Millions of routers allegedly backdoored with malware that can’t be removed

One of the hackers purportedly responsible for a zombie army of Mirai-infected IoT devices, claimed he infected millions of routers with malicious firmware which can't be removed; a victim's only recourse is to trash the router.


If you are a gamer, then you don’t want a router powered by an Intel Puma 6 chipset that causes spikes of lag and packet loss that end up getting you killed in a game. Although some gamers have always blamed losing or dying on lag, the problem with Intel’s chip is real enough that the company acknowledged it.

The Register reported that the chipset is in some Arris, Linksys and Cisco routers, as well as some that ISPs charge you for, such as Comcast’s Xfinity gateways and Virgin Media’s Superhub 3. Arris, a brand ISPs commonly rent to subscribers, and Intel are allegedly working on new firmware to fix the issue.

[Update: Intel has confirmed that a fix is in the works.]

Continued bouts of lag can ruin gaming, cause issues with streaming and even VoIP apps; although some people might cuss the router as they await a firmware fix, most people wouldn’t toss their router in the trash for those sins. Yet “3.2 million” people might as well trash their routers, according to a hacker who claimed he has pwned that many routers already; he claimed he infected those routers with bots that can’t be eliminated via a firmware fix.

The typical advice for ridding an infected router of Mirai malware is to unplug it: Mirai lives only in memory, so once the device reboots the malware is gone. Of course, the router might get infected again almost immediately and participate in more DDoS attacks, since other infected devices are constantly scanning for vulnerable devices to exploit.

However, Motherboard reported that a hacker going by “BestBuy” set up a server that automatically exploits router flaws and infects the routers with malicious firmware that cannot be removed. This is one of the cyber thugs allegedly responsible for the massive IoT-powered DDoS attack in October. He is also the same person who apologized for knocking Deutsche Telekom customers offline after Mirai had been modified and caused havoc across the globe.

So now, BestBuy claims to have a zombie army of permanently infected routers. He told Motherboard via chat:

“They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :). Bots that cannot die until u throw device into the trash.”

It is important to note that BestBuy’s claims are unverified as no one has yet found one of his permanently backdoored routers in the wild.
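One way to test a claim like this rather than take it on faith is to pull the router's firmware off the flash out of band (serial or JTAG, not by asking the device to report on itself, since a backdoored image can lie about its own hash) and compare it with the image the vendor publishes, then scan it for strings a legitimate build should not contain. The script below is an added example written for this article, not code from Motherboard, the hacker or any vendor; the image layout, version string, "vendor" hash list, callback address and indicator patterns are all constructed so it runs offline.

```python
"""Offline firmware triage: compare a dumped router image against a
vendor-published hash and scan it for suspicious embedded strings.

Added example; every image, hash and indicator here is constructed."""
import hashlib
import re

# Constructed stand-in for a clean vendor image. In practice this would be
# the file the vendor publishes for your exact model and firmware version.
CLEAN_IMAGE = (
    b"EXAMPLE-FW-1.0.0" + b"\x00" * 64
    + b"/bin/busybox\x00/sbin/init\x00" + b"\x00" * 64
)

# A vendor would publish the SHA-256 of each release; here it is derived from
# the constructed clean image so the example is self-consistent.
VENDOR_HASHES = {
    "EXAMPLE-FW-1.0.0": hashlib.sha256(CLEAN_IMAGE).hexdigest(),
}

# Constructed "tampered" image: same header and version string, with an extra
# hidden binary and a hard-coded callback (hypothetical indicator, not a real IOC;
# 203.0.113.10 is a documentation address).
TAMPERED_IMAGE = (
    CLEAN_IMAGE[:80]
    + b"/tmp/.x\x00connect 203.0.113.10:6667\x00"
    + CLEAN_IMAGE[80:]
)

# Hypothetical indicator patterns; a real list would come from vendor or IR data.
SUSPICIOUS = [
    rb"connect \d{1,3}(?:\.\d{1,3}){3}:\d+",  # hard-coded C2 address:port
    rb"/tmp/\.[A-Za-z0-9]+",                  # hidden binary dropped in /tmp
    rb"telnetd -p \d+",                       # re-enabled telnet listener
]


def firmware_version(image: bytes) -> str:
    """First NUL-terminated field is the version string in this constructed layout."""
    return image.split(b"\x00", 1)[0].decode("ascii", "replace")


def matches_vendor_hash(image: bytes) -> bool:
    """True only if the image hashes to the vendor's published value for its version."""
    expected = VENDOR_HASHES.get(firmware_version(image))
    return expected is not None and hashlib.sha256(image).hexdigest() == expected


def suspicious_strings(image: bytes) -> list:
    """Return every match of the indicator patterns, in pattern order."""
    hits = []
    for pattern in SUSPICIOUS:
        for match in re.finditer(pattern, image):
            hits.append(match.group(0).decode("ascii", "replace"))
    return hits


def triage(image: bytes) -> dict:
    """Summarise one dumped image: version, hash verdict, indicator hits."""
    return {
        "version": firmware_version(image),
        "hash_ok": matches_vendor_hash(image),
        "indicators": suspicious_strings(image),
    }


if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(name, triage(img))
```

A hash mismatch alone is not proof of compromise (it may just be a build the vendor never published a hash for), and a clean hash only means something if the dump came from the flash itself; the string scan is a second, independent signal. Both checks would have to be run on a device pulled from the wild to turn BestBuy's claim from an assertion into a finding.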

Nevertheless, BestBuy attempted to “prove” his claims are real.

First, he showed Motherboard’s Lorenzo Franceschi-Bicchierai live stats of what appeared to be an Access Control Server being used to push out the malicious firmware. Motherboard said that within a few hours, the number of “accessed” devices grew from 500,000 to 1.3 million.

Then, he shared login credentials to show “a long list of allegedly infected routers, with their model name and unique ID.”

Various security experts weighed in on the plausibility of BestBuy’s claims. The general consensus was that it is possible, as long as the hackers didn’t make errors when building the malicious firmware for such a huge array of router models.

While hacking back and online vigilantes hacking for “good” are volatile subjects, if BestBuy’s latest claims are true, then it is almost enough to hope for more “malware for good” to be released.

Over a year ago, a group going by “White Team” came forward to say it had developed Linux.Wifatch, a type of white hat malware that infected “tens of thousands of devices” in order to improve the security of the devices. Once an IoT device with a weak or default password was infected, it was scanned for known malware; the security of the device was also hardened to prevent truly malicious infections.

Not that anyone wants their router, or other IoT devices, to be infected with malware, at least the “vigilante malware” was used for the greater good. Like its evil cousin of the malicious variety, the “good” malware did not first seek permission of the device owner before infecting it. Nevertheless, I’d rather hear about malware for good being pushed out to millions of routers instead of malware for a botnet that allegedly cannot be removed.

Update: Intel Global Communications wants to make sure you don't think the latency issue from Intel's Puma chipset is related to the malware-infected router problem. It's not; the chipset causing lag is a big problem of its own. The spokesperson also says the fix “is being deployed.” Hopefully it won’t take months to roll out via ISPs.
