Lizard Squad's DDoS attack service mostly powered by thousands of hacked home routers

Shawn Knight


Lizard Squad, the group of hackers responsible for knocking Microsoft’s Xbox Live and Sony’s PlayStation Network offline during the holidays, began offering its DDoS attack as an on-demand service earlier this month to anyone willing to pay their nominal fees.

Dubbed LizardStresser, the service was made available via multiple package deals with varying amounts of downtime. How exactly the hacking collective managed to pull off its public attacks as well as those requested by paying individuals has remained a mystery until now.

According to KrebsOnSecurity, the attacks are mostly powered by thousands of hacked home Internet routers. Since many home routers are protected by little more than factory-default usernames and passwords, it's easy to see how Lizard Squad could amass a sizable army of them.

The malware used to infect vulnerable routers appears to date back to early 2014, Krebs notes. Upon infection, it turns the host into an attack zombie that also scours the Internet for other devices it can infect.

Krebs adds that the best line of defense is simply to change the default credentials on your router. It's also a good idea to pick a strong password and, of course, to enable wireless encryption when setting everything up.

Those looking to take it a step further are also encouraged to change their router’s default DNS servers to those maintained by OpenDNS.


 
^^ yeah you would think that would be the case. So much for having firewalls, if they don't work for you by default.
 
For the record, how exactly does one do that?
I'm not going to assume any technical knowledge, so here's a full tutorial. First, you're going to need to find your router's IP address. Directions sorted by operating system (I'm assuming you're using Windows):

On Windows Vista/7:
  1. Click on the Start Menu.
  2. Type "cmd" into the search box, then hit Enter.
  3. Type "ipconfig" into the box that pops up. This will output a bunch of information.
  4. If you're on Wifi, look for something like "Wireless LAN adapter Wireless Network Connection." If on Ethernet, look for "Ethernet adapter Local Area Connection."
  5. Under that connection, you should see "Default Gateway," followed by some numbers that probably look like 192.168.1.1 or 192.168.0.1. Put that into the address bar on your computer.
On Windows 8 (copied from Microsoft's website):
  1. Swipe in from the right edge of the screen, and then tap Search.
    (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search.)
  2. Enter cmd in the search box, and then tap or click Command Prompt.
  3. Complete steps 3-5 from the Windows Vista/7 instructions.
Once you have that IP address pasted in your web browser, go to the address. It's going to want a username and password. Now, I'm not sure what router you're using, but either the username and password is on the physical device (which will be a box given to you by whomever provides your Internet access), or it's going to be a combination like admin/admin, or admin/1234, or something like that. Look up your router's model number and search for the default username and password on the Internet, and see what you get.

Once you get onto your router, you're going to need to look for advanced settings of some kind. As stated before, I'm not sure what kind of router you have, and different routers have different interfaces. Once you find advanced settings, look for something along the lines of "Remote Administration."

In Remote Administration, make sure everything is disabled. There might be an option to allow/disallow ICMP requests (or it might say ping). You can disable this if you'd like, but it honestly has next to zero security benefit. If you want peace of mind, just disable everything. Honestly, remote administration is one of the worst ideas I've ever seen used in this kind of technology.

Let me know if you have any questions or difficulties following these instructions.
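Steps 3 to 5 of the tutorial above (read `ipconfig`, find the right adapter, copy its Default Gateway) can be automated. The following is an added example, not code from the poster: it parses a constructed sample of `ipconfig` output, handles the case where an IPv6 gateway is listed first and the IPv4 one spills onto a continuation line, and keeps only private (RFC 1918) gateways, which is where a home router's admin page normally lives.

```python
import ipaddress
import re

# Constructed sample of `ipconfig` output, modelled on the layout the tutorial
# describes (unindented adapter heading, then indented fields). Not a real capture.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
"""


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def default_gateways(ipconfig_text):
    """Return {adapter name: IPv4 default gateway} for adapters that list one."""
    gateways = {}
    adapter = None
    in_gateway = False  # True while reading the (possibly multi-line) gateway field
    for line in ipconfig_text.splitlines():
        # Adapter headings are unindented and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_gateway = line.rstrip()[:-1], False
            continue
        field = re.match(r"\s+Default Gateway[ .]*: ?(\S*)", line)
        if field:
            candidate, in_gateway = field.group(1), True
        elif in_gateway and re.fullmatch(r"\s+\S+\s*", line):
            candidate = line.strip()  # continuation line after an IPv6 gateway
        else:
            in_gateway = False
            continue
        if adapter and _is_ipv4(candidate):
            gateways[adapter] = candidate
    return gateways


def router_admin_urls(ipconfig_text):
    """The address to paste into the browser, one per adapter with a private gateway."""
    return {name: f"http://{gw}/"
            for name, gw in default_gateways(ipconfig_text).items()
            if ipaddress.IPv4Address(gw).is_private}
```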
 
How does setting DNS settings to Open DNS help?
DNS servers that belong to ISPs generally suck, but the point being made here is that OpenDNS will blacklist domains that are known to host malware. By switching to their DNS servers, you're adding an extra layer of defense because your computer won't be able to go to websites that are blacklisted by OpenDNS. This was all in the article linked from KrebsOnSecurity.

Personally, I don't really see a need. However, Verizon and Comcast (major ISPs in my area) generally have shitty DNS servers with shitty response times and shitty uptime, so I always change my DNS servers to Google's (8.8.8.8 and 8.8.4.4). Never had any problem with them, although I'll change if we see some information about Google doing DNS poisoning attacks from its servers.
 
Once you find advanced settings, look for something along the lines of "Remote Administration."

Let me know if you have any questions or difficulties following these instructions.
Your instructions are fine, though I don't see anything listed as "Remote Administration".

There is a setting listed as "Enable Web Access from WAN?" which is set to "No". The description is "This feature allows you to config RT-N10 from the Internet." I'm not sure if this is the setting you are referring to.
 
Your instructions are fine, though I don't see anything listed as "Remote Administration".

There is a setting listed as "Enable Web Access from WAN?" which is set to "No". The description is "This feature allows you to config RT-N10 from the Internet." I'm not sure if this is the setting you are referring to.
That's exactly it. The theory behind that feature is that you can change router settings while outside the network (so, for example, tech support for a company wouldn't have to drive down to a location if they could change things remotely), which makes sense until you realize that it's much safer and much more secure to set up remote access to a computer inside the network, then access the router from that computer, instead of exposing your router's login page to the Internet.
 
I'm pretty sure BT (the UK's leading ISP) has been busily updating its supplied home routers. They (FBI?) should just follow the money; that normally nets the bad guy.
 
I wonder if the culprit behind North Korean internet shutdown was carried by Lizard squad.. :D
 
Remote administration is disabled on every single router I've ever seen (eight years of system administration work now) by default. Doesn't hurt to make sure, though; I always do.
Yeah same. Wonder what routers are being targeted and how?
 
Thanks for that write up nima 304! I've been using windows pc's and a few macs since the mid-late 90's and know more than the average bear about computers, but I have to confess, I know little about routers. thanks.
 
I thought by default the admin page was not externally accessible?


Couldn't someone drive around with a laptop programmed to try to log into the firmware of every network it encountered with known default admin PW/UN? Then subsequently infect any router that allowed access?

Could malware also be broadcasted out in the same manner from infected routers?
 
Hi,

You don't need access to the router from the Internet to hack it. How many people do you know who received an email and just clicked on the attachment? So yes, most routers have remote administration disabled, but if you don't change the default password it's easy to send an email and run a little script to log in to your router and change the settings.
 
I thought by default the admin page was not externally accessible?
^^ yeah you would think that would be the case. So much for having firewalls, if they don't work for you by default.
Remote administration is disabled on every single router I've ever seen (eight years of system administration work now) by default. Doesn't hurt to make sure, though; I always do.


Yes, remote administration is disabled, but that doesn't stop the attack, since it is generated from within. Most routers come with a default password to the network on the side of the box. Whether that method is used from war driving or a rootkit-style attack on a system, it allows you on the network. From there, it's simple. EVERYBODY's router ships with the SAME default information. The username is usually admin, and the password is usually blank or "password." That's the information that needs to be changed.
 
Yes, remote administration is disabled, but that doesn't stop the attack, since it is generated from within. Most routers come with a default password to the network on the side of the box. Whether that method is used from war driving or a rootkit-style attack on a system, it allows you on the network. From there, it's simple. EVERYBODY's router ships with the SAME default information. The username is usually admin, and the password is usually blank or "password." That's the information that needs to be changed.
There are quite a few caveats there now.

1) Attacker must be physically close to the target.

2) Wifi network must have default or weak password (to get to the admin page, you need to be on the Wifi). A WEP network is trivially crackable (within seconds on a modern laptop or smartphone) so all WEP networks are effectively unencrypted.

3) Admin must have default password.

How are they getting thousands of these exploitable routers if it requires 1)? Is there a master list of compromised routers that wardrivers are adding to?
 
There are quite a few caveats there now.

1) Attacker must be physically close to the target.

2) Wifi network must have default or weak password (to get to the admin page, you need to be on the Wifi). A WEP network is trivially crackable (within seconds on a modern laptop or smartphone) so all WEP networks are effectively unencrypted.

3) Admin must have default password.

How are they getting thousands of these exploitable routers if it requires 1)? Is there a master list of compromised routers that wardrivers are adding to?


All I'll say is this: I do security assessments and I'd estimate that 70% of consumer routers such as Netgear, Linksys, Belkin and ISP gateways are left with default passwords on the management console and on the wireless access, period. Comcast sets up routers with the wireless password as the user's phone number. Some people don't like the hassle of setting it up, so they simply leave it open altogether. Walk around your neighborhood sometime; you'd be amazed. To get to "thousands" doesn't take much when you're talking millions of devices. As far as there being a list, I'm certain.
 
All I'll say is this: I do security assessments and I'd estimate that 70% of consumer routers such as Netgear, Linksys, Belkin and ISP gateways are left with default passwords on the management console and on the wireless access, period. Comcast sets up routers with the wireless password as the user's phone number. Some people don't like the hassle of setting it up, so they simply leave it open altogether. Walk around your neighborhood sometime; you'd be amazed. To get to "thousands" doesn't take much when you're talking millions of devices. As far as there being a list, I'm certain.

Also, ISPs' modem/routers are usually remotely managed, with one weak password for all of them, in a ton of countries.
 
Also, ISPs' modem/routers are usually remotely managed, with one weak password for all of them, in a ton of countries.
Another case of convenience over best practices. Router security is the absolute most critical part of a home internet connection, yet ISPs want to be able to offer services to non-IT-savvy people and do so with absolutely horrible security practices.

If they want to do that, they need to also block that port from Internet access (and maybe allow access on request once default passwords etc. are changed).
 