New evidence suggests that Anonymous has begun using malware-infected home routers to launch DDoS attacks against various targets, particularly in the last few months. That’s the conclusion of a new report from the security firm Incapsula, which began detecting infected systems in December, 2014.
According to Incapsula, the attacks it has logged have come largely from ARM-based SOHO (small office/home office) routers based on Ubiquiti designs. Back in 2013, Ubiquiti devices were found to have a significant security flaw that allowed passwords and other data to be snooped from the hardware, but this exploit appears to have required a physical connection to the router. What Incapsula found is more serious — many Ubiquiti routers appear to have enabled HTTP and SSH logins by default and are using vendor-provided standard credentials. The company targets developing countries for its hardware, which explains the heavy concentration in East Asia.
(This is a good place to note that you should always change your router’s default login and password.)
The routers Incapsula examined were loaded with an average of 4 variants of MrBlack, a DDoS tool (137 variants of MrBlack were observed in total). Other software loadouts included DoFloo and Mayday (also DDOS tools) as well as Skynet, a backdoor program. In this case, the US is serving as the command and control center, with the majority of the routers launching the attacks located in Thailand and Brazil (85% of them). The command and control servers were located mostly in China, but the US accounted for a significant minority share, at 21.7%.
The self-replicating botnet tied to Anonymous
One interesting facet of the MrBlack infection is that infected routers have been tasked with spreading their infection to other devices. At least some of the routers scan for open SSH ports and then attempt to access them using default credentials.
Here’s a fun tidbit. When I saw this story flash across the DailyDot, I noted that the publication had chosen to embed the original report from Incapsula in Scribd. Interestingly enough, the version of the report preserved on Scribd doesn’t match the current version on Incapsula’s own webpage. Specifically, the Scribd version refers to command and control servers reporting to AnonOps.com, a known IRC channel for the organization. This information is missing from the current online report.
It’s not clear why this was redacted or what the link between Anonymous and the MrBlack malware package is suspected to be. It’s certainly possible that elements within Anonymous are just one group that’s exploiting router security for its own gain.
Either way, change the admin login/password combo on your router. Between this, GPU malware, and hard-driving killing Rombertik, old-fashioned pencil and paper are starting to look like a decent computing alternative.
