Worm Targeting Home Routers and Modems Is Endangering Your Corporate Network


A new worm has been discovered that infects popular home routers and modems, including Linksys and Netgear models. Psyb0t (also called Bluepill) relies on brute force: it carries roughly 6,000 usernames and 13,000 passwords and tries them in combination against the device's login until one works. According to security researchers, the worm is programmed to infect at least 30 different Linksys and 10 Netgear devices.


This matters to security professionals because of SOHO users: they work from home, and their home equipment effectively extends your network to them. Experts disagree about what an attacker gains by controlling such a device, but one thing is certain: the attacker can disable it, cutting many SOHO users off from the Internet and affecting their organizations. Recovering a compromised device usually means a factory reset, which wipes any custom settings and policies. A further concern is that an attacker could open or forward specific ports on the device, exposing the computers behind the firewall to direct attack.


What concerns me is that, unlike PCs, which many SOHO users switch off at night, routers and modems are typically left on 24 hours a day. As an attacker, I could target users in specific time zones and launch the attack while they are asleep. This kind of attack is also hard to detect, because most of these low-end devices have no intrusion-detection or intrusion-prevention capability.


My advice is simple. Educate SOHO users about the vulnerability and tell them to report any unusual activity on their router or network. If you deploy the devices yourself, set strong, unique passwords and change them on a regular basis; many organizations never change the passwords on these devices once they are deployed. Disable administration from the WAN side unless it is genuinely needed, since that is the interface a worm like this logs in to. Finally, log in to the device regularly and confirm that its settings have not changed. Remember that many SOHO users keep company data on their computers while sitting outside the general protection of your network. Their network is your network, and their problems are your problems.
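As an added example (not code from the original article), here is a small Python audit that applies this advice to a fleet of deployed SOHO routers: it checks each device's admin credential against a short stand-in for the default-credential list such a worm carries plus a minimum strength rule, and compares the device's current settings against the baseline recorded at deployment to flag drift such as newly enabled WAN-side administration, a new DMZ host or a new port forward. The device records, credential lists and setting names are constructed for the example and are not real devices or a real router's configuration schema.

```python
from dataclasses import dataclass

# Constructed stand-in for the credential list a worm like this carries:
# a few factory defaults. A real check would use a much longer list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("user", "user"),
}
COMMON_PASSWORDS = {"password", "123456", "admin", "letmein", "qwerty"}
MIN_PASSWORD_LENGTH = 12

# Settings whose unexpected change on a SOHO router indicates tampering.
# The field names are assumed for this example, not a vendor's schema.
WATCHED_SETTINGS = (
    "wan_admin_enabled",
    "dmz_host",
    "port_forwards",
    "dns_servers",
    "admin_user",
)


@dataclass
class Router:
    name: str
    admin_user: str
    admin_password: str
    settings: dict


def credential_findings(user: str, password: str) -> list:
    """Return the problems with an admin credential; an empty list means it passes."""
    findings = []
    if (user, password) in DEFAULT_CREDENTIALS:
        findings.append("factory default credential")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("password is on the common-password list")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    # Require three of four character classes so a long single-class
    # password ("aaaaaaaaaaaaaaaa") is still flagged.
    classes = sum(
        any(test(c) for c in password)
        for test in (str.islower, str.isupper, str.isdigit)
    )
    if any(not c.isalnum() for c in password):
        classes += 1
    if classes < 3:
        findings.append("password uses fewer than three character classes")
    return findings


def settings_drift(baseline: dict, current: dict) -> dict:
    """Map each watched setting that differs from the recorded baseline to
    (baseline_value, current_value)."""
    drift = {}
    for key in WATCHED_SETTINGS:
        old, new = baseline.get(key), current.get(key)
        if old != new:
            drift[key] = (old, new)
    return drift


def audit(router: Router, baseline: dict) -> dict:
    """Combine the credential check and the drift check for one router."""
    return {
        "name": router.name,
        "credentials": credential_findings(router.admin_user, router.admin_password),
        "drift": settings_drift(baseline, router.settings),
    }


# Constructed sample fleet: the baseline recorded at deployment and what a
# later login shows. One router is untouched; the other still has its
# factory password and now exposes WAN-side admin and forwards a port.
BASELINE = {
    "wan_admin_enabled": False,
    "dmz_host": None,
    "port_forwards": [],
    "dns_servers": ["192.0.2.53"],
    "admin_user": "admin",
}

FLEET = [
    Router("home-office-01", "admin", "Tq7!vRk2#mLp9s", dict(BASELINE)),
    Router("home-office-02", "admin", "admin", {
        **BASELINE,
        "wan_admin_enabled": True,
        "port_forwards": [("tcp", 3389, "192.168.1.20")],
    }),
]


def audit_fleet(fleet=FLEET, baseline=BASELINE) -> list:
    """Audit every router; in practice this is fed exported device configs."""
    return [audit(r, baseline) for r in fleet]


if __name__ == "__main__":
    for report in audit_fleet():
        status = "OK" if not (report["credentials"] or report["drift"]) else "REVIEW"
        print(report["name"], status, report["credentials"], report["drift"])
```

Run it as-is to see one clean device and one flagged for a factory credential, WAN-side administration and an unexpected port forward. The drift check is the piece worth automating: export each router's settings when you deploy it, store that as the baseline, and diff against it on every periodic login rather than eyeballing the admin pages.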