What is the "Moose" worm and how can I protect myself from it?

5

I have heard from others that there is a new worm called "Moose". It actively targets and exploits home routers.

What are the effects of this exploit?

How can I protect myself from it?

Can I check whether my router is vulnerable?

posted by George 28.05.2015 - 17:59

1 answer

5

ESET has published a report on the vulnerability here. Their main findings are:

  • Linux/Moose targets consumer routers and modems including the hardware provided by Internet Service Providers (ISPs) to consumers
  • The threat is built for deep network penetration spreading past firewalls
  • It can eavesdrop on communications to and from devices connected behind the infected router, including desktops, laptops and mobile phones
  • Moose runs a comprehensive proxy service (SOCKS and HTTP) that can be accessed only by a specific list of IP addresses
  • The operators use the infected devices to perform social network fraud on Twitter, Facebook, Instagram, Youtube and more
  • Moose can be configured to reroute router DNS traffic, which enables man-in-the-middle attacks from across the Internet
  • It affects Linux-based embedded devices running on the MIPS and ARM architectures

If we look at how it spreads, one statement is very important here:

Last but not least, this threat spreads only by compromising systems with weak or default credentials. No vulnerabilities are exploited by the malware. Although downplayed by system administrators, this attack vector has been effective at compromising a lot of Internet-connected systems. As FireEye recently stated: “Brute forcing credentials remains one of the top 10 most common ways an organization is first breached.”

They listed some of the devices that could be affected:

Network equipment vendors

3Com, Alcatel-Lucent, Allied Telesis, Avaya, Belkin, Brocade, Buffalo, Celerity, Cisco, D-link, Enterasys, Hewlett-Packard, Huawei, Linksys, Mikrotik, Netgear, Meridian, Nortel, SpeedStream, Thomson, TP-Link, Zhone, ZyXEL

Equipment vendors

APC, Brother, Konica / Minolta, Kyocera, Microplex, Ricoh, Toshiba, Xerox

Internet of Things vendors

Hik Vision, Leviton

Indicators of compromise

If the credentials can be used via Telnet to login, if Telnet is enabled by default and if a shell access can be obtained by typing sh in the device’s prompt, then these are very good indicators that a device could be infected by Linux/Moose.

Prevention

Change default passwords on network equipment even if it is not reachable from the Internet. Disable Telnet login and use SSH where possible. Make sure that your router is not accessible from the Internet on ports 22 (SSH), 23 (Telnet), 80 (HTTP) and 443 (HTTPS). If you are unsure about how to perform this test, when you are at home, use the "common ports" scan from the ShieldsUP service from GRC.com. Make sure that the above mentioned ports receive a Stealth or Closed status. Running the latest firmware available from your embedded device vendor is also recommended.

answered 28.05.2015 - 18:26
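The "Prevention" part of the answer asks you to confirm that ports 22, 23, 80 and 443 on your router are reported as Stealth or Closed rather than Open. The following script is an added example, written for this page and not taken from the answer, from ESET's report or from GRC's ShieldsUP; it does the same "common ports" check with plain TCP connects and labels the result with the ShieldsUP vocabulary, assuming that a connection refused (reset) maps to "Closed" and no reply before the timeout maps to "Stealth". The router address, the port list and the local throw-away listener used for the offline demonstration are all assumptions of the example. Run it from outside your network (a remote shell, or a phone on mobile data) against your router's public address; run from inside the LAN it tells you about LAN-side exposure instead, which is a different question.

```python
import errno
import socket
import sys
from typing import Dict, List, Tuple

# Management ports the answer says must not be reachable from the Internet side.
MANAGEMENT_PORTS: Dict[int, str] = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port on `host` with the vocabulary ShieldsUP uses.

    Open    - TCP handshake completed, so a service is listening.
    Closed  - the host answered with a reset (ECONNREFUSED): nothing listens.
    Stealth - no answer before the timeout, typically because a firewall drops it.
    Anything else (no route, DNS failure) is reported as "Error:<code>".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            rc = sock.connect_ex((host, port))
        except (socket.timeout, TimeoutError):
            return "Stealth"
        except socket.gaierror as exc:
            return f"Error:{exc.errno}"
    if rc == 0:
        return "Open"
    if rc == errno.ECONNREFUSED:
        return "Closed"
    # connect_ex reports a timeout as EAGAIN/EWOULDBLOCK rather than raising
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK):
        return "Stealth"
    return f"Error:{rc}"


def check_router(host: str, ports: Dict[int, str] = MANAGEMENT_PORTS,
                 timeout: float = 2.0) -> Dict[int, str]:
    """Probe every management port and return {port: status}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def exposed_ports(results: Dict[int, str]) -> List[int]:
    """Ports whose status is Open: the answer wants each of them Stealth or Closed."""
    return sorted(port for port, status in results.items() if status == "Open")


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a throw-away listener on 127.0.0.1 so the tool can be demonstrated offline.

    This is constructed test scaffolding standing in for a router with a
    management service enabled; it is not something you run on the router.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def report(host: str, results: Dict[int, str], names: Dict[int, str]) -> str:
    """Render the per-port statuses plus a one-line verdict."""
    lines = [f"Management port exposure for {host}:"]
    for port, status in sorted(results.items()):
        lines.append(f"  {port:>5} {names.get(port, ''):<7} {status}")
    bad = exposed_ports(results)
    lines.append("No management ports are open." if not bad
                 else f"Open management ports that should be Stealth or Closed: {bad}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Probe your own router's public address from outside the LAN.
        target = sys.argv[1]
        print(report(target, check_router(target), MANAGEMENT_PORTS))
    else:
        # No argument: offline demonstration against the local throw-away listener.
        srv, demo_port = start_local_listener()
        try:
            names = {demo_port: "demo"}
            print(report("127.0.0.1", check_router("127.0.0.1", names), names))
        finally:
            srv.close()
```

A port reported as Open on the WAN side is the condition the answer tells you to fix (disable the remote management service or firewall the port), and Telnet on port 23 is the one the indicator-of-compromise paragraph singles out. The script only completes a TCP handshake and never sends credentials, so it cannot tell you whether the default password is still in place; that part you check in the router's own configuration.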
