Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
The Internet Network Networking Security Software Hardware

US ISP Goes Down As Two Malware Families Go To War Over Its Modems (bleepingcomputer.com) 93

An anonymous reader writes from a report via Bleeping Computer: Two malware families battling for turf are most likely the cause of an outage suffered by Californian ISP Sierra Tel at the beginning of the month, on April 10. The attack, which the company claimed was a "malicious hacking event," was the work of BrickerBot, an IoT malware family that bricks unsecured IoT and networking devices. "BrickerBot was active on the Sierra Tel network at the time their customers reported issues," Janit0r told Bleeping Computer in an email, "but their modems had also just been mass-infected with malware, so it's possible some of the network problems were caused by this concomitant activity." The crook, going by Janit0r, tried to pin some of the blame on Mirai, but all the clues point to BrickerBot, as Sierra Tel had to replace bricked modems altogether, or ask customers to bring in their modems at their offices to have them reset and reinstalled. Mirai brought down over 900,000 Deutsche Telekom modems last year, but that outage was fixed within hours with a firmware update. All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.
This discussion has been archived. No new comments can be posted.

US ISP Goes Down As Two Malware Families Go To War Over Its Modems

Comments Filter:
  • by williamyf ( 227051 ) on Tuesday April 25, 2017 @08:14PM (#54302117)

    but there is alink about previous incident in Deutsche Telekom?

    What gives?

    the level of the editors keeps getting lower or what?

    Beadhull, get away from that Keyboard, you need a few cups of coffee! Now!

  • by Foxhoundz ( 2015516 ) on Tuesday April 25, 2017 @08:14PM (#54302119)
    Hacked modem or not, assuming you actually use a respectable router (e.g. VyOS/Edgerouter), you can at least avoid main-in-the-middle attacks due to the fact that that packets will be encrypted by the time they ingress your modem on their way to the CMTS. That being said, it still won't stop the modem from becoming a zombie device itself. ISPs have a burden to resolve this as A) they and they alone lock down your device and manage it remotely via SNMP and B) their network is sending you the malicious unsolicited data from their network to yours.
    • by Anonymous Coward

      A VPN would not have saved anyone in this case. The Brickerbot went after the physical DSL/Cable modem/gateways.

      If you've ever used one of these ISP issued things, there is typically a default username, and the password is derived from the device MAC address. It's also not a new thing, as you could also have your modem hacked just by visiting a rogue website that connects to 192.160.0.1 over websockets.

      • by Anonymous Coward

        A VPN would not have saved anyone in this case. The Brickerbot went after the physical DSL/Cable modem/gateways.

        If you've ever used one of these ISP issued things, there is typically a default username, and the password is derived from the device MAC address. It's also not a new thing, as you could also have your modem hacked just by visiting a rogue website that connects to 192.160.0.1 over websockets.

        Yes, but only if you're dumb enough to run every random script from every unverifiable web site. Seriously, this is a solved problem. A good adblocker (which often include options for filtering malicious sites) and/or NoScript can easily prevent this.

        • by Overzeetop ( 214511 ) on Wednesday April 26, 2017 @06:09AM (#54304003) Journal

          1) I was unaware that website currently require that you manually execute each script

          2) Show me a commercial OS with a supplied browser that includes a good adblocker and a NoScript installed and properly configured by default.

          Computers are basically appliances for 80% of the users on the internet now. I can mod my toaster and replace the plug with a grounded type, and only plug it into a GFCI outlet to reduce the risk of shock, but everybody else just plugs theirs in and makes toast. Until OS makers start putting actual, safe browsers on their products, instead of the two-bare-wires versions they currently include, the problem isn't actually with the users. It's with the negligent programmers.

  • by Anonymous Coward

    This is why I only use Windows IOT Core based devices.

    • by Anonymous Coward

      Yeah, a Windows device would never just reboot to apply a new windows-upda"/(*)/)"(/ç"ç

      NO CARRIER

  • Bricked or not? (Score:5, Insightful)

    by Nkwe ( 604125 ) on Tuesday April 25, 2017 @08:19PM (#54302139)
    From the summary

    All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.

    If the bricked devices were fixed, then they really were not bricked.

    • Some people distinguish betwen "soft-bricked" (the device stops working but can still be revived with user-available measures going beyond normal configuration*), "hard-bricked" (the device stops working and can only be revived with tools unavailable to an ordinary user**) and "broken" (the device is dead and can only be replaced***). In this case the routers appear to have been hard-bricked as they stopped working and had to be physically accessed by the vendor in order to restore functionality.

      * E.g. us
    • I don't think you can ever permanently "brick" something. In this case they probably reflashed the firmware through the JTAG port or something similar. Bricked to the consumer but not the supplier.

      • I don't think you can ever permanently "brick" something. In this case they probably reflashed the firmware through the JTAG port or something similar. Bricked to the consumer but not the supplier.

        You can permanently brick a device, even without hardware damage. Phones, for example, should have JTAG completely disabled for security (though many OEMs fail to do this), and depending on various bits of low-level config devices can get into a completely unflashable state. If the onboard firmware that accepts flashed images does something like sign the images with a key embedded in the SoC, and the ROM refuses to run unsigned firmware, and you can't flash normally any more, then even removing the flash me

    • Correct :)
      Bricked: "You Keep Using That Word, I Do Not Think It Means What You Think It Means"
  • by Anonymous Coward

    Modems are not "Things." They are necessary infrastructure.

    • by Anonymous Coward

      Walks like a duck, talks like a duck. Modems were the first "things" of the internet.

    • by Jamu ( 852752 )
      Everything is a thing.
  • by jfdavis668 ( 1414919 ) on Tuesday April 25, 2017 @08:22PM (#54302155)
    Companies rent you hardware, and they give no thought to upgrades. Not only ISPs, but cable boxes and other such devices. As long as it works when installed, that's good enough. To be properly secure, you need to keep up with security updates.
    • by Doke ( 23992 )
      What security upgrades? Most of these manufacturers never try to upgrade their IoT crap. They drop it, and move on.
    • by sims 2 ( 994794 )

      At work we have a att ADSL2+ modem with the software modified to disable the disconnection redirect and disable updates.

      They really really want their modem to brag every time it loses connection which would be ok but they don't have no cache set so once the connection resets you have to close out of whatever your doing to get it to stop redirecting to the modem status page.

      They issued a firmware update to the modem so you couldn't modify it but didn't add the no-cache option required to fix the problem that

  • Liability (Score:5, Interesting)

    by sit1963nz ( 934837 ) on Tuesday April 25, 2017 @08:40PM (#54302211)
    Perhaps it is time that manufacturers have to accept liability for faulty software.

    There are many things that are considered bad practice (or outright stupidity) that make it into the consumer market, these should be punished.
    The lack of timely firmware updates (or even any updates), should be punished.
    Hardcoded accounts/passwords should be punished
    Telnet/SSH access from the DSL side on by default should be punished
    Wireless not requiring a password (a complex one !) before the wireless can be enabled should be punished

    If manufacturers had to shell out $1000 per item for this sort of behaviour a lot would go to the wall, the others would clean up their act quickly.

    And NO, manufacturers can not opt-out/contract out of this (if they try, make it $5000 an item).

    Sure, no software is perfect, but thats not the problem, its that so much junk is put out there with no attempt to make it secure. The average home user can not be expected to do this themselves.
    • Websites should be liable for malware ads.
      • by Doke ( 23992 )
        This is problematic. Often, a website signs on to an ad network, by placing a link to a rotating ad image. Then the ad agency screws them over by placing inappropriate content on that link. The site owner never intended to put anything nasty on their site, but the ad agency was negligent. You can say this will flow through to the ad agency through complaints, but they tend to have lock-in contracts, and similar stupidity. In the end, the website owner loses.

        This is why I prefer to contribute money v

        • So kill the ad networks. Everyone wins.
        • by sjames ( 1099 )

          What would actually happen is websites would demand indemnity from the ad networks. Any ad network that wanted to actually push ads to anyone would be forced to accept that term. Then, with the financial burden being on them, they might actually screen the ads they serve.

    • by Doke ( 23992 )
      This makes a lot of sense. They have complete control over how the device leaves their factory, and the ability to easily (and cheaply) offer upgrades. There's no good excuse for not supporting their gear. It does cost money to support existing sales, but that's part of being a responsible manufacturer. This translates directly to sales. Irresponsible ones get trashed in reviews.
      • The average user does not read reviews. They use the modem/router that was supplied to them by their ISP.

        By the time the unit is in the consumers hands its already too late, the effort needs to be made right at the concept stage right through to manufacturing.

        Most ISPs regard the modem as throw away items, its cheaper for them to supply something new than to support something old. The manufacturers work on the basis that they want to sell something new and not support something old.

        Neither the manufac
    • by eyenot ( 102141 )

      *applause*

      I want to go a step further: fuck firmware. Make the god damn controllers work properly in the first place. Test every way imaginable even if it adds months before the manufacturing process. If you fuck up, send your customers replacement ROMs. If they don't know how to desolder the old one and install the new one properly, fuck them, too because they're worthless pieces of shit. Take consumer high tech out of the fucking dark ages.

      • I like this idea on the surface, but most attacks against these devices are not persistent. Using a rom will only slow the upgrade process when bugs are found and prevent wasteful bricking attacks. For botnets, it's worlds easier to just reinfect when the device comes back online.
      • If we were capable of making things at this level of complexity work properly in the first place the world would be a very different place.
    • by mentil ( 1748130 )

      Won't happen in any broad sense. Imagine this scenario, which would quickly go into effect if any statutes were passed or frequent civil liability suits gave judgments against them:

      Shell company sells a new modem, licensing the name of some well-known company (e.g. Belkin). They produce the modem for 2 years, releasing periodic updates for the firmware. Upon product discontinuation, the shell company folds, and the liability now rests on a nonexistent company. Every product has its own associated shell comp

    • Yes [medium.com]. Sometimes the bug is hard to stop, but sometimes it's a clear case of negligence. The manufacturer just doesn't care.
  • Fuck this poster. Prob a malware crim
    • by eyenot ( 102141 )

      I wouldn't care if they were. I was highly entertained and informed by this story. I might break karma just to mod down your lousy comment as flamebait.

      • One of the actors is shutting down malware threatened devices. But this article calls them equal. You blind?
  • ... on April 10."

    Come for the nerd-news; stay hard for the WTFs.

  • Maybe all these folks that have been affected will start demanding more from manufacturers in regards to making sure these devices are secure and that security updates are provided on a regular and timely basis.

  • by An Ominous Cow Erred ( 28892 ) on Tuesday April 25, 2017 @10:57PM (#54302957)

    For those not in the know, this company is the heir to Sierra On-Line/Sierra Entertainment/Yosemite Entertainment in Oakhurst, CA. They created King's Quest, Space Quest, Police Quest, Leisure Suit Larry, et al. After the studio joined Codemasters they remained in Oakhurst until at some point it became an ISP. I'm not sure if any of the original folk are still there.

    Relevant Wikipedia Entry [wikipedia.org]

    (The Sierra name lives on as a trademark of Activision, but in name only. The hallowed halls of that great studio are now an ISP.)

    • To clarify, at one point Sierra tried to create their own online gaming network. This was *NOT* an internet-based network, but something you could connect to directly via dialup with a POTS modem. This later on became the ImagiNation network, which was purchased by AT&T.

      https://blog.codinghorror.com/... [codinghorror.com]

      As I understand it, the facilities originally created for this (since upgraded to support DSL service) were repurposed by the people involved into an ISP. All of this is based in the old Sierra headquarte

  • I like the first comment on that article:

    woody188:
    Wish Janit0r would change phase two so that it instead redirects all outbound requests to a page explaining what is wrong with the device and to contact their ISP. At least for modems/routers this would be much more preferable to just bricking a device and would empower the person to get help and maybe even salvage their device should an update be available. Vigilantes don't hurt the innocent! You listening Janit0r?

    Nice idea. Ideally someone else should host that site.

  • You left your car unlocked, so I've removed the engine to prevent anyone from stealing it!

  • concomitant concomitant concomitant
  • I just adore BrickerBot more and more each story I read about it. This is the best solution, and sadly the financial impact is the only way to make these companies take security seriously.

  • So this ISP was handing out shoddy insecure modems by the truckload, leaving all their customers susceptible to attack.

    It's bad enough that this kinds of crappy device exist on the market in the first place, but for an ISP to peddle the things... that's inexcusable. IMO the ISP needed this firm punch in the nose.

No spitting on the Bus! Thank you, The Mgt.

Working...