this post was submitted on 01 Feb 2024

253 points (98.1% liked)

Technology

58011 readers

3021 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

[email protected]

253

Chinese malware removed from SOHO routers after FBI issues covert commands (arstechnica.com)

submitted 7 months ago by [email protected] to c/[email protected]

43 comments fedilink hide all child comments

all 50 comments

sorted by: hot top controversial new old

[+] [email protected] 180 points 7 months ago* (last edited 5 months ago) (5 children)

[removed by mod]

[–] [email protected] 50 points 7 months ago (3 children)

I'm curious as to whether the router manufacturer included a back door or if the FBI used the same exploit that was used to infect the routers in the first place.

[–] [email protected] 12 points 7 months ago

It's not entirely uncommon for the latter to happen. Some greyhats have done similar things to clear out botnets in the past. It still counts as unauthorized access to a system though so most avoid doing so even if the intended result is beneficial

[–] [email protected] 6 points 7 months ago (1 children)

I would assume they used the same exploit as the botnet because only the NSA gets to use the fancy secret backdoors and secret list of vulnerabilities.

Unless the routers were also managed by ISPs in which case they might have just had builtin remote access/remote commands

[–] [email protected] 5 points 7 months ago (2 children)

How would you like the router owners to have been alerted?

[–] [email protected] 22 points 7 months ago (2 children)

Perhaps via the contact information they provided to their ISP?

[–] [email protected] 9 points 7 months ago

I suspect it might have been problematic to tip off the malware operators that the network was about to be shut down. Apparently customers are going to be informed via their ISPs now. I guess some if them may decide to junk the routers.

[+] [email protected] -10 points 7 months ago (5 children)

My ISP has never had info on my router, for 20+ years. Was there something in the story I missed about these being ISP issued routers?

[–] [email protected] 29 points 7 months ago

The ISPs don't need info on the routers...

The FBI has identified the routers; if they're able to connect to them and issue commands, they clearly know the IPs of those routers and thus the ISP servicing that IP. The ISP knows which of their customers is/was assigned a particular IP.

[–] [email protected] 19 points 7 months ago* (last edited 7 months ago) (2 children)

Your ISP knows the Mac address of your router since it requests a public IP from them using DHCP. That's why if you contact support they usually can confirm the brand of your router by doing an oui lookup.

In theory the FBI could have collected a list of MACs and optionally used an ASN lookup on the public IP and then handed each ISP their list of MACs, which the ISP could associate back to customers to contact. It would only not work for customers who spoof their router WANs ethernet mac.

But I think just patching it is a normal and fine solution imo.

[–] [email protected] 2 points 7 months ago (1 children)

Do you work in networking? How did you learn the magicks of the computer tongue?

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

I only do web development, but my networking knowledge mostly comes from being the designated person to call the ISP for tech support and being in charge of setting up the WiFi in every place that I've lived, in addition to participating and running community scale mesh wifi tech meetups for many years (think NYCMesh except just 4 guys who never accomplished much aside from buying and flashing lots of routers with openwrt lmao)

I also ran 12Us of homelab for a few years in my basement, which was powered by an overkill fiber to the home setup (courtesy of tricking Comcast into undercharging me for gigabit pro) that necessitated a 10G switch and firewall.

[–] [email protected] 1 points 3 months ago

Or I mean, Shodan exists. I'm sure the gov has better.

A theoretical botnet I was looking at on github used shodan to identify possible targets to infect.

[–] [email protected] 5 points 7 months ago

Probably works the other way around - FBI detects the problem at various IP addresses, patches them, then contacts the iISP and asks them to contact the customer who had x.y.z IP address

[–] [email protected] -2 points 7 months ago

I would imagine you are in the vast minority :)

[–] [email protected] 8 points 7 months ago (2 children)

How would you like the router owners to have been alerted?

By two men in black showing up at their doors, of course.

:-)

[–] [email protected] 3 points 7 months ago

"We're musicians maam"

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

We are here to help.

[–] [email protected] 1 points 7 months ago

"Computer Sabotage" crime in Germany, no?

[–] [email protected] 38 points 7 months ago

That's basically how the Sasser worm came to be. A hacker found a buffer overflow in the LSASS service, used that to replicate and then shut down the vulnerable service. But apparently he failed to account for Windows shutting down when LSASS was stopped, leading to a bootloop.

In the end it lead to massive damages when it actually was supposed to be a cure.

[–] [email protected] 9 points 7 months ago

This is the best summary I could come up with:

The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what’s known as KV Botnet malware, Justice Department officials said.

From there, the campaign operators connected to the networks of US critical infrastructure organizations to establish posts that could be used in future cyberattacks.

Before the takedown could be conducted legally, FBI agents had to receive authority—technically for what’s called a seizure of infected routers or "target devices"—from a federal judge.

"To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process," an agency special agent wrote in an affidavit dated January 9.

Wednesday’s Justice Department statement said authorities had followed through on the takedown, which disinfected "hundreds" of infected routers and removed them from the botnet.

To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process.

The original article contains 560 words, the summary contains 159 words. Saved 72%. I'm a bot and I'm open source!

[–] [email protected] 7 points 7 months ago (1 children)

In other news, "fbi installed mallard on your router"

[–] [email protected] 4 points 7 months ago

I would also like a mallard