D-Link Routers Vulnerability Mass Scans
Suspicious port scanning that’s been tracked back to D-Link Inc. routers may mean a worm or bot is on the loose and infiltrating the popular brand’s devices using a three-year-old vulnerability, security researchers at Symantec Corp. said today.
The security company issued a warning Monday night to customers of its DeepSight threat notification service saying that there were “reliable reports” of an in-the-wild worm or bot that was attacking, then installing itself, on D-Link routers. By Tuesday, however, Symantec had taken a step back.
“After looking into it, we decided that that was a little misleading,” said Oliver Friedrichs, a director of Symantec’s security response team. “It’s unconfirmed at this point. But we have definitely seen an increase in attack activity, and that activity appears to be coming from other D-Link devices.” In other words, although Symantec’s researchers haven’t gotten their hands on a worm or bot sample, all the evidence points in that direction. “We suspect that it’s a bot,” he said.
The attacks against the D-Link routers begin with hackers scanning TCP port 23 for an active SNMP (Simple Network Management Protocol) service, a flaw that first showed up in D-Link router firmware in 2005. It looks like they’re exploiting the SNMP vulnerability to reset and reconfigure the administrative password on the routers, perhaps to conduct “drive-by pharming” attacks that change a router’s settings so its users are unknowingly directed to bogus or malicious Web sites instead of the real URLs.
Router vulnerabilities are up and attacks against routers are on the upswing, especially attacks that target devices used by consumers and small businesses to create wireless networks. Attackers are increasingly looking “beyond the desktop” for new places to install (and hide) their malware.
Friedrichs described the port scanning activity Symantec is seeing as “moderate” and said the researchers will continue to investigate. He and his team, however, had not been able to verify that the vulnerability had been patched, and if so, when, or which specific models of D-Link’s routers might be at risk.
D-Link officials did not respond to a call for comment.
D-Link router owners: make sure that your SNMP service is not exposed to the Internet.
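The following is an added example, not part of the original article or any Symantec tooling: a small detector that reads firewall log lines, flags sources probing the watched ports across many hosts, and lists watched ports the firewall let through. The log layout, addresses and threshold are constructed, and UDP port 161 (the standard SNMP port) is an assumption added alongside the TCP port 23 named in the article.

```python
import re
from collections import defaultdict

# TCP/23 is the port named in the article; UDP/161 is the standard SNMP port
# (an assumption added for this example, not stated in the article).
WATCHED = {("TCP", 23), ("UDP", 161)}

# Hypothetical iptables-style log layout; adapt the pattern to your firewall.
LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)"
)

def parse(lines):
    """Yield (action, src, dst, proto, port) for lines hitting a watched port."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and (m["proto"], int(m["dpt"])) in WATCHED:
            yield m["action"], m["src"], m["dst"], m["proto"], int(m["dpt"])

def find_scanners(lines, min_targets=3):
    """Sources that probed a watched port on >= min_targets distinct hosts."""
    targets = defaultdict(set)
    for _, src, dst, _, _ in parse(lines):
        targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

def exposed_services(lines):
    """Watched ports the firewall let through: these are the ones to close."""
    return {(dst, proto, port)
            for action, _, dst, proto, port in parse(lines) if action == "ACCEPT"}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
P = "Jan 10 03:12:0{} fw kernel: {} IN=eth0 SRC={} DST={} LEN=60 PROTO={} SPT=40112 DPT={}"
SAMPLE_LOG = [
    P.format(1, "DROP", "198.51.100.7", "192.0.2.10", "TCP", 23),
    P.format(2, "DROP", "198.51.100.7", "192.0.2.11", "TCP", 23),
    P.format(3, "DROP", "198.51.100.7", "192.0.2.12", "TCP", 23),
    P.format(4, "ACCEPT", "198.51.100.7", "192.0.2.13", "UDP", 161),
    P.format(5, "DROP", "203.0.113.5", "192.0.2.10", "TCP", 23),    # single probe
    P.format(6, "ACCEPT", "203.0.113.9", "192.0.2.10", "TCP", 443), # unrelated port
    "Jan 10 03:12:09 fw kernel: link up eth0",                      # not a packet line
]

if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"scanner {src}: {len(dsts)} hosts probed")
    for dst, proto, port in sorted(exposed_services(SAMPLE_LOG)):
        print(f"exposed {proto}/{port} on {dst}")
```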