The Hacker Battle for Home RoutersTrend Micro Says Botnet Families Fight for Control of Vulnerable Routers
Three botnet families are battling it out, seeking vulnerable home routers to take over and use as proxies, researchers at the security firm Trend Micro say.
Residential routers are a prime target for cybercriminals. Most households have one, and due to the legacy of poor IoT security practices, many can be taken over easily either through exploiting security vulnerabilities or using default credentials that have never been changed.
Trend Micro says that four years after the Mirai botnet, the landscape is more competitive than ever.
“Ordinary internet users have no idea that this war is happening inside their own homes and how it is affecting them, which makes this issue all the more concerning,” according to a new Trend Micro report, which was co-authored by Stephen Hilt, Fernando Mercês, Mayra Rosario and David Sancho.
Botnet code running on a device can diminish bandwidth. It could also mean connectivity problems. If security solutions flag a device as being part of a botnet, certain services may be inaccessible. At worst, if a router is being used as a proxy for crime, the owner of the device could be blamed.
With many workers still working from home during the pandemic, there’s also a worry about how such infections could potentially affect enterprises as well.
Brute-Force Attacks Rising
Throughout 2019 and into this year, Trend Micro says, its telemetry detected a rising number of brute-force attempts to infect routers, which involve trying various combinations of login credentials. The company suspects the attempts came from other routers.
In the first four months of last year, Trend Micro detected between about 10 million brute-force login attempts per month against residential routers. By October, the figure leaped to around 97 million, then 219 million in November and peaking at 249 million in December. The figures tapered off earlier this year, but in March still numbered 193 million.
Many of those brute-force attempts came over telnet, the remote connectivity tool. “While telnet is not as widely used today as in the past, IoT devices still largely rely on it for its remote access capabilities,” the report says.
Three botnet families are duking it out: Mirai, Kaiten and Qbot. One reason for the increase in home router attacks is that the source code for all of those bot families is freely available.
“These three botnet malware families are part of a competition to infect the most routers, where sharing a device is not an option,” Trend Micro says.
Mirai, which was used to cause devastating DDoS attacks in 2016, proved to be the “gateway drug” for those involved in the bot scene, Trend Micro says. Since the source code was released, others have created more aggressive strains that are also more effective, the company notes (see: IoT Botnets: Why the Next Mirai Could Be Worse).
Competing with Mirai are Kaiten and Qbot. Kaiten, also known as Tsunami, is one of the earliest IoT botnets. It dates back to 2001 and uses the IRC protocol for command-and-control. Qbot, around since 2008, uses TCP for command-and-control.
All three families are capable of booting a pre-existing botnet infection from a router. For example, some variants of Mirai remove other variants. Kaiten can do the same with other strains of itself. “More recent Qbot variants have added the ability to uninstall other pieces of botnet malware,” the report says.
While routers are capable of running more than one type of malware, Trend Micro says operators tend to take exclusive control so the bandwidth of a device isn’t diminished.
While it takes a high degree of technical skill to code a botnet, it doesn’t take much skill to run one. And prices have dropped.
“Cybercriminals are selling Qbot and a number of Mirai variants on underground forums, online stores, and even social media sites, including Twitter and Instagram,” Trend Micro says. “In general, IoT botnet malware rentals are very affordable and allow inexperienced low-level criminals to enter the field. Qbot rentals, for example, start at a mere $5.”
There are higher-grade options as well. A private botnet variant – which comes with infrastructure, a bot-killing feature and a Telnet brute-forcing tool – can cost up to $150, the report says.
The advice on how to protect home routers is well known: Run the latest firmware, change default credentials and disable remote logins, or conversely only allow local logins from the same network. But the problem is that most consumers turn their routers on and leave them running for literally years. And unless the ISP pushes out firmware updates, most users never update their routers.
Japan is trying to tackle the problem by undertaking an expansive program to scan the country’s IP addresses to identify vulnerable IoT devices. It uses about 100 common default login credentials to attempt to log into devices. When the scanning results in devices that accept login credentials, the ISP is notified, which triggers remediation efforts (see: Japan's IoT Scanning Project: Insecure Devices Found).