted to visit sites such as Google, Facebook, and Orkut. In some cases, the malicious sites exploited vulnerabilities in Oracle's ubiquitous Java software framework to silently install banking fraud malware when the booby-trapped websites were accessed. In other cases, users were told they should install a software plug-in so their computers would be able to take advantage of recent changes made to the sites. Attacks were recorded on all major Brazilian ISPs, with some providers seeing about 50 percent of their users affected, Assolini said.

One of the 40 DNS servers used in the attack that was later accessed by authorities showed more than 14,000 victims had connected to it. During his presentation, Assolini displayed an Internet chat in which one of the hackers claimed to earn "more than 100,000 Reais (approximately $50,000) and would spend his ill-gotten gains on trips to Rio de Janeiro in the company of prostitutes," according to a write-up by Graham Cluley, a senior technology consultant at antivirus provider Sophos.

With an attack this effective and easy to exploit, it wouldn't be surprising to learn the countries other than Brazil have also been targeted. Last year Kaspersky Lab researchers reported a similar attack hitting Mexico.

The mass attack is concerning because it successfully targeted devices few of us spend much time trying to secure. With so much emphasis spent on locking down computers, it's worth remembering that the modems and routers can also be exploited to steal banking passwords and other online assets. The vulnerability is even more alarming since the list of affected manufacturers and models is still unknown. Users who want to protect themselves should make sure their modems are using the latest available firmware, although based on what we know now, there's no guarantee the latest release has been patched against the exploited CSRF flaw.

---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.



More information about the Infowarrior mailing list