Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 26th, 2008

D-Link Routers Vulnerability Mass Scans

Suspicious port scanning that’s been tracked back to D-Link Inc. routers may mean a worm or bot is on the loose and infiltrating the popular brand’s devices using a three-year-old vulnerability, security researchers at Symantec Corp. said today.

The security company issued a warning Monday night to customers of its DeepSight threat notification service saying that there were “reliable reports” of an in-the-wild worm or bot that was attacking, then installing itself, on D-Link routers. By Tuesday, however, Symantec had taken a step back.

“After looking into it, we decided that that was a little misleading,” said Oliver Friedrichs, a director of Symantec’s security response team. “It’s unconfirmed at this point. But we have definitely seen an increase in attack activity, and that activity appears to be coming from other D-Link devices.” In other words, although Symantec’s researchers haven’t gotten their hands on a worm or bot sample, all the evidence points in that direction. “We suspect that it’s a bot,” he said.

The attacks against the D-Link routers begin with hackers scanning TCP port 23 for an active SNMP (Simple Network Management Protocol) service, a flaw that first showed up in D-Link router firmware in 2005. It looks like they’re exploiting the SNMP vulnerability to reset and reconfigure the administrative password on the routers, perhaps to conduct “drive-by pharming” attacks that change a router’s settings so its users are unknowingly directed to bogus or malicious Web sites instead of the real URLs.

Router vulnerabilities are up and attacks against routers are on the upswing, especially attacks that target devices used by consumers and small businesses to create wireless networks. Attackers are increasingly looking “beyond the desktop” for new places to install (and hide) their malware.

Friedrichs described the port scanning activity Symantec is seeing as “moderate” and said the researchers will continue to investigate. He and his team, however, had not been able to verify that the vulnerability had been patched, and if so, when, or which specific models of D-Link’s routers might be at risk.

D-Link officials did not respond to a call for comment.

D-Link router owners: make sure that your SNMP service is not exposed to the Internet.
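
An added example (not from the original article or from Symantec): a small detector for the kind of TCP port 23 scanning described above, run over constructed iptables-style firewall log lines. The log format, the documentation-range addresses, the thresholds and the function name `find_scanners` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: iptables LOG-style lines from a perimeter firewall.
SAMPLE_LOG = """\
Mar 25 21:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=4431 DPT=23 SYN
Mar 25 21:14:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=4432 DPT=23 SYN
Mar 25 21:14:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=4433 DPT=23 SYN
Mar 25 21:14:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=4434 DPT=23 SYN
Mar 25 21:14:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=5000 DPT=23 SYN
Mar 25 21:14:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=5000 DPT=23 SYN
Mar 25 21:14:20 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP SPT=6000 DPT=80 SYN
Mar 25 21:00:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.10 PROTO=TCP SPT=7000 DPT=23 SYN
Mar 25 21:05:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.11 PROTO=TCP SPT=7001 DPT=23 SYN
Mar 25 21:10:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.12 PROTO=TCP SPT=7002 DPT=23 SYN
Mar 25 21:15:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.13 PROTO=TCP SPT=7003 DPT=23 SYN
"""

# Timestamp, source, destination and destination port of logged TCP SYN packets.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)\b.*\bSYN\b")

def find_scanners(log_text, port=23, min_targets=4, window=timedelta(seconds=60), year=2008):
    """Map each source that sent SYNs to `port` on >= min_targets distinct hosts within `window` to those hosts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) != port:
            continue
        # Syslog timestamps carry no year, so one is supplied for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["src"]].append((ts, m["dst"]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged

if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed TCP/23 on {len(dsts)} hosts within 60s: {', '.join(dsts)}")
```

Repeated connection attempts to a single host and slow probes spread over many minutes stay below the default threshold; widening `window` surfaces the slow source as well.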
