NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0450 D-Link Router Vulnerability:
Security researchers at Symantec Corporation said suspicious port scanning that has been tracked back to D-Link
routers may mean a worm or bot is on the loose and infiltrating the popular brand's devices using a three-year-old
vulnerability. The security company issued a warning Monday night, 24 March, to customers of its DeepSight
threat notification service saying that there were "reliable reports" of an in-the-wild worm or bot that was
attacking, then installing itself on D-Link routers. But now, Symantec has taken a step back. "After looking
into it further, we decided that was a little misleading," said the director of Symantec's security response team.
"It's unconfirmed at this point, but we have definitely seen an increase in attack activity, and that activity
appears to be coming from other D-Link devices." In other words, although Symantec's researchers haven't gotten
their hands on a worm or bot sample, all the evidence points in that direction. According to Symantec, the attacks
against the D-Link routers begin with hackers scanning TCP port 23 for an active SNMP (Simple Network Management
Protocol) service, a flaw that first showed up in D-Link router firmware in 2005. The company believes hackers are
exploiting the SNMP vulnerability to reset and reconfigure the administrative password on the routers, perhaps to
conduct "drive-by pharming" attacks that change a router's settings so its users are unknowingly directed to bogus
or malicious web sites instead of the real URLs. Symantec characterized the port 23 scanning activity as "moderate"
and said the researchers will continue to investigate. The company said researchers had not been able to verify
that the vulnerability had been patched, and if so, when, or which specific models of D-Link's routers might be at
risk. D-Link officials did not respond to a call for comment. For the moment, Symantec advises D-Link router
owners to make sure the SNMP service is not exposed to the internet.
(ComputerWorld 25MAR08 and www.computerworld.com 25MAR08)