Your Router is Probably a Zombie in a Botnet
You have strong enterprise-grade security at the office. But what about at home? While you might think you've got things locked down, here's the harsh reality: You probably don't. And it's not necessarily your fault.
Out of the box, most routers suck when it comes to security. Vulnerable firmware is an easy target. Backdoors have been discovered in just about every brand of router. To make things worse, think about all the devices out there that are "secured" with admin/admin on 192.168.1.1. Maybe not yours, but there are many.
It's like we aren't even trying — and some folks have noticed.
What are botnets?
Botnets are networks of compromised internet-connected devices. The people who create and use botnets for nefarious tasks are called botherders or botmasters. To use the parlance of cybersecurity professionals, these people are simply malicious actors.
Devices become zombies when they're infected by malware. This can happen when a user unwittingly opens a suspicious email attachment or even goes to the wrong website. Malware is malicious code custom-built around a specific vulnerability, so a botnet often consists of a single type of device.
Not to say that malicious actors don't combine their hordes for an attack, but the code itself is purpose-built. In the recent past, we've seen IP camera botnets, Linux botnets, and Android botnets. Windows is also a big target due to the sheer size of the target — and so are routers.
What does a hacker gain with a puny router? A router is really just a stripped-down computer, usually running a lightweight version of Linux. It turns out that even low-power devices, en masse, can do a lot of damage.
It's possible you will never even know your device is infected. Malicious actors typically don't fully take control of a machine. They may not even try to steal your files or personal data. Instead, infected devices contribute their resources — computing power, IP address, or storage — to the botnet, which is controlled by a command and control (C&C) server.
How botnets attack
The uses for botnets are limited only by the creativity and technical prowess of the person controlling them. One cybersecurity research firm set out a honeypot where they observed a botnet enter the system, create backdoors, and dump passwords. Later, a human showed up to exfiltrate 3GB of (junk) data with Turbomailer of all things. It's not an uncommon scenario, but most often botnets mine cryptocurrency, carry out amplification and distributed denial of service (DDoS) attacks, and validate lists of usernames and passwords in auth attacks.
DDoS and amplification attacks overwhelm their targets with a massive burst of traffic deployed by hundreds of thousands of devices. Security guru Brian Krebs detailed a 665 Gbps DNS amplification attack against his site. (That's gigabits per second.)
Auth attacks take lists of stolen usernames and passwords and verify them against a website login. Because most people use the same password across websites, malicious actors are looking for common passwords. Rather than raising alarms by hitting a financial institution with a brute force attack, they use a username-password combination that might work. If not, they move on.
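The pattern the article describes (many different stolen username-password pairs tried once each, versus hammering one account) is exactly what separates credential stuffing from classic brute force in a login log. This is an added example, not the article's own code: a small Python classifier run over constructed sample log lines in a hypothetical "ip user result" format; the thresholds are assumptions, not published values.

```python
import re
from collections import defaultdict

# Constructed sample login-log lines (not from the article): "<client_ip> <username> <result>"
SAMPLE_LOG = """\
203.0.113.10 alice FAIL
203.0.113.10 bob FAIL
203.0.113.10 carol FAIL
203.0.113.10 dave OK
203.0.113.10 erin FAIL
198.51.100.7 alice FAIL
198.51.100.7 alice FAIL
198.51.100.7 alice FAIL
198.51.100.7 alice FAIL
198.51.100.7 alice FAIL
192.0.2.44 gina OK
192.0.2.44 gina FAIL
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(OK|FAIL)$")

def parse_log(text):
    # Yield (ip, user, success) tuples; malformed lines are skipped.
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3) == "OK"

def classify_sources(text, min_attempts=5, stuffing_user_ratio=0.5):
    # Label each source IP by the shape of its login attempts:
    #   credential_stuffing: many attempts spread over many distinct usernames
    #   brute_force:         many attempts concentrated on one or a few usernames
    #   normal:              too few attempts to judge
    attempts, users, successes = defaultdict(int), defaultdict(set), defaultdict(int)
    for ip, user, ok in parse_log(text):
        attempts[ip] += 1
        users[ip].add(user)
        successes[ip] += int(ok)
    report = {}
    for ip, n in attempts.items():
        if n < min_attempts:
            label = "normal"
        elif len(users[ip]) / n >= stuffing_user_ratio:
            label = "credential_stuffing"
        else:
            label = "brute_force"
        report[ip] = {"attempts": n, "distinct_users": len(users[ip]),
                      "successes": successes[ip], "label": label}
    return report
```

A successful login inside a credential-stuffing cluster (the `successes` count for a flagged IP) is the account to force a password reset on, since the stolen pair evidently worked.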
Sending spam is another big use for botnets. Spam campaigns are probably the most lucrative and effective cybercrime campaigns. Last year, researchers reported that the BCMUPnP_Hunter malware compromised more than 100,000 routers with years-old firmware. A hacker leveraged this to create a spam-sending army of routers, using the router IP addresses to avoid spam blacklists.
Compared to DDoS or auth attacks, spam may seem like an annoying, but ultimately innocuous reason to use a botnet. Spam serves a bigger purpose than disruption. Cybercriminals use spam to spread malware that expands their botnet. They also attempt to infect computers with malware that steals banking information and installs ransomware.
The amount of spam generated by botnets is astounding. One cybersecurity firm reported that 97 percent of spam botnet traffic was driven by just two massive botnets — Necurs and Gamut.
Botnets for hire
Necurs is particularly scary because the people (yes, people) behind it team up with other cyber-crime gangs. They hire out their botnet to other elite cyber-crime gangs to wreak havoc, extorting people with ransomware and cleaning out bank accounts.
The partnership made news a couple of years ago — and then the Necurs botnet went dark, only to resurface in 2018. That was just one high-profile instance of a massive botnet — an increasingly common headline.
In another instance, you can hire a botnet. Again going back to our man, Krebs. He reported on one botnet-for-hire site run by a group with the elegant, refined moniker of the Lizard Squad. A sort of hacker version of SaaS (or maybe BaaS, Botnet as a Service?), the fine gentlemen at the Lizard Squad sold capacity of their botnet of compromised routers in the form of subscriptions for DDoS services.
You too can attack your friends, competitors, and enemies starting at the low, low price of $5.99 per month!
Reviving your zombie router
Botnets are notoriously difficult to eradicate. Hardware companies are quick to patch holes and vulnerabilities, but it's one against many.
Last year, the FBI asked everyone to reboot their routers. Not that a simple reboot would erase the VPNFilter malware feeding the 500,000-strong botnet. No. The reboot forced the program to call home — or send a message asking for instructions. The FBI used those callbacks to trace the malware to its source. Often the easiest way to kill a botnet is to kill the server that controls it.
Even when law enforcement takes down a C&C server, the malicious code remains on the infected machines. The malware may be stranded in a host device without instructions, but it is merely inactive. Necurs disappeared in 2016, only to surface again and reactivate the dormant malware.
When we're talking about routers, these aren't the enterprise-level gear made by the likes of Cisco, Sonicwall, or Palo Alto. (Though, Cisco has had their security troubles with their residential product lines.) We're talking about what you would get off the shelf at Wal-Mart or Best Buy — the D-Links, Netgears, and Linksyses of the world.
The problems start with the cheap, antiquated MIPS architecture used by a lot of these devices' processors. MIPS is a type of processor designed in the 1980s and intended for general purpose computing. MIPS never broke through Intel's dominance of the consumer desktop market. However, it did find a niche in specialty hardware by the likes of Silicon Graphics and even made it into the Sony PlayStation and Nintendo 64 (even inspiring one notable Mario character).
MIPS chips later began to find their way into home routers and gateways, providing enough power to handle the smaller demands of a home network. All while being cheap enough to fit the bill for a consumer-level kit.
One substantial problem comes from a security flaw that goes back to 2001. Per one deep yet fascinating paper, the chips lack basic defensive abilities against malicious code execution. Combine this with manufacturers commonly shipping out-of-date, vulnerable Linux kernels in their devices, and then placing that device on the edge of your network, completely exposed to the internet.
The solution going forward? A lot of manufacturers are switching to ARM-based processors. These chips, now cheap enough to begin replacing MIPS devices, are much better at hardware-level defense.
So, it's probably time to finally replace that old router, even if it's been loyally chugging away all this time. Because the real danger lies in what code it's been silently running day and night… the botnets.