A tale of rogue firmware with a backdoor. More than 10 major vendors are affected worldwide. The exact number of devices is unknown, but by our online count there are more than 200k devices online, plus an unknown number of devices from other vendors and offline devices.
The full description paper is available at http://blog.ensolnepal.com. The research above was recently presented at the International Conference on Cyber Security and Cyber Law 2015 (Feb 21), held at Hotel Yak and Yeti, Kathmandu, Nepal, by Nabin KC (@N_Cnew) and Bijay Limbu Senihng (@bhutabe). http://www.ekantipur.com/the-kathmandu-post/2015/02/20/money/global-meet-on-cyber-security-law-starts/273454.html
14. This is not the End...
➢ Case of Copyright Infringement
15. This is not the End...
➢ Copyright Infringement (Contd..)
16. This is not the End...
➢ Copyright Infringement (Contd..)
17. Are they just Copyright Infringement or really a Rogue?
18. Let's clear the confusion
● Tried to upload their vendor's firmware
19. A Rogue Router Firmware ;-)
200k online devices + (unknown number offline) affected worldwide (approximately)
20. How can it be used?
Botnet (used for DDoS attacks, APT attacks)
Personal proxy network, aka my personal Tor
Free Wi-Fi map (I am not Mark Zuckerberg, but I can help make a free Internet world)
28. Moral of the Story
● Know your devices and your vendor
● Creating a hard time for an attacker is a win-win situation. Use as much defense as you can.
● The best way to protect a home router is to disable Remote Management if you don't need it.
● Try open-source firmware if your device supports it (e.g. OpenWrt)
P.S. No routers were harmed or used for illegal purposes during our research.
This presentation revolves around the story of the user, the router and the Internet.
Let's begin our story. This is a story between a router and a user in the Internet world. In this story, the user's need, i.e. to communicate with the world, has been fulfilled by the router, and both are happy together to be part of the Internet.
There was a time when you had to pay 1000 rupees just to use the Internet for one hour. The story has changed: Internet users have increased, the number of router and AP devices has increased, and home router sales have increased.
There are more than 5 routers in a house, per flat; some even have a router and Internet per room. But with that, exploitation and vulnerabilities have increased too. The sad part is that our tolerance level after being attacked has also increased with it.
But in the parallel universe, there is an ongoing war between the Red Team and the Black Team. One tries to protect, then the other tries to break.
Yesterday one of the speakers said that bad guys don't sleep. That may be true: they don't sleep, and when we do more than enough... that is the best time to attack.
Different security issues have been identified in home routers, and here nobody seems to be concerned about these issues. CV-2014-8496 is a session hijacking bug that takes control over the router, with a score of 10/10, but what I have seen is that most people don't care.
The problem of using default credentials is already there.
Let me introduce a real-world scenario of the user and the attacker, and how it is done first.
Our PCs, phones and laptops are behind the router while using the Internet. Let's say your device is online with default credentials, I mean you have not changed the default password, which in most cases is admin/admin. Then the attacker will log in to your router and change the DNS to his personal DNS server.
DNS is just an advisor which shows you the way to the destination. What really happens is that the hacker now has control over your path. Compare it with a metro train, which most of you have probably travelled on a lot: when I change the DNS, it means that now I will be the one who decides where your train goes, though it will be showing you the same location address. This means you decide to go to Pokhara and I can drop you at Dharan saying it is Pokhara. I know we will soon figure it out, but what if an unknown person is dropped there? He won't figure it out until it's too late. That is what happens here in the Internet world.
I can now point you to book.com when you type facebook.com. I know no one will be happy about that. This can be exploited in many ways, like phishing.
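A defender-side check for the DNS rewrite described above, as an added example that is not part of the talk: it compares what the router-advertised resolver answers against a trusted resolver for a few sensitive domains, and checks that the resolver the router hands out is one you expect. The resolver tables, domains and IP ranges are constructed placeholders.

```python
"""Spot router-level DNS hijacking of the kind described above.
Added example, not from the talk. The two resolvers are constructed
lookup tables standing in for real DNS queries; plug in a real query
function (e.g. dnspython against a given server) to use it live."""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], str]  # domain -> IPv4 answer as a string

# Domains a hijacker most wants to redirect (constructed watchlist).
WATCHLIST = ["facebook.com", "mail.example", "bank.example"]

# Where the router is allowed to send DNS: the router itself on the LAN and
# the ISP's resolver range (203.0.113.0/24 is a constructed placeholder).
EXPECTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("203.0.113.0/24")]


def resolver_is_expected(resolver_ip: str) -> bool:
    """True if the DNS server the router hands out via DHCP is one we expect.
    An attacker who changed the router's DNS setting fails this check."""
    return any(ip_address(resolver_ip) in net for net in EXPECTED_RESOLVERS)


def find_hijacked(router: Resolver, trusted: Resolver,
                  domains: List[str] = WATCHLIST) -> List[Tuple[str, str, str]]:
    """Return (domain, router_answer, trusted_answer) for each watched domain
    where the router's resolver disagrees with a trusted one. CDN-hosted
    names can legitimately differ by region, so treat hits as leads and
    confirm with a second trusted resolver before calling it a hijack."""
    hits = []
    for name in domains:
        a, b = router(name), trusted(name)
        if a != b:
            hits.append((name, a, b))
    return hits


# Constructed sample data: the trusted answers, and a router resolver that
# has been repointed so facebook.com lands on an attacker-controlled host.
TRUSTED: Dict[str, str] = {"facebook.com": "198.51.100.10",
                           "mail.example": "198.51.100.20",
                           "bank.example": "198.51.100.30"}
HIJACKED: Dict[str, str] = dict(TRUSTED, **{"facebook.com": "192.0.2.66"})


def demo() -> List[Tuple[str, str, str]]:
    """Run the comparison on the constructed data."""
    return find_hijacked(HIJACKED.__getitem__, TRUSTED.__getitem__)


if __name__ == "__main__":
    print("router DNS expected:", resolver_is_expected("192.0.2.66"))  # False
    for hit in demo():
        print("MISMATCH", hit)
```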
But here I will show you the worst case.
Most of the time our PCs are behind the router with a private IP address, not like a server.
So a PC cannot be attacked directly unless the victim clicks on some malware. But what about the case where the user tries to update their software to stay secure?
It is a good habit to frequently update your applications and OS, right? Let's see.
Leak your information
Use your credentials and hire an unemployed guy to cash out the money, as yesterday; send mail on your behalf; steal your documents and identity.
The poor router has been hacked, and the devices connected to the router were compromised too. Now the user is concerned about his router security and changes his default username and password.
Recently a group called Lizard Squad used a DDoS attack against Sony, which was possible due to botnets. And those botnets were created by hacking routers, in a similar way to what we demonstrated earlier.
It was a regular day in my office.
I was using the Internet, doing some office work as well as research, when the router started going down frequently and not responding; let's say a bottleneck occurred frequently. Later I dug into the cause of it and found that my other friend was using nmap scripts for this research.
Now I needed to find a solution, as I could not tell him not to use nmap, right?
It is not possible to tell a soldier to drop his gun when you are fighting a war.
What other options did I have?
Then I started digging for a solution and came up with some options which were available to try: one was to upgrade the firmware, the other was to upload some open-source firmware if the device supported it. Neither worked for me: neither did the vendor have new firmware, nor did the open-source community have a compatible firmware for it. So I had a third option: customize the firmware for the solution. So I started reverse engineering the firmware and reading the code, and there, bad luck or...
I found something interesting which I had heard about in the daily news: it was a backdoor.
Not Superman's phone number,
but credentials as powerful as him.
It was a hardcoded backdoor: super / super
Really
I verified it and it worked. Now let me ask you one thing: is it really the fault of whoever wrote this code,
or was it the fault of the guy who forgot to put a sticker of
super / super along with admin / admin as the default one?
I guess.
After getting the info about the backdoor, we did more research. During our research, we tried to find similar security issues in other models. To find them, we inspected the router's HTTP headers and used that info in a Shodan search to find similar models. Surprisingly, what we found was that the same issue is present in the routers of other vendors too.
This is the list of affected router models.
If you are asking whether I photoshopped any of the images, as one of the presenters changed the make, then let me tell you that I am not that good with Photoshop; if not, I can provide those images to him for forensics.
Did you find any difference there?
Let's try the other one.
Did you notice here?
Yes, there is a difference. If someone is good at the game "find the difference", he/she would have found it already.
I end this here; if I go on showing those images, this presentation could be just that. Let me tell you what the difference really was: it was the company logo.
I was really confused, and my face was worse than his if I had been pictured.
Companies could have signed with and sold to each other; I don't
know that.
How can we find out?
I started checking the MAC addresses of the devices in publicly available databases and got really interesting stuff.
Prolink router MAC addresses show up as TRENDnet and too many retailers I have never heard of.
I also came to know that many vendors use third-party hardware for their products, so the above cannot tell you the 100% truth.
What other options are there to find out?
The best and easiest way was to try to upload the vendor-provided firmware: if it is their product, then it should certainly accept their firmware, right?
A lot of devices did not accept it. This means the devices we buy, claiming to be from a company, may not be the real thing, regardless of the company sticker attached to them.
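The MAC-address check above, in code, as an added example that is not from the talk: it normalises a MAC, looks up its OUI in a registrant table and compares the registrant with the brand on the sticker, treating locally administered addresses and ODM hardware as the caveats the text points out. The OUI table and the brand names in it are constructed placeholders, not real registry entries.

```python
"""Cross-check the brand on a router's sticker against the registered owner
of its MAC address prefix (OUI), the check described above. Added example,
not from the talk. OUI_TABLE is a constructed placeholder; for real use,
load the IEEE MA-L registry (oui.txt) into the same dict shape."""
import re
from typing import Dict, Optional

# Constructed OUI -> registrant table (placeholder prefixes, not real ones).
OUI_TABLE: Dict[str, str] = {
    "001122": "VendorA Networks",   # a brand that builds its own boards
    "00A0B0": "OEM Factory Ltd",    # an ODM whose boards are sold under many brands
}


def oui_of(mac: str) -> str:
    """First three octets as uppercase hex; accepts 00:11:22:..., 00-11-22-...,
    Cisco-style 0011.2233.4455 and bare 001122334455 forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits[:6].upper()


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the MAC was assigned locally
    (e.g. by firmware or an admin), so it carries no vendor information."""
    return bool(int(oui_of(mac)[:2], 16) & 0x02)


def check_label(mac: str, label_vendor: str,
                table: Dict[str, str] = OUI_TABLE) -> Dict[str, Optional[str]]:
    """Compare the brand on the label with the OUI registrant.
    A mismatch is a lead, not proof: many brands ship ODM hardware, so
    confirm with a second check such as whether the device accepts the
    brand's own firmware image."""
    oui = oui_of(mac)
    if is_locally_administered(mac):
        return {"oui": oui, "registrant": None, "verdict": "no vendor data"}
    registrant = table.get(oui)
    if registrant is None:
        verdict = "unknown OUI"
    elif label_vendor.split()[0].lower() in registrant.lower():
        verdict = "label matches OUI"
    else:
        verdict = "label does not match OUI: possible rebrand"
    return {"oui": oui, "registrant": registrant, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: a device labelled "BrandX" whose OUI belongs to an ODM.
    print(check_label("00:A0:B0:12:34:56", "BrandX"))
```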
At the time of our research, 200k online devices were affected. So from this calculation we can say approximately half a million devices (combining offline and online) are affected.
With this issue arises a question: who is responsible and whom should we blame?
A vendor, who makes the router?
Or the government, which allowed false devices to be sold?
Or a consumer, who is not bothered to buy a genuine device?
We sometimes download malware, knowingly or unknowingly, but we still have some defense systems, right?
We have at least a few watchguards who will be chasing and stopping those, right?
Let's see how others think, or in this picture.
There is always a way.
There are a lot of ways to do it. I won't explain here how it can be done because of time; otherwise it could be a separate talk. But recently one of the cool ways I read about was released at DEF CON 22, which works in most cases.
You can find it online if you are interested.
Everyone here knows about VirusTotal.
If not, it is a cloud-based antivirus service where you can upload any executable to check whether it is malicious or not. It will check the executable against 57 major antivirus engines on the server and give you the result.
A default payload generated with Metasploit: 36 antivirus engines detected it. Just 36; I was hoping at least 50 would, as it is open source and companies can find out how those are created and catch them.
Second, I created a PowerShell HTTPS reverse shell script and did a little encoding. It really showed its power and dropped the detection level to 10, and only a few of those were major vendors; the others were vendors whose names I had never heard of.
Let's try one more time: with a little more research and by combining a few more techniques, I was able to create a malware with zero detections.
Users are aware, but what can they do when their devices are backdoored and they don't know about it?
Recently Lenovo laptops were considered to be downgrading HTTPS encryption; WD and a lot of hard drives are also considered backdoored.
Better know what you are buying; don't use counterfeit devices to save on cost. One day it can cost you more than you imagine.
Don't leave your device misconfigured; if you do, there are a lot of guys ready to do it for you, but in a bad way.
There is a tale: creating a hard time for an attacker is a win-win situation too.
Use antivirus; it won't give 100%, but it will save you from a lot of malware.
- Better to use multiple antivirus products from two different countries, if your PC's resources can handle it, as one antivirus can catch the viruses the other misses and vice versa. Mostly corporates should be a little concerned about this.
If everyone here is aware of the internal cyberwar going on, then you have probably already understood what I have been trying to say.
If your device supports it, try going for open-source firmware; they are great (OpenWrt).