Long have criminals relied on web servers to distribute their malware to unsuspecting users and businesses. At least one crime gang, however, is going one step further and using personal wireless routers to deliver password-stealing crimeware. Wireless routers, like web servers, are particularly vulnerable for two reasons: they consistently present an attack surface exposed to the internet, and, like all servers, they typically contain a login portal that can get an attacker into a vulnerable section of the network.
Recent research has shown that crooks are using wireless routers to deliver Dyre malware, which can be used to steal bank account information. Dyre is a Trojan downloader, most often distributed via malicious emails containing links that direct users to servers hosting malicious code, or redirections to the malicious payload.
The user may simply see what looks like a business invoice in a PDF file. They click the link, and the file opens, installs, and reaches out to the Upatre control server, which downloads Dyre. According to Symantec, Dyre is highly sophisticated and can hijack all three major web browsers in order to obtain login information for banking sites. Researchers from the Fujitsu Security Operations Center in Warrington, UK, began tracking the Upatre botnet being served from the wireless routers. For reasons that are not yet clear, MikroTik and Ubiquiti AirOS routers are the devices being targeted.
Leading threat analyst at Fujitsu, Bryan Campbell, said this about the attacks:
“We have seen literally hundreds of wireless access points and routers connected in relation to this botnet, usually AirOS. The consistency with which the botnet is communicating with compromised routers, in relation to both distribution and communication, leads us to believe known vulnerabilities are being exploited in the firmware, which allows this to occur.”
Currently it's believed that the attackers are simply exploiting routers on which the default username and password are still in use. For example, “ubnt” can be used as both the username and password to log in to the routers and open up ports into the victim's network. A router usually has two IP addresses, an external one and an internal one. From the outside, anyone in the world can log in if they know the username and password. Administration from the external side is usually disabled, but the internal web server is almost always enabled for router administration.
Why should you care?
Last year, botnets running on compromised routers knocked Microsoft's Xbox and Sony's PlayStation networks offline. Compromised routers not only open up vulnerabilities into your personal network; your machines may also be spreading this malware, which is stealing bank account information from users globally.
What can you do?
Change your default credentials. Log in to your personal router, typically at 192.168.1.1 or 192.168.0.1, and see whether the default username and password still work. If so, change them as soon as possible. This link can help you find the default IP address for most routers, and here is a decent tutorial for finding the IP address of the router if you're having trouble locating it. As always, let's try to make life a little more difficult for the criminals.
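As an added example (not part of the original post), here is a small defender-side audit of router login events that flags the two conditions described above: administrative logins arriving on the external side, and logins with a vendor-default account such as "ubnt". The log lines are constructed in MikroTik RouterOS syslog style, which is an assumed format; the "admin" default account and the private LAN ranges are assumptions as well.

```python
"""Audit router login events for WAN-side admin access and vendor-default accounts."""
import ipaddress
import re

# "ubnt" is the default named in the article; "admin" is an assumed common default.
DEFAULT_ACCOUNTS = {"ubnt", "admin"}

# Assumed MikroTik RouterOS syslog wording for successful and failed logins.
SUCCESS_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<src>[\d.]+) via (?P<svc>\w+)")
FAILURE_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<src>[\d.]+) via (?P<svc>\w+)")

# Constructed sample log: a LAN user, WAN-side guessing then success on "ubnt", a LAN "admin" login.
SAMPLE_LOG = """\
system,info,account user alice logged in from 192.168.1.20 via web
system,error,critical login failure for user ubnt from 203.0.113.7 via web
system,error,critical login failure for user ubnt from 203.0.113.7 via web
system,info,account user ubnt logged in from 203.0.113.7 via web
system,info,account user admin logged in from 192.168.1.30 via winbox
""".splitlines()


def parse_login(line):
    """Return {"user", "src", "svc", "ok"} for a login event line, else None."""
    m = SUCCESS_RE.search(line)
    ok = True
    if m is None:
        m = FAILURE_RE.search(line)
        ok = False
    if m is None:
        return None
    return {"user": m["user"], "src": m["src"], "svc": m["svc"], "ok": ok}


def audit(lines, lan_networks=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """Return (src, user, reason) findings; the LAN ranges are an assumption, adjust to yours."""
    lan = [ipaddress.ip_network(n) for n in lan_networks]
    findings = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in lan):
            # Admin access arriving on the external address, which should normally be disabled.
            outcome = "succeeded" if ev["ok"] else "attempted"
            findings.append((ev["src"], ev["user"], f"admin login {outcome} from outside the LAN"))
        if ev["ok"] and ev["user"] in DEFAULT_ACCOUNTS:
            findings.append((ev["src"], ev["user"], "vendor-default account still in use"))
    return findings
```

Running `audit(SAMPLE_LOG)` on the constructed log yields five findings: two external attempts and one external success on "ubnt", plus the "ubnt" and "admin" default-account logins.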