Rare malware targets routers running Linux

Odds you'll get hit are low, but the impact would be high

By Kevin Fogarty

More evidence malware writers have become at least as sophisticated as the companies they target:

Trend Micro reports a new piece of malware, circulating as an executable, that targets routers running Linux or other Unix-like embedded operating systems.

The code arrives as an Executable and Linkable Format (ELF) file, the standard executable format on Linux and most Unix systems, and opens a backdoor that takes its commands over Internet Relay Chat (IRC). It may also run brute-force attacks, trying username/password lists against router logins.
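Because the malware ships as an ELF file built for the router's CPU rather than for a PC, the first triage step for a suspicious binary pulled off a router is to read its ELF header: the class, byte order and machine fields tell you what it was compiled for before you run or disassemble anything. The following parser is an added example, not code from the original article or from Trend Micro; the two sample headers it builds are constructed for the demonstration and are not samples of ELF_Tsunami-R.

```python
import struct

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "ELF32", 2: "ELF64"}
ENCODINGS = {1: "little-endian", 2: "big-endian"}
TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
# e_machine values from the ELF specification, limited to the architectures
# you are likely to meet on routers and on the desktops that manage them.
MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}
EMBEDDED_ARCHES = {"MIPS", "PowerPC", "ARM", "AArch64"}


def parse_elf_header(data):
    """Return the fields of an ELF file header as a dict, honouring the file's own byte order."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in CLASSES or ei_data not in ENCODINGS:
        raise ValueError("unknown ELF class or data encoding")
    order = "<" if ei_data == 1 else ">"
    # e_type, e_machine and e_version follow the 16-byte e_ident block.
    e_type, e_machine, e_version = struct.unpack_from(order + "HHI", data, 16)
    if ei_class == 1:
        e_entry, e_phoff, e_shoff = struct.unpack_from(order + "III", data, 24)
        tail = struct.unpack_from(order + "IHHHHHH", data, 36)
    else:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        e_entry, e_phoff, e_shoff = struct.unpack_from(order + "QQQ", data, 24)
        tail = struct.unpack_from(order + "IHHHHHH", data, 48)
    e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx = tail
    return {
        "class": CLASSES[ei_class],
        "encoding": ENCODINGS[ei_data],
        "type": TYPES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
        "phnum": e_phnum,
        "shnum": e_shnum,
    }


def triage(data):
    """Parse the header and return (fields, list of findings worth a second look)."""
    fields = parse_elf_header(data)
    findings = []
    if fields["machine"] in EMBEDDED_ARCHES:
        findings.append(f"built for {fields['machine']}: a router/embedded target, not a desktop")
    if fields["type"] == "executable" and fields["shnum"] == 0:
        findings.append("no section headers: stripped, typical of packed or hand-built binaries")
    return fields, findings


def build_elf32_header(machine, big_endian, e_type=2, shnum=0):
    """Construct a bare 52-byte ELF32 header for testing; this is not a real binary."""
    ident = ELF_MAGIC + bytes([1, 2 if big_endian else 1, 1]) + bytes(9)
    order = ">" if big_endian else "<"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    body = struct.pack(order + "HHIIIIIHHHHHH",
                       e_type, machine, 1, 0x00400000, 52, 0, 0, 52, 32, 1, 40, shnum, 0)
    return ident + body


# Constructed samples: a big-endian MIPS executable with no section headers, the
# shape a router-targeted binary often has, and an ordinary x86 executable.
SAMPLE_MIPS_BE = build_elf32_header(8, big_endian=True)
SAMPLE_X86_LE = build_elf32_header(3, big_endian=False, shnum=5)

if __name__ == "__main__":
    for name, blob in (("mips-be", SAMPLE_MIPS_BE), ("x86-le", SAMPLE_X86_LE)):
        fields, findings = triage(blob)
        print(name, fields["class"], fields["encoding"], fields["machine"], fields["type"])
        for finding in findings:
            print("  -", finding)
```

Run it against a real file with `triage(open(path, "rb").read())`. A MIPS or ARM executable turning up on a file share or in a mail attachment is a strong hint that a router, not a workstation, is the intended victim; the byte order also tells you which toolchain and which router families the author was targeting, since the same MIPS core ships in both big- and little-endian configurations.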

Most infections so far by the trojan, which Trend Micro calls ELF_Tsunami-R, have been in Latin America, mainly on D-Link routers, though it probably works on other brands as well.
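The brute-force behaviour described above is also the easiest part of an infection to spot from the outside, because every guessed password leaves a line in the target router's log. The detector below is an added example, not code from the article or from Trend Micro: it reads syslog lines in the style of the dropbear SSH daemon found on many small routers, counts failed logins per source address in a sliding window, and notes when a source that has been hammering the login then gets in. The log lines are constructed for the example; the window and threshold are assumptions to tune for your own environment.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of dropbear's syslog output on a small router.
# They are made up for this example and do not come from an infected device.
SAMPLE_LOG = """\
Mar 15 10:21:03 router dropbear[1184]: Child connection from 203.0.113.9:40122
Mar 15 10:21:04 router dropbear[1184]: Bad password attempt for 'admin' from 203.0.113.9:40122
Mar 15 10:21:05 router dropbear[1186]: Bad password attempt for 'admin' from 203.0.113.9:40130
Mar 15 10:21:06 router dropbear[1188]: Login attempt for nonexistent user from 203.0.113.9:40140
Mar 15 10:21:08 router dropbear[1190]: Bad password attempt for 'root' from 203.0.113.9:40151
Mar 15 10:21:09 router dropbear[1192]: Bad password attempt for 'root' from 203.0.113.9:40160
Mar 15 10:21:10 router dropbear[1194]: Password auth succeeded for 'root' from 203.0.113.9:40171
Mar 15 10:30:41 router dropbear[1210]: Bad password attempt for 'admin' from 192.168.1.20:55012
Mar 15 10:45:02 router dropbear[1222]: Bad password attempt for 'admin' from 192.168.1.20:55300
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dropbear\[\d+\]: (?P<msg>.*)$"
)
FAILURE_RE = re.compile(
    r"(?:Bad password attempt for '(?P<user>[^']+)'|Login attempt for nonexistent user)"
    r" from (?P<ip>\d+(?:\.\d+){3}):\d+"
)
SUCCESS_RE = re.compile(
    r"Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>\d+(?:\.\d+){3}):\d+"
)


def parse_ts(stamp, year=2012):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, window_seconds=60, threshold=4):
    """Return one alert per source that fails `threshold` logins within `window_seconds`.

    An alert records the total failures seen from that source, the usernames
    tried, and the username of any successful login that came after the burst.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    total = Counter()             # ip -> all failures seen
    users = defaultdict(set)      # ip -> usernames tried
    alerts = {}                   # ip -> alert dict
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = parse_ts(m.group("ts"))
        msg = m.group("msg")
        failure = FAILURE_RE.search(msg)
        if failure:
            ip = failure.group("ip")
            total[ip] += 1
            if failure.group("user"):
                users[ip].add(failure.group("user"))
            window = recent[ip]
            window.append(when)
            # Drop failures that fell out of the sliding window.
            while window and (when - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "source": ip,
                    "first_seen": window[0],
                    "users": users[ip],
                    "succeeded_after": None,
                }
            continue
        success = SUCCESS_RE.search(msg)
        if success and success.group("ip") in alerts:
            # The attacker guessed right: escalate beyond "noisy scanner".
            alerts[success.group("ip")]["succeeded_after"] = success.group("user")
    for ip, alert in alerts.items():
        alert["failures"] = total[ip]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

In the constructed log, 203.0.113.9 fails four logins inside a minute and is flagged; the later success for `root` from the same address turns a noisy-scanner alert into a probable compromise. The two failures from 192.168.1.20 fifteen minutes apart are an administrator mistyping a password and are not reported. Feed the function your router's syslog output (most small routers can forward it to a central host) and alert on `succeeded_after` first.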

There is relatively little malware designed to attack Linux machines, especially compared with Windows or even Mac OS.

But they do exist.

Linux-based routers have also been targeted successfully in the past, at least once to build a botnet of respectable size.

Coding for routers is dicier than for Windows machines: there are fewer layers between the code and the hardware, the operating systems are far more specialized, the range of available commands is limited, and the processors are usually MIPS or ARM rather than x86, so an executable has to be built separately for each target architecture.

Many run Linux kernels, full Linux distributions or Linux-like operating systems, which lets the same source code be built for them and for ordinary Linux and Unix machines with relatively little modification.

Targeting routers, and Linux routers at that, sounds abstruse, but Linux kernels are common inside both home routers and the larger, more powerful routers built for corporate networks.

There is, as a matter of fact, a huge and barely acknowledged installed base of Linux within corporate IT.

Replacing the OS with Linux and configuring an aging server or PC as a cheap base for firewalls, routers, spam filters or other specific jobs allows many IT departments to fill specific needs for which there is often no budget to buy new hardware.

There are active communities of DIYers, modders and Linux geeks using the OS to modify routers, PCs and other gear.

Trojans or viruses aimed at those machines, if they get past the malware filters at the edge of the network, would be in an ideal position: every packet on the segment passes through the router, so they could collect sensitive data in transit or act as a backdoor into the core of a corporate network.

Sure, end users do a lot more stupid things than IT people do, and a random piece of malware is far more likely to find fertile ground on user desktops than on a Linux box repurposed as a router and sitting in a server closet somewhere.

But there are a LOT of small, poorly secured D-Link and other home and small-office routers out there running Linux-based kernels or operating systems, even in big companies.

Routers and switches from D-Link, Netgear, Belkin and other consumer manufacturers do fill-in duty in branch offices and remote business units, or are used to split overloaded network segments into ever smaller subnets and cut the headcount on each LAN, without spending what it would cost to do the same thing properly from farther up in the network.

Trend Micro has also found malware that carries out large-scale DNS poisoning attacks by infecting DSL modems, among other vulnerable hardware, and using them as a base.

Odd. Not the risks you normally think about. Definitely worth plugging that particular hole, starting with the obvious: default credentials on those routers, and management interfaces reachable from outside the network.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
