The router of all evil: more than just default passwords and silly scripts

Thursday 5 October 11:30 - 12:00, Green room

Himanshu Anand (Symantec)
Chastine Menrige (Symantec)

In the last couple of years, we have seen a few highly sophisticated router attacks and malware, the most famous of which are the Cisco exploit (CVE-2016-6366), found among the data dump released by the Shadow Brokers hacking group, and the zero-day exploit in networking devices that took down the Italian Hacking Team.

While working on router exploits and malware, we came across some very interesting router malware and malicious firmware. This paper will look at two case studies:

  • The Netgear router attack (CVE-2016-6277) and the analysis of malicious firmware associated with it, which was flashed remotely, as well as the use of the Firmware Mod Kit (FMK) for the development of malicious firmware.

  • Shellshock exploitation (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187), which was used to compromise routers and infect them with .ELF malware, as well as infect them using Perl-based IRC bots.

This paper will discuss the objectives of Internet of Things (IoT) malware, which are primarily associated with distributed denial of service (DDoS) attacks and information stealers. A few such attacks involved man-in-the-middle (MitM) threats and Domain Name System (DNS) changers. The paper will also discuss the future of router exploits, how attackers can exploit networks, and how such attacks could be very dangerous for both corporate and home users.




Himanshu Anand

Himanshu Anand has been working with Symantec since 2013 as a security response engineer with the Intrusion Prevention/Detection System (IPS/IDS) team. He is the founding member of Linux User Group-Jaipur and one of the first students of Malware Must Die (MMD). His research areas of interest include exploit writing and analysis, fuzzing, and hardware hacking. Last year he presented at VB2016.




Chastine Menrige

Chastine Menrige has over 10 years of experience in threat research. Currently, she is working at Symantec Corporation as a network analysis engineer, dealing with network threats related to ransomware and APT attacks and providing IPS detections to prevent and mitigate these attacks. Last year, she presented at VB2016.
