Researchers at the security firm Team Cymru have discovered a massive network of router exploits that has effectively hijacked the internet for more than a quarter of a million computers. The exploit works by redirecting computers to different DNS servers, allowing the network to misdirect web traffic from its victims. There's no evidence of spoofing campaigns yet, but the team is still investigating. "What we've seen so far is a little mysterious," said Steve Santorelli, a researcher at Cymru. "300,000 machines going to different DNS servers." Even stranger, it all seems to be coordinated by two IP addresses located in London, both registered to a hosting company called 3NT Solutions.
"What we've seen so far is a little mysterious."
The network isn't properly a botnet simply because the compromise is limited to the routers rather than the computers behind them — but as the Cymru team points out, this level of access could be even more dangerous. In a similar attack in Poland, a router compromise was used to spoof the mBank banking site, allowing attackers to gain user credentials and ultimately empty accounts. Without precautions, attackers can use the router to direct a given URL (in this case, mbank.pl) to whichever server they want, carrying out more sophisticated attacks from there.
The most troubling thing about the attack is how long these vulnerabilities have gone unpatched. The router exploit that allowed the network to grow is two years old, and most routers in the US and Western Europe have already been protected against it. It's only in Eastern Europe and Asia that the attackers found routers still vulnerable to the attack, with a particularly large concentration in Vietnam.
Team Cymru has contacted law enforcement and is attempting to trace back the two master IP addresses, but in the meantime their main plea is to router vendors. "This is a logical evolution from traditional botnet technology," said Santorelli. "and one that now requires the vendors to fix, immediately."