Linux Routers Targeted by Tsunami Malware
Ever thought Linux is invulnerable to malware? Then it is time to rethink. Security researchers at TrendMicro found malware that targets routers running Linux and other Unix-like systems. Although the malware was reported to be found predominantly in Latin America, it could spread to other regions.
Potential of the threat
As per the source, the malware, detected as ELF_TSUNAMI.R, is rated as having high damage potential, though its distribution potential and overall risk are rated low. It is an ELF executable that acts as an IRC (Internet Relay Chat) backdoor on Linux; it performs brute-force attacks through repeated login attempts against the router, or exploits the router directly. The attacker can also disable the firewall on the compromised router, leaving the network behind it open to further attacks.
How it works
The attacker drops an ELF file containing the ELF_TSUNAMI.R code onto the router. It may be dropped by other malware or unknowingly downloaded by a user on the network while visiting a malicious website. The file opens a backdoor on the router through which the attacker can send and execute commands via an IRC server.
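The two behaviours described above, repeated login attempts against the router and an outbound IRC control channel, both leave traces in ordinary router logs. The script below is an added example (not TrendMicro's code and not taken from the malware) that flags them: it counts failed logins per source within a sliding window and lists outbound TCP connections to common IRC ports. The log lines are constructed for the demo in dropbear and netfilter log formats; the IRC port list and thresholds are assumptions to tune for your environment, since a bot can use any port.

```python
"""Added example: find brute-force logins and IRC-style outbound connections
in router logs. All log lines here are constructed for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines in dropbear's "Bad password attempt" format.
AUTH_LOG = """\
Mar  3 10:00:01 router dropbear[812]: Bad password attempt for 'root' from 203.0.113.7:50112
Mar  3 10:00:02 router dropbear[813]: Bad password attempt for 'root' from 203.0.113.7:50113
Mar  3 10:00:02 router dropbear[814]: Bad password attempt for 'admin' from 203.0.113.7:50114
Mar  3 10:00:03 router dropbear[815]: Bad password attempt for 'admin' from 203.0.113.7:50115
Mar  3 10:00:04 router dropbear[816]: Bad password attempt for 'root' from 203.0.113.7:50116
Mar  3 10:00:05 router dropbear[817]: Bad password attempt for 'support' from 203.0.113.7:50117
Mar  3 10:05:00 router dropbear[820]: Bad password attempt for 'root' from 192.168.1.20:41000
Mar  3 10:05:09 router dropbear[821]: Password auth succeeded for 'root' from 192.168.1.20:41001
"""

# Constructed netfilter LOG-target lines for new outbound connections from the router.
CONN_LOG = """\
Mar  3 10:06:10 router kernel: OUT=eth0 SRC=192.168.1.1 DST=198.51.100.9 PROTO=TCP SPT=39000 DPT=6667 SYN
Mar  3 10:06:11 router kernel: OUT=eth0 SRC=192.168.1.1 DST=198.51.100.9 PROTO=TCP SPT=39001 DPT=6667 SYN
Mar  3 10:06:30 router kernel: OUT=eth0 SRC=192.168.1.1 DST=93.184.216.34 PROTO=TCP SPT=39002 DPT=443 SYN
"""

BAD_PW = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*Bad password attempt for '(\S+)' from (\d+\.\d+\.\d+\.\d+):\d+")
OUTBOUND = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=\d+ DPT=(\d+)")

# Assumed heuristic: ports conventionally used by IRC. A bot may use any port.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}


def find_bruteforce(log, threshold=5, window_s=60):
    """Return {source_ip: total_failures} for sources with at least `threshold`
    failed logins inside any `window_s`-second window."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = BAD_PW.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only differences are used here.
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        events[m.group(3)].append(ts)
    hits = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits


def find_irc_connections(log, ports=IRC_PORTS):
    """Return the set of (src, dst, dport) outbound TCP connections to IRC ports."""
    found = set()
    for line in log.splitlines():
        m = OUTBOUND.search(line)
        if m and int(m.group(3)) in ports:
            found.add((m.group(1), m.group(2), int(m.group(3))))
    return found


if __name__ == "__main__":
    for ip, n in find_bruteforce(AUTH_LOG).items():
        print(f"brute force: {ip} ({n} failed logins)")
    for src, dst, port in sorted(find_irc_connections(CONN_LOG)):
        print(f"possible IRC C2: {src} -> {dst}:{port}")
```

On a real router, feed the script `/var/log/messages` (or `logread` output on OpenWrt) for the login check, and enable a netfilter LOG rule on new outbound connections from the router itself for the second check; a router that initiates IRC sessions on its own is the point the article makes about the backdoor.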
The vulnerability in D-Link routers
D-Link routers are currently affected by a remote authentication bypass vulnerability that lets an attacker download the ‘config.xml’ file without passing the normal authentication checks. This file holds the complete configuration of the device, including the usernames and passwords of the accounts defined on it. With the file in hand, the attacker can simply take over the admin privileges of the affected router and the subnet behind it. The affected firmware versions are listed at http://www.juniper.net/security/auto/vulnerabilities/vuln13679.html.
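The practical question for an administrator is whether a given router actually serves its configuration file to an unauthenticated client. The script below is an added example, not D-Link's code or the advisory's, that answers it: the classifier decides, from the status code and body of an unauthenticated GET, whether credential-bearing XML came back, and it runs offline on a constructed response; `probe()` issues the real request and should only be pointed at devices you are authorized to test. The URL path `/config.xml`, the element names in the sample XML and the credential-tag heuristic are assumptions; the advisory names only the file, not its layout or where it is served.

```python
"""Added example: check whether a router serves config.xml without
authentication. The sample XML below is constructed; the path /config.xml
and the credential tag names are assumptions."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed stand-in for what a leaked configuration could look like.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <device><hostname>router</hostname></device>
  <accounts>
    <account><username>admin</username><password>hunter2</password></account>
  </accounts>
</config>
"""

# Assumed heuristic: element names that typically carry account details.
CREDENTIAL_TAGS = ("password", "passwd", "pwd", "username", "user")


def credential_elements(xml_text):
    """Return tags of non-empty elements whose name looks credential-related."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    return [el.tag for el in root.iter()
            if any(k in el.tag.lower() for k in CREDENTIAL_TAGS)
            and (el.text or "").strip()]


def classify(status, body):
    """Classify the response to an unauthenticated GET of the config file."""
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "redirected"          # usually to a login page; inspect manually
    if status == 200:
        return "exposed" if credential_elements(body) else "served-no-credentials"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as HTTPError instead of following them to a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, path="/config.xml", timeout=5):
    """Request the file with no credentials. Authorized targets only."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "config-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))        # e.g. http://192.168.0.1
    else:
        print(classify(200, SAMPLE_CONFIG))
```

A result of `exposed` means the device should be taken off the WAN-facing management path and updated to fixed firmware; `served-no-credentials` still deserves a manual look, since the heuristic only matches element names it knows about.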