Small Office / Home Office (SOHO) router security has recently become a hot topic. For those who are unfamiliar with the situation, it can best be described as negligent, with ISPs, vendors, and users sharing a long tradition of disregarding basic security practices. The result of this negligence is the existence of hundreds of thousands-more likely millions-of hacker-controlled routers used to attack the Internet ecosystem and interconnected networks.

Several dozen Imperva Incapsula customers were recently targeted by one such DDoS botnet comprised of tens of thousands of hijacked routers. After informing the major companies involved, we are sharing attack details in an attempt to raise awareness about the dangers posed by under-secured, connected devices.

The attacks we will describe are enabled by what we perceive as particularly careless security practices. Many of these botnet devices remain active, continuing to play a role in attack attempts against our clients and other websites-even as this is being written.

Attack Description

The DDoS campaign in question amounts to a series of application layer HTTP flood attacks launched against 60 Incapsula-protected domains, which share no common relation.

We first encountered these attacks on December 30, 2014 and have been mitigating them ever since. In the last 30 days, after a short-lived lull, we saw the escalate to a new height, with double the number of attacking IPs.

History of DDoS attacks from routers infected with MrBlack malware

Figure 1: History of DDoS attacks from routers infected with MrBlack malware

This escalation piqued our interest, prompting further investigation by the Incapsula security team. Our analysis revealed that this wave of attacks is a part of a much larger DDoS assault targeting hundreds of other domains outside of the Incapsula network, and includes other attack vectors-including network layer barrages.

Botnet Profile

What makes this specific DDoS campaign stand out is the botnet from which it’s being launched, one consisting of a large number of SOHO routers, predominantly ARM-based Ubiquiti devices.

Faced with this homogenous botnet, our security investigators’ initial assumption was that the routers were compromised by a shared firmware vulnerability. However, further inspection revealed that all units are remotely accessible via HTTP and SSH on their default ports. On top of that, nearly all are configured with vendor-provided default login credentials.

Anybody can remotely access this Ubiquiti router...

Figure 2: By punching in its IP and the default credentials, anybody can remotely access this Ubiquiti router

This combination invites trouble. At the risk of overstating the obvious, this level of access lets any perpetrator easily:

  • eavesdrop on all communication.
  • perform man-in-the-middle (MITM) attacks (e.g., DNS poisoning).
  • hijack cookies.
  • gain access to local network devices (e.g., CCTV cameras).

Setting aside the exploitation discussion, we have determined that all these exposed routers were injected with variants of MrBlack malware (a.k.a. Trojan.Linux.Spike.A), whose signatures we’ve identified while mitigating the attack.

Incoming DDoS traffic from a compromised router

Figure 3: Incoming DDoS traffic from a compromised router (Hi-res image)

After inspecting a sample of 13,000 malware files, we saw that on average, each compromised router held four variants of MrBlack malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks.

Malware Type Variants Observed Commonness
MrBlack DDoS tool 137 86.57%
Dofloo DDoS tool 19 5.48%
Mayday DDoS tool 24 2.84%
BillGates DDoS tool 5 2.30%
Skynet Backdoor 5 1.46%
Unknown/New DDoS Bot 2 1.35%

Botnet Geo-locations and C2 Data

During the 111-day period (from December 30 2014 to April 19 2015) Incapsula recorded attack traffic from 40,269 IPs belonging to 1600 ISPs worldwide. We were also able to trace the IP addresses of 60 command and control systems used by perpetrators to remotely direct malicious traffic.

More than 85 percent of all compromised routers are located in Thailand and Brazil, while the majority of the C2s are located in the US (21%) and China (73%). Overall, we’ve documented attack traffic from 109 countries around the world.

Top attacking countries, by number of IPs

Figure 4: Top attacking countries, by number of IPs

Based on the profile of targets and the attack patterns, we know these compromised routers are being exploited by several groups or individuals.

Given how easy it is to hijack these devices, we expect to see them being exploited by additional perpetrators. Even as we conducted our research, the Incapsula security team documented numerous new malware types being added-each compounding the threat posed by the existence of these botnet devices.

Attack heat map: Botnet and C2 geo-locations

Figure 5: Attack heat map: Botnet and C2 geo-locations

Self-sustaining Botnets

Our analysis reveals that miscreants are using their botnet resources to scan for additional routers to add to their “flock.” They do so by executing shell scripts, searching for devices having open SSH ports which can be accessed using default credentials.

Scanning script used to identify remotely accessible routers

Figure 6: Scanning script used to identify remotely accessible routers

Facilitating the infiltration, all of these under-secured routers are clustered in the IP neighborhoods of specific ISPs, that provide them in bulk to end users. For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective. Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms.

Copycats or Lizard Stresser v2?

Those who follow the escapades of Lizard Squad have probably noticed that the above-described botnet shares several similarities with Lizard Stresser-the group’s DDoS-for-hire (stresser) service.

Specifically, Lizard Squad’s botnet was also reportedly built on an infrastructure of under-secured routers that were likewise injected with malicious code, used to scan for other similarly vulnerable devices.

Despite several outward similarities, however, the two botnets don’t appear to be one and the same.

Most tellingly, the malware types observed in both cases are different. While Lizard Squad were known to use Linux.BackDoor.Fgt.1 to control their router-based botnet, the hijacked routers that we observed were mostly infected with Spike malware.

Still, looking at the historical attack data, we continue to find some interesting parallels between the attacks on our client and what has been reported about Lizard Squad’s shenanigans.

Lizard Squad's shenanigans

In both cases we observe similar peaks and valleys of activity. Notably, the assault on our clients started on December 30, nearly at the same exact time that Lizard Stresser was first announced. From there, after observing high frequency of attacks in January 2015, we saw the assault flat line in February, a week or so after Lizard Squad’s website was brought down by Anonymous.

Finally, we saw attacks become more frequent in early April, with the largest of the bunch occurring days before Lizard Squad remerged on Twitter with a promise of a new, and more powerful, botnet.

Lizard Squad remerged on Twitter with a promise of a new, and more powerful, botnet

It should be pointed out that none of these circumstantial correlations offer any hard evidence of the groups’ involvement. If anything, they present us with several open questions about the possible evolution of Lizard Squad’s botnet resources and the existence of copycats that are following in the groups footsteps.

With this in mind, we ask all security researchers with any additional information about the perpetrators that are attacking on our clients, to reach us at info@incapsula.com.

Taking Action

Prior to publishing this report, Incapsula contacted the vendor of the routers and the ISPs whose routers and networks we found to be most open to abuse.

Revisiting the notion of shared responsibility, we strongly urge router owners to disable all remote (WAN) access to their router management interfaces. To verify that your own router is not open to remote access, you can use this tool from YouGetSignal to scan the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443).

Regardless of the result, we also strongly advise all router owners to change the default login credentials, if they haven’t done so already.

You can download these user guides to learn how to do so on Ubiquiti routers. If you have other routers you should contact the vendor for the applicable user guide.

Finally, if you believe your router(s) is already compromised, upgrade your router’s firmware to the latest version provided by the manufacturer.If you never done this before, we suggest reading this post, from the Super User community blog, about ‘Router Flashing for mere Humans’.


Would you like to write for our blog? We welcome stories from our readers, customers and partners. Please send us your ideas: blog@incapsula.com