Everybody reading this article is probably using an array of tools for protecting their smartphone, laptop, or enterprise server. But, very few of us are concerned about the security state of our router.
Even less of us are actively doing something about it. And most likely no one has an automated router protection system in place.
The story begins in early 2014, when a number of now infamous malware — namely, Moose, MrBlack, and TheMoon — started attacking home routers and harvesting information along with carrying out DDoS attacks.
The primary attacks were done taking advantage of default credentials on telnet/ssh, later expanding on exploiting the software vulnerability on such devices. At the same time, the trend of malicious activities became more mature; at first, it was only DDoS attacks but later malware could read and harvest the traffic that went through the router.
In October 2016, Mirai carried out the most intense DDoS attack of the century using vulnerable devices on the Internet, which included routers.
The lack of mature protection technologies makes this a fertile ground for attacks. We believe that a compromised router provides significant new capabilities to an attacker, beyond those of a compromised end-device. By compromising a router, the attacker can have access to or block network packets going through it, steal cookies and session IDs to impersonate the user, or compromise their privacy.
Who is in charge of protecting us?
A system administrator makes sure all the clients are safe from any malicious activity. This includes making sure all computer systems have the latest version of the most relevant anti-virus software while the firewall protects them from any internal and external malicious activities.
Moreover, mandatory cybersecurity awareness courses helps prevent users from being victims of cyberattacks. While these precautions are important to take, are they thorough enough?
The answer is clearly no. We now see routers being compromised and adversaries have access to all the traffic that goes on in our homes, offices, or enterprises. System administrators, along with normal home users, are now faced with a new challenge to figure out if their router is infected and find a way to make it safe.
How can we secure routers?
From a security expert perspective, attacking and protecting routers is significantly different compared to laptops and desktops, therefore new methods and tools are needed.
The first challenge in this space is the limited CPU and memory resources in such devices, which limits both the malware developers and security solutions.
The second challenge includes routers having variable device configurations, which decrease the applicability of both malware and system analysis tools.
The former is a challenge for malware authors, while the latter is a challenge for any emulation capability, which needs to pretend to be many different configurations in order to get firmware and malware to run. Finally, many, if not most, router firmware is proprietary, and thus difficult to emulate.
RARE to the rescue!
Given the challenges of the diversity of various vendors’ firmware and plethora of different platforms, how can we analyze and profile the behaviour of these router malware?
To answer this, we developed RARE (Riverside’s Augmented Router Emulator), a systematic approach to analyze router malware and understand its behaviour in depth. We identified and collected 221 malware-targeting routers, which is clear evidence of how those of us in security are caught up with end devices, and are neglecting the importance of security in routers and switches.
The key novelty is the augmented operation of our approach, which fools malware binaries to activate irrespective of their preferred target platform. In other words, instead of trying to guess the right router platform for each malware, we start with a generic one and we carefully and repetitively ‘adapt’ it to fool the malware. This is achieved by leveraging two key capabilities:
- A static level analysis that informs the dynamic execution, and
- An iterative feedback loop across a series of dynamic runs, the output of which informs the subsequent run.
We provide an overview of our approach in Figure 2.
Figure 2 — Overview of RARE: A key novelty is the feedback loop (Iterative Adaptation Loop) that enables previous runs of the malware to inform the subsequent run in order to fool the malware to activate.
Using RARE, we successfully activated 94% of all malware, which included 88.8% of the obfuscated ones, and extracted useful information towards understanding and profiling the infected router’s behaviour. This includes identifying more than 200 unique IP addresses of C&C and reporting servers.
We collect malicious behaviours from the infected router, which includes: killing processes in the router in order to free up resources for themselves, adding firewall rules to make the router unreachable for users, and terminating user interface processes such as HTTP and telnet services. In some cases, the malware installs a new firmware and replaces the original one.
These findings are available upon request — please visit our website for more information.
This work is a first step towards developing a key capability for an under-served segment of devices. We would love to hear from and engage with the community of network administrators and ISP providers — let us know what you think and how you can help our quest.
Ahmad Darki is a PhD candidate in Computer Science at the University of California Riverside. His research is on developing techniques and tools to analyze malware.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.