Self-sustaining botnet made out of hacked home routers


I dunno if I’m dense, but how does this actually hurt me? I doubt they’re running enough data to crowd my bandwidth, and I doubt I’ll be busted when they download “It’s Raining Men.” Aren’t account numbers and passwords encrypted before they hit the router?

So…what you’re saying is that you’d be OK with your equipment being part of a botnet?


Well of course evil hackers are bad bad bad, but morality aside, does it actually hurt me?

Morality aside, some grayhats consider counterattack a good method. I somehow cannot oppose that much.

Edit: Also, if the thing decides to do DDoS, you can get your uplink (typically much thinner than the downlink) saturated and your speed drops close to zero due to the slow or dropped ACK and other outgoing packets. You also risk being disconnected by the ISP if it causes them trouble.

Then there’s the risk of the botnet being used for child porn or Chinese espionage, and the associated appearance of the friendly SWAT guys.

And all sorts of MITM shenanigans on your transactions. And attacks on all your poorly secured printers and IoT devices that live on your assumed-secure LAN.


Well, just for starters:
Say your router is also your DHCP server; it tells your computer that it’s also your primary DNS server (a perfectly normal thing) and also tells your computer to use a site in, say, Albania as your secondary DNS server.

When you go to what you think is your bank’s website, your router’s actually sent you off to a site run by the Russian mafia.
You enter your username/account info and password in the page that looks like your bank’s login page…and all your money’s gone.
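An added example, not code from this thread: a small Python check, of the kind a defender might run on a laptop behind a home router, that reads the DNS servers the DHCP lease handed out (here from a constructed resolv.conf sample) and flags any resolver that is neither allowlisted nor on the local subnet. The allowlist, subnet and sample addresses are all assumptions for illustration.

```python
import ipaddress

# Constructed sample of a DHCP-generated resolv.conf; not a real capture.
# The first nameserver is the router itself; the second is an off-network
# address of the kind described above (a "secondary DNS" you never chose).
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.45
search home.lan
"""

# Hypothetical allowlist: resolvers this household deliberately configured.
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_dns_servers(servers, trusted, lan="192.168.1.0/24"):
    """Classify each resolver as ok / lan / suspicious / invalid.

    'ok'         : explicitly allowlisted
    'lan'        : inside the local subnet but not allowlisted (probably
                   the router; worth confirming)
    'suspicious' : a public address a home DHCP server has no business
                   pushing to clients, which is what the DNS-hijack post
                   above warns about
    """
    lan_net = ipaddress.ip_network(lan)
    results = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            results.append((s, "invalid"))
            continue
        if s in trusted:
            results.append((s, "ok"))
        elif addr in lan_net:  # returns False for a mismatched IP version
            results.append((s, "lan"))
        else:
            results.append((s, "suspicious"))
    return results


def suspicious_servers(servers, trusted, lan="192.168.1.0/24"):
    """Just the resolvers that should trigger a closer look at the router."""
    return [s for s, v in audit_dns_servers(servers, trusted, lan) if v == "suspicious"]
```

On a real machine you would feed it the contents of /etc/resolv.conf (or the DNS servers shown in the adapter settings) instead of the constructed sample.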


Sure. When Bank of [wherever you live] is hit by a botnet causing billions of dollars in damage, you don’t think the bank is going to pay for those losses, do you? No sir, that’s coming out of your taxes in a fancy government bailout.


I’m not asking these questions to be a jerk. When I studied engineering they still called it ARPANET so I’m a little behind. But it seems like the threat described has been possible in theory for years - in fact it’s probably already reality. And still my paltry savings account sits there, unharvested, taunting them.

Kind of like how I occasionally let my son play outside, by himself, and somehow the swarms of predators overlooked him. Just lucky, I guess.

Oh, and @newliminted, it’s a dinky little Credit Union, so the losses will only be in the millions. No fancy bailout for them, just the old-fashioned FDIC.

Deleting my post - sigh. Don’t feed the trolls.

I don’t know about you, but my bank uses SSL. The reason SSL connections have certificates is to prevent this kind of Man-in-the-middle attack. Otherwise, any open network on earth could do this, but they don’t seem to very often.

For non-encrypted websites, which may include your email provider, your social network, or the boing boing message boards, if your router can see you log in, it can post as you and annoy everyone with spam. Which sometimes may also mean that your account is cancelled, which is a headache.

Folks teaching security workshops and the like now just assume that routers are probably compromised. To hide your embarrassing data, you can use a Virtual Private Network. A VPN lets you make an encrypted connection to a trustworthy server. All your data is encrypted and sent to them. They decrypt it and send it to the internet, via a router that they’ve changed the passwords on and all that. So you can send naughty emails and your router won’t be able to read them.

… I know why all this is important and I know how to fix it, but I really just want my homehub to be configured for security out of the box and do its own damn updates without me needing to do anything. It’s not reasonable to ask people to put much effort into their appliances and a router is an appliance.


It was actually really informative, and I promise I’m not a troll. A little bit contrarian maybe.

How much time and how much money should a guy who’s not an IT professional put into safeguarding his BoingBoing and occasional porn? Also, is it even possible to safeguard against this without getting another degree in engineering? The first one was hard.

@celesteh, the thing about appliances. Exactly. Will good security ever be as easy as a toaster? Most people will spend as much time and money on both.


It doesn’t have to be YOUR bank. It could be any bank. It could be any target the botnet is directed to attack. The damage most likely will not be done directly to you, but to infrastructure your taxes support.


Regarding the toaster, they’ll need to be configured for network security, too!


Oh crap. >.<

Aside from the other reasons people have mentioned… if your ISP caps your bandwidth (as most in the USA do, grumblegrumble) then it can hurt you that way. And if your ISP doesn’t cap bandwidth, they can use expanded usage from their infected customers as an argument for why they should.

But really, the clearest issue is that it gives these lowlifes a foothold into your home network, and there aren’t any good ways to know what they are doing and whether it hurts you until after it’s already hurt you. They’re doing it to hurt someone, so “will I be the someone who is hurt” isn’t the only question to ask.


There are dozens of threads on various crypto discussion groups about how fundamentally broken the CA (Certificate Authority) system is.

I hope you check your bank’s certificate’s fingerprint every time you connect. Or have deleted ChinaNIC as a root CA from your browser’s CA store. Or…


I am shocked!!!

ha ha ha

No, I’m not. Welcome to the world of security.


Can anyone explain what the quoted script is actually doing, and why?

Assemble an IP address from four components; but if a flag of some description is set to 1, swap the third and fourth parts; and if that flag is set to 2, drop the third and fourth parts, swap the first and second parts, and prefix and postfix them with numbers chosen at random in what looks like a particularly convoluted fashion …

Hard to say for certain without seeing more of the script. I’m not sure why they would use such an odd method for it, but my guess would be that it’s randomizing the target IP to check in an attempt to get around IDS or firewall systems (either within the source network or the destination) that would quickly pick up on a source IP trying to ping the same port on sequential destinations.

It may be that they’re just trying to be extremely random about it, in the theory that with enough infected systems they’re pretty much guaranteed to scan the entire space eventually even if each individual scanner picks targets completely at random.

The FDIC doesn’t cover credit unions. Most are covered by the NCUA, some by private insurers.
