Home Router Botnet Dwindles into Extinction
Attacks from compromised routers across the world against WordPress websites began to decrease at the beginning of the week, indicating the botnet’s activity may have come to an end. The devices have been used in burst attacks, striking between 100 and 200 times a month on average, then falling silent.
The routers belong to customers of Internet Service Providers (ISPs) in Asia, Africa, Europe and South America, and were apparently exploited because they run an old and vulnerable version of the RomPager embedded web server. The flaw was disclosed and addressed by affected vendors in 2014, but firmware updates can take a very long time to reach the devices in the field, because there is no mechanism that would at least notify users when a new version becomes available, or apply the patch automatically.
At the time of discovery, the vulnerability affected at least 200 router models from vendors including ASUS, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL. Exploiting the flaw requires nothing more than sending a single packet (a specially crafted HTTP cookie) to the router's internet-facing IP address.
Engineers working on the Wordfence WordPress Security plugin noticed the attacks from this botnet in April and started to look for patterns that would indicate their origin. They also determined how the routers must have gotten infected, and that the perpetrators applied the low-frequency attack strategy to stay under the radar. However, the number of attacks against websites protected by Wordfence reached as many as 40,000 in an hour, with some clients recording over 100 unauthorized login attempts per day.
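The detection problem the Wordfence engineers faced is worth making concrete: when each compromised router only tries a handful of logins, a per-IP threshold never fires, and the botnet is only visible when failed logins are aggregated across sources. The following script is an added example, not Wordfence's code and not part of the original article; it runs over constructed Apache-style access-log lines (documentation-range addresses, not indicators from the article) and flags both the classic single-source brute force and the distributed low-and-slow pattern. The rule that a POST to `/wp-login.php` answered with HTTP 200 is a failed attempt (WordPress re-renders the form) while a 302 is a successful redirect is a heuristic assumed here, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache combined-log format. Addresses come
# from the RFC 5737 documentation ranges; nothing here is taken from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Apr/2017:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Apr/2017:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Apr/2017:10:02:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.55 - - [28/Apr/2017:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.0.2.56 - - [28/Apr/2017:10:03:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.57 - - [28/Apr/2017:10:03:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.58 - - [28/Apr/2017:10:04:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.59 - - [28/Apr/2017:11:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Apr/2017:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def failed_logins(log_text):
    """Heuristic (assumed here): a POST to wp-login.php answered with 200 means
    WordPress re-rendered the login form, i.e. the credentials were rejected;
    a 302 means the user was logged in and redirected."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].startswith("/wp-login.php")
                and rec["status"] == 200):
            events.append((rec["ip"], rec["ts"]))
    return events


def detect(log_text, per_ip_threshold=5, distinct_ip_threshold=4):
    """Bucket failed logins per clock hour and flag two patterns:
    - noisy_ips: a single address reaching per_ip_threshold failures in an hour
      (the classic brute force that per-IP rate limiting catches);
    - distributed_hours: hours in which at least distinct_ip_threshold addresses
      each failed a few times while none crossed the per-IP threshold (the
      many-source, low-frequency pattern that per-IP rules miss)."""
    counts = defaultdict(lambda: defaultdict(int))  # hour -> ip -> failures
    for ip, ts in failed_logins(log_text):
        hour = ts.replace(minute=0, second=0, microsecond=0)
        counts[hour][ip] += 1

    noisy_ips = set()
    distributed_hours = []
    for hour in sorted(counts):
        by_ip = counts[hour]
        loud = {ip for ip, n in by_ip.items() if n >= per_ip_threshold}
        noisy_ips |= loud
        if not loud and len(by_ip) >= distinct_ip_threshold:
            # (hour, distinct failing sources, total failures in that hour)
            distributed_hours.append(
                (hour.isoformat(), len(by_ip), sum(by_ip.values())))
    return {"noisy_ips": sorted(noisy_ips),
            "distributed_hours": distributed_hours}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On the sample, the 10:00 hour is flagged as distributed (five sources, six failures, none above the per-IP threshold) while no address is flagged as noisy; lowering `per_ip_threshold` to 2 instead flags `203.0.113.10` and suppresses the distributed alert for that hour, which is exactly the trade-off between the two rules.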
On May 1, the botnet activity suddenly started to die down. “In the past 72 hours, the attack frequency dropped simultaneously across hundreds of ISPs in many countries,” reads the blog post from Wordfence. One of multiple possible reasons is a recent Interpol-coordinated takedown of offensive servers in the ASEAN region.
Another hypothesis is that the attackers simply reached their goal and decided to stop; this would be rare in the criminal world, where botnets are created and maintained for constant malware distribution.
ISPs pushing patches to routers deployed to customers could also explain the sudden drop in attacks; this would have required all ISPs involved (hundreds of them) to start the process in the 72-hour time interval monitored by Wordfence. It would not be far-fetched, because services blocking cyber threats did blacklist the attacking IP addresses, denying users’ access to certain online resources. Customers complaining to their ISP about this could prompt the provider to deploy a firmware update for the router, although the fact that the devices ran outdated firmware for so long does make this explanation unlikely.
Regardless of the reason behind the botnet’s apparent demise, users should regularly check for new firmware versions for their router. These devices are the internet gateway for the home network, and compromising them means that all other connected gadgets become exposed.