Abstract
In the last couple of years, we have seen a few highly sophisticated router attacks and malware, the most famous of which are the Cisco exploit (CVE-2016-6366), found among the data dump released by the Shadow Brokers hacking group, and the zero-day exploit in networking devices that took down the Italian Hacking Team. While working on router exploits and malware, we came across some very interesting router malware and malicious firmware. This paper will look at two case studies:

* The Netgear router attack (CVE-2016-6277) and the analysis of the malicious firmware associated with it, which was flashed remotely, as well as the use of the Firmware Mod Kit (FMK) for the development of malicious firmware.
* Shellshock exploitation (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187), which was used to compromise routers and infect them with ELF malware, as well as to infect them with Perl-based IRC bots.

This paper will discuss the objectives of Internet of Things (IoT) malware, which are primarily associated with distributed denial of service (DDoS) attacks and information stealers. A few such attacks involved man-in-the-middle (MitM) threats and Domain Name System (DNS) changers. The paper will also discuss the future of router exploits, how attackers can exploit networks, and how such attacks could be very dangerous for both corporate and home users.
AI Generated Summary
The talk examines the evolution of router-focused malware, highlighting a shift from basic default-password attacks and DDoS botnets toward more sophisticated firmware manipulation. The speaker categorizes observed router malware into three primary forms: script-based bots (often delivered via Shellshock exploits), compiled ELF binaries (exemplified by the Mirai botnet), and firmware-based attacks.
The core research details a novel attack where an adversary exploits a Netgear remote code execution vulnerability to remotely flash the router’s firmware with a modified, open-source image using the Firmware Mod Kit. The malicious firmware establishes persistence, sniffs network traffic to harvest credentials, and exfiltrates collected data (including passwords tried by other botnets like Mirai) to an attacker-controlled FTP server. This represents a significant escalation in attacker capability, moving beyond traffic disruption to long-term credential theft and network reconnaissance.
Key techniques involve a simple shell script downloaded via the initial exploit, which fetches and installs the custom firmware image. Analysis of the extracted filesystem revealed scripts responsible for the sniffing and exfiltration logic.
Practical implications underscore the router’s strategic position within a network, making it a high-value target. The research illustrates that many routers in the field remain vulnerable to years-old exploits due to poor vendor patching support. The primary defensive takeaways are the critical importance of changing default credentials, using strong passwords, and applying firmware updates where available, as the underlying hardware and software often lack robust security design. The attack demonstrates that router compromise can lead to direct credential harvesting, not just indirect abuse for DDoS or ad injection.