
Lizard Stresser Runs on Hacked Home Routers - wglb
http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers/
======
jameshart
Is this seriously a real implementation of the movieplot plan, where the
villain sits there stroking his cat and explaining: "Oh no, Mr. Bond, did you
really think I attacked Xbox Live and PSN on Christmas day for some
ideological purpose? Or for the 'lulz'? No Mr Bond, that was merely a
demonstration of my power. Now I can sell my services to the highest bidder
and no-one can stop me! Not even you, Mr Bond, since you will be observing the
auction from the bottom of my shark tank! Ahahaha! Ahahahahahahahaaa!"

Except without the shark tank, and just with an online store offering various
service levels. Maybe this is what Moriarty's 'crime as a service' model looks
like in the real world...

~~~
api
Yup. While there's no sharks, there probably is a cat.

~~~
dceddia
'DDoS as a Service'?

~~~
dewey
That's not really something new though. Stressers / Booters have been a thing
for a long time now.

~~~
timdorr
Except the good ones know how to properly obfuscate the C&C servers. These
morons ran everything through their public IRC server, hosted on the same
network as the website advertising the service.

~~~
sp332
Yup, from [http://www.malwaretech.com/2014/12/darkode-ode-to-lizardsqua...](http://www.malwaretech.com/2014/12/darkode-ode-to-lizardsquad-rise-and.html)
"I had noticed that lizardpatrol.com (the official LizardSquad website) was
hidden behind cloudflare, so on a hunch I send a HTTP request to the darkode
server, with the hostname set to "lizardpatrol.com".... That's right, the
darkode server is also hosting the official LizardSquad website, oh dear."

Why is CloudFlare protecting these sites, anyway?

~~~
dewey
Because it's a customer like everyone else; as a service provider you should
maintain a neutral stance even if you don't like the service they provide.
Just like ISPs shouldn't handle Netflix's traffic any differently than traffic
from other companies.

~~~
sp332
ISPs will cut off service entirely if a customer is behaving abusively.

~~~
Karunamon
No, they will cut off service entirely if the user's behavior threatens their
network (usually legally).

As an example, ISPs don't drop spammers because they morally hate spam, they
drop spammers because their mail servers will get blacklisted and make their
customers hate them.

A fine distinction, but an important one.

------
mentat
This should provide some fuel to the "Internet of Things hacking will bring
the world to its knees" people. The vast majority of these devices have no
meaningful patching policy. Default username/password is one thing but there
are many other vulnerabilities.

~~~
rudolf0
My prediction is "Internet of Things" will begin to transition into "Local
Network of Things (Accessible via VPN or Gateway)" for this exact reason.
It'll still appear as "Internet of Things" to most end users though.

~~~
walterbell
What kind of hardware/OS do you envision implementing the gateway/VPN server?

~~~
potatolicious
Something with a higher bar of quality than the typical consumer electronics
you pick up in the bargain bin at Newegg/Amazon/Wal-Mart.

I think it's within the realm of possibility for consumers to install
routers/gateways that are competently engineered. It's flat out impossible to
ensure every IOT device a consumer owns has even the most basic security
principles covered.

~~~
walterbell
If a home has a desktop or media PC, it could potentially run a router/gateway
VM on platforms like Qubes, Genode, etc. The router VM would be isolated from
desktop/media VMs, and would have the benefit of running a BSD/Linux x86 OS
that has automated updates. New wifi standards can be supported by upgrading a
USB or PCI WiFi adapter, rather than buying a new router.

------
drzaiusapelord
>consider changing the router’s default DNS servers to those maintained by
OpenDNS.

Is OpenDNS a sponsor for Krebs? This seems like a great way to break CDN
geo-IP, get served ads, and get non-standard "typo domain" messages.
Ironically, it opens people up to DDoS, as an attack against OpenDNS means
Krebs's readers now don't have DNS.

~~~
driverdan
ISP DNS servers tend to be terrible. OpenDNS and Google DNS tend to be much
faster than ISPs.

~~~
mahouse
Not really. Some (most?) ISPs have servers in their own networks that can
speed up the loading of, for example, YouTube videos. By not using your ISP's
DNS servers, you will miss them.

~~~
ericd
Ironically, the most common fix for slow, choppy YouTube videos is to swap out
your ISP's DNS.

------
penguat
As an aside on the username/password thing, unless it's going to be visible
through your window, you're probably best off keeping them on a sticky label
attached to your router. That way, you have them when you need them, and
they're not available on the internet.

~~~
a3n
Put the sticker on the bottom.

~~~
at-fates-hands
This is actually how Quest does it. Imagine my surprise when I was setting up
the router and had to call and ask what the router password was and the tech
said, "Yeah, just flip it over, under the serial number is a long hexadecimal
code, that's your password."

At least the password was somewhat strong. I'm not sure having it printed on
the same label as the serial number is a good idea though.

~~~
Forbo
I don't understand the problem with having it on the same label as the serial
number. Can you elaborate?

~~~
rz2k
To me it implies that the default password can be determined if you are able
to discover the MAC address. Either the manufacturer might have it in a
database that could be compromised, or the algorithms generating the MAC
addresses and the pseudorandom default passwords might be reverse engineered.

~~~
gamed
This is often the case with WPS on home routers. Here's a blog post detailing
the reversing of D-Link's WPS PIN generation.

[http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-al...](http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/)

------
creeble
If your router allows Internet access via admin password, you should _get a
new router_ not change your admin password.

~~~
maxerickson
I think "Remote Management" is an option on pretty much all consumer routers.
It's pretty unfortunate to have it default to on when there is a non-unique
default password though.

~~~
x0x0
Sure, but from the wan side? Why on earth would anyone want that?

~~~
zaroth
There are many ways, even if WAN-side Management is disabled, to take over
these routers from the WAN side. E.g. [1, 2] There are also vulnerabilities in
the auto-provisioning protocols used by the modems that can give the attacker
an entry-point. [3]

This is just the tip of the iceberg from 10 minutes of Googling. I also recall
there was some technique where an attacker could reflect attack traffic
through a browser and back into the router, so if you knew the router IP and
user/pass you could compromise it by getting the user to visit a malicious or
drive-by-hacked site.... but I couldn't find a link for that one.

[1] - [https://securityevaluators.com/knowledge/case_studies/router...](https://securityevaluators.com/knowledge/case_studies/routers/soho_router_hacks.php)

[2] - [https://www.eff.org/deeplinks/2014/08/def-con-router-hacking...](https://www.eff.org/deeplinks/2014/08/def-con-router-hacking-contest-success-fun-learning-and-profit-many)

[3] - [http://www.computerworld.com/article/2491042/malware-vulnera...](http://www.computerworld.com/article/2491042/malware-vulnerabilities/home-routers-supplied-by-isps-can-be-compromised-en-masse.html)

~~~
justincormack
JavaScript to 192.168.1.1, e.g. see here:
[http://blog.kapravelos.com/post/68334450790/attacking-home-r...](http://blog.kapravelos.com/post/68334450790/attacking-home-routers-via-javascript)

------
jwcrux
This is pretty much an exact replica of the methods used by the Internet
Census of 2012.

