A router-to-router bot first detected two years ago has evolved - and now has the capability to reconfigure the firewalls of its victims.
The Lightaidra malware captured by security researcher TimelessP (@TimelessP) is an IRC-based mass router scanner/exploiter that's rare because it spreads through consumer network devices instead of vulnerable Windows PCs. TimelessP detected the router-to-router bot using a honeypot.
The bot, first developed in 2012, targets consumer grade cable and DSL modems with default usernames and passwords in order to spread. Lightaidra requires Linux to be running on the device in order to infect equipment. The primary use of the malware is in running DDoS attacks, according to an earlier write-up of the malware on a cybercrime blog.
Variants of the malware cropped up in DDoS attack tools that run on Linux spotted by security researchers from Malware Must Die back in May. The ELF DDoS tool, for example, was based on Lightaidra and capable of running on Linux-based workstations, servers and routers. "I've watched the attacks evolve over time… [This] was the first one I saw that reconfigures the firewall in the downloader," TimelessP told El Reg.
Source code for the malware was published online in December 2012 and remains available (although El Reg will not reveal its location here), "which means the variant could have been done by anyone, really," as TimelessP (who declined to give his real name) points out. "It's conceivable that bots like this could be opening up devices to further attacks by others and to obfuscate the real sources of attacks," TimelessP told El Reg. "Antivirus software would have been of little use here."